WPScan基本使用
2024-05-09 14:33:12
WPScan基本使用
- WPScan 简介
- WPScan 参数
- WPScan 扫描指定站点
- WPScan 扫描指定用户
- WPScan 扫描插件漏洞
- WPScan 扫描主题漏洞
- WPScan 更新数据漏洞库
- WPScan 暴力破解得到密码
- WPScan TimThumbs文件漏洞扫描
- WordPress 防护措施
WPScan 简介
WPScan是Kali Linux默认自带的一款漏洞扫描工具,它采用Ruby编写,能够扫描WordPress网站中的多种安全漏洞,其中包括WordPress本身的漏洞、插件漏洞和主题漏洞,最新版本WPScan的数据库中包含超过18000种插件漏洞和2600种主题漏洞,并且支持最新版本的WordPress,值得注意的是,它不仅能够扫描类似robots.txt这样的敏感文件,而且还能够检测当前已启用的插件和其他功能- 该扫描器可以实现获取站点用户名,获取安装的所有插件、主题,以及存在漏洞的插件、主题,并提供漏洞信息,同时还可以实现对未加防护的
Wordpress站点暴力破解用户名密码。
WPScan已经被预安装在以下Linux系统中:
- BackBox Linux
- Kali Linux
- Pentoo
- SamuraiWTF
- BlackArch
WPScan 参数
使用
wpscan -h可以查看各种参数以及定义
常用选项
- –update 更新到最新版本
- –url |
-u <target url>要扫描的WordPress站点- –force |
-f不检查网站运行的是不是WordPress- –enumerate |
-e [option(s)]枚举
其他选项
- u 枚举用户名,默认从1-10
- u[10-20] 枚举用户名,配置从10-20
- p 枚举插件
- vp 只枚举有漏洞的插件
- ap 枚举所有插件,时间较长
- tt 列举缩略图相关的文件
- t 枚举主题信息
- vt 只枚举存在漏洞的主题
- at 枚举所有主题,时间较长
- 可以指定多个扫描选项,例:
"-e tt,p"- 如果没有指定选项,默认选项为:
"vt,tt,u,vp"- –exclude-content-based
"<regexp or string>"- 当使用枚举选项时,可以使用该参数做一些过滤,基于正则或者字符串,可以不写正则分隔符,但要用单引号或双引号包裹
- –config-file |
-c <config file使用指定的配置文件>- –user-agent |
-a <User-Agent指定User-Agent>- –cookie
<String指定cookie>- –random-agent |
-r使用随机User-Agent- –follow-redirection 如果目标包含一个重定向,则直接跟随跳转
- –batch 无需用户交互,都使用默认行为
- –no-color 不要采用彩色输出
- –wp-content-dir
<wp content dirWPScan会去发现wp-content目录,用户可手动指定>- –wp-plugins-dir
<wp plugins dir指定wp插件目录,默认是wp-content/plugins>- –proxy
<[protocol://]host:port设置一个代理,可以使用HTTP、SOCKS4、SOCKS4A、SOCKS5,如果未设置默认是HTTP协议>- –proxy-auth
<username:password设置代理登陆信息>- –basic-auth
<username:password设置基础认证信息>- –wordlist |
-w <wordlist指定密码字典>- –username |
-U <username指定爆破的用户名>- –usernames
<path-to-file指定爆破用户名字典>- –threads | -t
<number of threads指定多线程>- –cache-ttl
<cache-ttl设置 cache TTL>- –request-timeout
<request-timeout请求超时时间>- –connect-timeout
<connect-timeout连接超时时间>- –max-threads
<max-threads最大线程数>- –throttle
<milliseconds当线程数设置为1时,设置两个请求之间的间隔>- –help |
-h输出帮助信息- –verbose |
-v输出Verbose- –version 输出当前版本
WPScan 扫描指定站点
- 它会扫描给定的WordPress站点的一些信息,并且列出可能是漏洞的地方,注意这里wpscan判断是否有漏洞,是根据wordpress的版本判定的,只要你的版本低于存在漏洞的版本,那么它就认为存在漏洞,所以,这个没有太多的参考性
- 扫描的结果会显示站点的插件信息、主题信息、用户信息等
wpscan --url [wordpress url]
例如:
wpscan --url http://192.168.56.103/wordpress
┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url http://192.168.56.103/wordpress
_________________________________________________________________ _______ _____\ \ / / __ \ / ____|\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \\ /\ / | | ____) | (__| (_| | | | |\/ \/ |_| |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.18Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________[+] URL: http://192.168.56.103/wordpress/ [192.168.56.103]
[+] Started: Thu Aug 5 11:20:00 2021Interesting Finding(s):[+] Headers| Interesting Entries:| - Server: Apache/2.4.7 (Ubuntu)| - X-Powered-By: PHP/5.5.9-1ubuntu4.22| Found By: Headers (Passive Detection)| Confidence: 100%[+] XML-RPC seems to be enabled: http://192.168.56.103/wordpress/xmlrpc.php| Found By: Link Tag (Passive Detection)| Confidence: 100%| Confirmed By: Direct Access (Aggressive Detection), 100% confidence| References:| - http://codex.wordpress.org/XML-RPC_Pingback_API| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/[+] WordPress readme found: http://192.168.56.103/wordpress/readme.html| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] Registration is enabled: http://192.168.56.103/wordpress/wp-login.php?action=register| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] Upload directory has listing enabled: http://192.168.56.103/wordpress/wp-content/uploads/| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] The external WP-Cron seems to be enabled: http://192.168.56.103/wordpress/wp-cron.php| Found By: Direct Access (Aggressive Detection)| Confidence: 60%| References:| - https://www.iplocation.net/defend-wordpress-from-ddos| - https://github.com/wpscanteam/wpscan/issues/1299[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).| Found By: Rss Generator (Passive Detection)| - http://192.168.56.103/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=4.8.1</generator>| - http://192.168.56.103/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.8.1</generator>[+] WordPress theme in use: twentyfifteen| Location: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/| Last Updated: 2021-07-22T00:00:00.000Z| Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/readme.txt| [!] The version is out of date, the latest version is 3.0| Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1| Style Name: Twenty Fifteen| Style URI: https://wordpress.org/themes/twentyfifteen/| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...| Author: the WordPress team| Author URI: https://wordpress.org/|| Found By: Css Style In Homepage (Passive Detection)|| Version: 1.8 (80% confidence)| Found By: Style (Passive Detection)| - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1, Match: 'Version: 1.8'[+] Enumerating All Plugins (via Passive Methods)[i] No plugins Found.[+] Enumerating Config Backups (via Passive and Aggressive Methods)Checking Config Backups - Time: 00:00:00 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00[i] No Config Backups Found.[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register[+] Finished: Thu Aug 5 11:20:03 2021
[+] Requests Done: 139
[+] Cached Requests: 36
[+] Data Sent: 37.797 KB
[+] Data Received: 19.845 KB
[+] Memory used: 211.109 MB
[+] Elapsed time: 00:00:02WPScan 扫描指定用户
wpscan --url https://www.xxxxxxx.wiki/ --enumerate u
WPScan 扫描插件漏洞
- 插件可以扩展WordPress站点的功能,但很多插件中都存在安全漏洞,而这也会给攻击者提供可乘之机
- 可以使用下列命令扫描WordPress站点中安装的插件:
wpscan --url https://www.xxxxx.wiki/ --enumerate p
//备注:--url与-u参数相同,下面雷同
可以使用下列命令来扫描目标插件中的安全漏洞:
wpscan --url https://www.xxxxx.wiki/ --enumerate vp
WPScan 扫描主题漏洞
使用下列命令对主题进行扫描:
wpscan --url https://www.xxxxx.wiki --enumerate t
例如:
wpscan --url http://192.168.56.103/wordpress --enumerate t
┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url http://192.168.56.103/wordpress --enumerate t 1 ⨯
_________________________________________________________________ _______ _____\ \ / / __ \ / ____|\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \\ /\ / | | ____) | (__| (_| | | | |\/ \/ |_| |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.18Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________[+] URL: http://192.168.56.103/wordpress/ [192.168.56.103]
[+] Started: Thu Aug 5 11:21:49 2021Interesting Finding(s):[+] Headers| Interesting Entries:| - Server: Apache/2.4.7 (Ubuntu)| - X-Powered-By: PHP/5.5.9-1ubuntu4.22| Found By: Headers (Passive Detection)| Confidence: 100%[+] XML-RPC seems to be enabled: http://192.168.56.103/wordpress/xmlrpc.php| Found By: Link Tag (Passive Detection)| Confidence: 100%| Confirmed By: Direct Access (Aggressive Detection), 100% confidence| References:| - http://codex.wordpress.org/XML-RPC_Pingback_API| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/[+] WordPress readme found: http://192.168.56.103/wordpress/readme.html| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] Registration is enabled: http://192.168.56.103/wordpress/wp-login.php?action=register| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] Upload directory has listing enabled: http://192.168.56.103/wordpress/wp-content/uploads/| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] The external WP-Cron seems to be enabled: http://192.168.56.103/wordpress/wp-cron.php| Found By: Direct Access (Aggressive Detection)| Confidence: 60%| References:| - https://www.iplocation.net/defend-wordpress-from-ddos| - https://github.com/wpscanteam/wpscan/issues/1299[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).| Found By: Rss Generator (Passive Detection)| - http://192.168.56.103/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=4.8.1</generator>| - http://192.168.56.103/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.8.1</generator>[+] WordPress theme in use: twentyfifteen| Location: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/| Last Updated: 2021-07-22T00:00:00.000Z| Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/readme.txt| [!] The version is out of date, the latest version is 3.0| Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1| Style Name: Twenty Fifteen| Style URI: https://wordpress.org/themes/twentyfifteen/| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...| Author: the WordPress team| Author URI: https://wordpress.org/|| Found By: Css Style In Homepage (Passive Detection)|| Version: 1.8 (80% confidence)| Found By: Style (Passive Detection)| - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1, Match: 'Version: 1.8'[+] Enumerating Most Popular Themes (via Passive and Aggressive Methods)Checking Known Locations - Time: 00:00:00 <============================================================================================================================================================> (400 / 400) 100.00% Time: 00:00:00
[+] Checking Theme Versions (via Passive and Aggressive Methods)[i] Theme(s) Identified:[+] twentyfifteen| Location: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/| Last Updated: 2021-07-22T00:00:00.000Z| Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/readme.txt| [!] The version is out of date, the latest version is 3.0| Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css| Style Name: Twenty Fifteen| Style URI: https://wordpress.org/themes/twentyfifteen/| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...| Author: the WordPress team| Author URI: https://wordpress.org/|| Found By: Urls In Homepage (Passive Detection)| Confirmed By: Known Locations (Aggressive Detection)| - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/, status: 500|| Version: 1.8 (80% confidence)| Found By: Style (Passive Detection)| - http://192.168.56.103/wordpress/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.8'[+] twentyseventeen| Location: http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/| Last Updated: 2021-07-22T00:00:00.000Z| Readme: http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/README.txt| [!] The version is out of date, the latest version is 2.8| Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/style.css| Style Name: Twenty Seventeen| Style URI: https://wordpress.org/themes/twentyseventeen/| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...| Author: the WordPress team| Author URI: https://wordpress.org/|| Found By: Known Locations (Aggressive Detection)| - http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/, status: 500|| Version: 1.3 (80% confidence)| Found By: Style (Passive Detection)| - http://192.168.56.103/wordpress/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.3'[+] twentysixteen| Location: http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/| Last Updated: 2021-07-22T00:00:00.000Z| Readme: http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/readme.txt| [!] The version is out of date, the latest version is 2.5| Style URL: http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/style.css| Style Name: Twenty Sixteen| Style URI: https://wordpress.org/themes/twentysixteen/| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...| Author: the WordPress team| Author URI: https://wordpress.org/|| Found By: Known Locations (Aggressive Detection)| - http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/, status: 500|| Version: 1.3 (80% confidence)| Found By: Style (Passive Detection)| - http://192.168.56.103/wordpress/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.3'[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register[+] Finished: Thu Aug 5 11:21:50 2021
[+] Requests Done: 411
[+] Cached Requests: 46
[+] Data Sent: 116.627 KB
[+] Data Received: 206.266 KB
[+] Memory used: 167.32 MB
[+] Elapsed time: 00:00:01
使用下列命令扫描主题中存在的漏洞:
wpscan --url https://www.xxxxxx.wiki --enumerate vt
WPScan 更新数据漏洞库
wpscan --update
WPScan 暴力破解得到密码
在暴力破解之前,需要提供一个字典文件
wpscan --url https://www.xxxxx.wiki/ -e u --wordlist 字典文件路径
WPScan TimThumbs文件漏洞扫描
wpscan -u https://www.xxxxxx.wiki/ -enumerate tt
WordPress 防护措施
关于密码爆出防护措施
- 如果你想要避免WordPress用户列表被列举,不要把用户名作为昵称,并且不要使用已经被大众知道的用户名,最好的方式是选择一个包含随机字符的名字做用户名并且使用其他名字作为昵称,WPScan扫描URL来获取用户名,所以如果你不使用这个用户名,你肯定不会被WPScan搜索到
- 防止暴力破解的最好方式是限制一个IP地址的尝试登录次数,WordPress有很多插件可以实现这个功能,列如有一个插件叫
Brute Force Login Protection(当然你也可以写一个脚本防止爆出个人密码)
如何防范扫描插件、主题、TimThumb文件
- 使用
Block Bad Queries (BBQ)插件,就可以屏蔽和禁止这类扫描
WPScan基本使用相关推荐
- Kali Linux WPScan更新到2.9.3
Kali Linux WPScan更新到2.9.3 WPScan是Kali Linux内置的一款Web漏洞扫描工具,专门扫描WordPress模版构建的网站.该工具最近更新到2.9.3.在新版本中,增 ...
- WordPress漏洞扫描工具WPScan
WordPress漏洞扫描工具WPScan WordPress是主流的PHP网站模版,以构建博客而闻名.WordPress可以通过安装插件和主题的方式扩展功能,这也带来的安全隐患.WordPress是 ...
- 记一次用WPScan辅助渗透WordPress站点
记一次用WPScan辅助渗透WordPress站点 一.什么是WPScan? WPScan 是一个扫描 WordPress 漏洞的黑盒子扫描器,它可以为所有 Web 开发人员扫描 WordPress ...
- kali字典_kali黑客系统wpscan工具扫描wordpress漏洞入侵攻击测试教程
WPScan是Kali Linux默认自带的一款漏洞扫描工具,它采用Ruby编写,能够扫描WordPress网站中的多种安全漏洞,其中包括主题漏洞.插件漏洞和WordPress本身的漏洞.最新版本WP ...
- wpscan扫描的简单介绍(对WordPress的扫描CMS)
wpscan是专门用来扫描WordPress的扫描工具 可以对于wordpress进行漏洞扫描,还可以对于其中的主题,插件进行扫描.可以说用wpscan扫描WordPress是非常非常方便的 wpsc ...
- wpscan更新失败
wpscan --update 在线更新 更新失败 那就将包下载到本地更新 wget http://blog.dsb.ink/wpscan/wp.zip unzip wp.zip 将刚刚wpscan的 ...
- WPScan使用完整攻略:如何对WordPress站点进行安全测试
https://github.com/wpscanteam/wpscan WPScan是Kali Linux默认自带的一款漏洞扫描工具,它采用Ruby编写,能够扫描WordPress网站中的多种安全漏 ...
- 渗透测试 10 --- 扫描 web目录 (dirb、wfuzz、wpscan、nikto)
github 更多工具:https://github.com/topics/dirb github 上 fuzz 工具.字典:https://github.com/search?q=fuzz 当使用一 ...
- 2022-渗透测试-推荐一款好用的网站漏洞扫描工具-WPscan
目录 WPscan简介 WPscan工具利用 查看帮助信息 更新漏洞库 扫描WordPress漏洞 扫描wordpress用户 扫描所使用的主题和漏洞 指定字典暴力破解密码 WPscan简介 WPSc ...
- WordPress 网站漏洞扫描 wpscan Kali Linux
在 WordPress 网站漏洞扫描,我将向你展示一些有用的命令 , 我们可以使用在 wpscan 搜索已知的漏洞在 wordpress 博客. 打开终端 , 使用下面的命令以启动对目标 wpscan ...
最新文章
- shell之for和if实现批量替换多目录下的文件
- Git 学习(二)版本库创建
- PowerBuilder9对中文字符串的处理方法
- hdu 3392 Pie
- C++数据与我们转移过空间之后
- 2022年的第一个工作日,整理了风控的这些内容
- linux之chattr命令
- 关于jquery获取单选框value属性值为on的问题
- 【LaTex】各种空格的实现(相对quad、qquad、\,、\:、\;、\!、endspace、thinspace、negthinspace绝对vspace和hspace膨胀hfill、vfill)
- Chromium浏览器的一些使用总结
- java爬虫(爬取豆瓣电影排行榜)
- Android开发之打卡功能
- 在深信服实习是怎样的体验(研发测试岗)
- 【测试用例】文本框测试用例
- centOs7 下载vim命令
- 我的世界mypet插件 v1.7.1
- 性能测试报告不会写?最标准的模板来了
- 算法提高 聪明的美食家
- 天池计划task3打卡
- css过滤镜实现颜色渐变