如何使用WPScan

渗透笔记 | 📅 2020-09-25 | wordpress

WPScan是什么

WordPress Security Scanner by the WPScan Team

它是一款针对WordPress的安全扫描器,由WPScan团队开发并维护。

WPScan能做什么

其基本功能大致有以下几点:

  1. 检查WordPress版本
  2. 枚举已安装插件、以及详细信息
  3. 枚举已安装主题、以及详细信息
  4. 枚举用户名
  5. 依赖 wpvulndb.com 提供的数据,枚举已知漏洞
  6. 暴力破解用户密码

WPScan怎么用

一般情况下,对自己的网站进行安全性测试,做下述几件事:

  1. 枚举带漏洞的插件
  2. 枚举带漏洞的主题
  3. 枚举用户,并进行暴力破解

前两项是防止插件和主题为站点引入漏洞,第三项是为了防止弱口令攻击。

获取站点基本信息

我们可以直接使用 --url 参数指定目标站点,如下:

wpscan --url http://www.xxx.com

此时,WPScan会输出一些我们“感兴趣”的信息:

  1. 从HTTP Headers里提取的信息(一般是服务器信息,如nginx、apache等)
  2. XML-RPC的启动情况
  3. readme文件
  4. WP-Cron定时任务的启动情况
  5. WordPress版本
  6. 当前应用的主题及其版本
  7. 易被攻击的插件
  8. 易被攻击的主题

枚举站点所有主题和插件

使用 -e 参数指定 apat

wpscan --url http://www.xxx.com -e ap,at

此时,WPScan的结果中,将包含所有的插件和主题信息。

枚举站点用户名

使用 -e 参数指定 u

wpscan --url http://www.xxx.com -e u

这样,WPScan的结果中,将包含前十个用户的用户名。

如需更多的枚举,则可以修改命令为:

wpscan --url http://www.xxx.com -e u1-20

此时,将枚举20个用户名。

针对用户暴力破解其密码

使用 -e 参数指定 u ,并配合 -P 参数指定密码字典

wpscan --url http://www.xxx.com -e u -P wordlist.txt

此时,WPScan将对枚举出的用户使用 wordlist.txt 文件中指定的密码进行暴力破解。如果破解成功,则会在结果中输出,如下:

......
[+] Performing password attack on Xmlrpc against 56 user/s
[SUCCESS] - aaa / 12345678
[SUCCESS] - bbb / 12345678
[SUCCESS] - ccc / 123456789
......

这就是分别破解出了用户 “aaa”、“bbb”、“ccc” 三人的密码。

至于密码字典怎么来的,可以直接百度找“弱口令top1000”之类的东西,这个比较容易获得。

提升站点安全性

我们可以使用WPScan发现我们WordPress网站的弱点,并针对性加以修复:

  1. 定期更新WordPress以及其中的插件和主题
  2. 卸载易受攻击的插件和主题
  3. 卸载不使用的插件
  4. 提醒或者强制用户使用强密码

WPScan帮助文档

设置代理、自定义数据集等功能,WPScan也是支持的。请自行参阅WPScan的帮助文档

``` _____________________ __ ___ ___ \ \ / / __ \ / __| \ \ /\ / /| |) | (_ ___ __ _ _ __ ® \ \/ \/ / | __/ ___ \ / __|/ _` | ‘
\ /\ / | | __
) | (| (| | | | | \/ \/ || |/ _|_,|| |_|

     WordPress Security Scanner by the WPScan Team
                     Version 3.8.7
   Sponsored by Automattic - https://automattic.com/
   @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________

Usage: wpscan [options] –url URL The URL of the blog to scan Allowed Protocols: http, https Default Protocol if none provided: http This option is mandatory unless update or help or hh or version is/are supplied -h, –help Display the simple help and exit –hh Display the full help and exit –version Display the version and exit –ignore-main-redirect Ignore the main redirect (if any) and scan the target url -v, –verbose Verbose mode –[no-]banner Whether or not to display the banner Default: true –max-scan-duration SECONDS Abort the scan if it exceeds the time provided in seconds -o, –output FILE Output to FILE -f, –format FORMAT Output results in the format supplied Available choices: cli-no-colour, cli-no-color, json, cli –detection-mode MODE Default: mixed Available choices: mixed, passive, aggressive –scope DOMAINS Comma separated (sub-)domains to consider in scope. Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld Separator to use between the values: ‘,’ –user-agent, –ua VALUE –headers HEADERS Additional headers to append in requests Separator to use between the headers: ‘; ‘ Examples: ‘X-Forwarded-For: 127.0.0.1’, ‘X-Forwarded-For: 127.0.0.1; Another: aaa’ –vhost VALUE The virtual host (Host header) to use in requests –random-user-agent, –rua Use a random user-agent for each scan –user-agents-list FILE-PATH List of agents to use with –random-user-agent Default: /usr/share/rubygems-integration/all/gems/cms_scanner-0.12.1/app/user_agents.txt –http-auth login:password -t, –max-threads VALUE The max threads to use Default: 5 –throttle MilliSeconds Milliseconds to wait before doing another web request. If used, the max threads will be set to 1. –request-timeout SECONDS The request timeout in seconds Default: 60 –connect-timeout SECONDS The connection timeout in seconds Default: 30 –disable-tls-checks Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter) –proxy protocol://IP:port Supported protocols depend on the cURL installed –proxy-auth login:password –cookie-string COOKIE Cookie string to use in requests, format: cookie1=value1[; cookie2=value2] –cookie-jar FILE-PATH File to read and write cookies Default: /tmp/wpscan/cookie_jar.txt –cache-ttl TIME_TO_LIVE The cache time to live in seconds Default: 600 –clear-cache Clear the cache before the scan –cache-dir PATH Default: /tmp/wpscan/cache –server SERVER Force the supplied server module to be loaded Available choices: apache, iis, nginx –force Do not check if the target is running WordPress –[no-]update Whether or not to update the Database –api-token TOKEN The WPVulnDB API Token to display vulnerability data –wp-content-dir DIR The wp-content directory if custom or not detected, such as “wp-content” –wp-plugins-dir DIR The plugins directory if custom or not detected, such as “wp-content/plugins” –interesting-findings-detection MODE Use the supplied mode for the interesting findings detection. Available choices: mixed, passive, aggressive –wp-version-all Check all the version locations –wp-version-detection MODE Use the supplied mode for the WordPress version detection, instead of the global (–detection-mode) mode. Available choices: mixed, passive, aggressive –main-theme-detection MODE Use the supplied mode for the Main theme detection, instead of the global (–detection-mode) mode. Available choices: mixed, passive, aggressive -e, –enumerate [OPTS] Enumeration Process Available Choices: vp Vulnerable plugins ap All plugins p Popular plugins vt Vulnerable themes at All themes t Popular themes tt Timthumbs cb Config backups dbe Db exports u User IDs range. e.g: u1-5 Range separator to use: ‘-‘ Value if no argument supplied: 1-10 m Media IDs range. e.g m1-15 Note: Permalink setting must be set to “Plain” for those to be detected Range separator to use: ‘-‘ Value if no argument supplied: 1-100 Separator to use between the values: ‘,’ Default: All Plugins, Config Backups Value if no argument supplied: vp,vt,tt,cb,dbe,u,m Incompatible choices (only one of each group/s can be used): - vp, ap, p - vt, at, t –exclude-content-based REGEXP_OR_STRING Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration. Both the headers and body are checked. Regexp delimiter…