How to Find Security Vulnerabilities in a WordPress Website Using WPScan

Overview of this article

  • Using WPScan on CentOS
  • Using WPScan on Kali Linux
  • Using Docker
  • Online scanners powered by WPScan
Millions of websites are powered by WordPress, which ranks first in the CMS world with a 62% market share.
A recent web application vulnerability report by Acunetix found that around 30% of WordPress sites were vulnerable.
There are plenty of online security scanners that can scan your website. However, if you are looking for software to install on your own server and scan from there, WPScan is your friend. That is useful when your site sits on a private network or intranet without Internet access, or when you want to test multiple sites many times.
WPScan is free software that helps you identify security-related issues on a WordPress website. Among other things, it:
  • Checks whether the site runs a vulnerable WordPress version
  • Checks whether themes and plugins are up to date or have known vulnerabilities
  • Checks for TimThumb
  • Checks for configuration backups and database exports
  • Runs brute-force (password) attacks
and more...
There are several ways to use WPScan:
  • Install it on a Linux server
  • Use Docker
  • Use a Linux distribution that ships it preinstalled, such as Kali Linux, BackBox, Pentoo or BlackArch
  • Use an online version
Using WPScan on CentOS
The following was tested on CentOS 7.x.
  • Log in to CentOS as root
  • Update the repositories
yum update -y

  • Install the latest Ruby and its dependencies
yum -y install curl gpg gcc gcc-c++ make patch autoconf automake bison libffi-devel libtool patch readline-devel sqlite-devel zlib-devel openssl-devel && gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB && curl -sSL https://get.rvm.io | bash -s stable --ruby

  • Install Ruby Nokogiri
yum -y install rubygem-nokogiri

  • Restart the server, then install WPScan with the gem command
gem install wpscan

The installation takes a few seconds; once it completes you should see something like this.
Done installing documentation for ffi, get_process_mem, mini_portile2, nokogiri, concurrent-ruby, i18n, thread_safe, tzinfo, zeitwerk, activesupport, public_suffix, addressable, opt_parse_validator, ruby-progressbar, ethon, typhoeus, yajl-ruby, sys-proctable, cms_scanner, wpscan after 32 seconds
20 gems installed

WPScan is now installed and ready to use. Run wpscan and you should see the following.
[root@host ~]# wpscan
One of the following options is required: url, update, help, hh, version

Please use --help/-h for the list of available options.
[root@host ~]#

Here is the output of a test against one of the sites.
[root@host ~]# wpscan --url https://geekflaresg.com
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://geekflaresg.com/
[+] Started: Wed Jan  8 21:14:16 2020

Interesting Finding(s):

[+] https://geekflaresg.com/
 | Interesting Entries:
 |  - Server: nginx
 |  - X-Cache-Enabled: True
 |  - Host-Header: 5d77dd967d63c3104bced1db0cace49c
 |  - X-Proxy-Cache: MISS
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] https://geekflaresg.com/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] https://geekflaresg.com/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://geekflaresg.com/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] https://geekflaresg.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.2 identified (Latest, released on 2019-12-18).
 | Found By: Rss Generator (Passive Detection)
 |  - https://geekflaresg.com/feed/, https://wordpress.org/?v=5.3.2
 |  - https://geekflaresg.com/comments/feed/, https://wordpress.org/?v=5.3.2

[+] WordPress theme in use: twentyseventeen
 | Location: https://geekflaresg.com/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: https://geekflaresg.com/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: https://geekflaresg.com/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://geekflaresg.com/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <===================================================> (21 / 21) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed Jan  8 21:14:28 2020
[+] Requests Done: 51
[+] Cached Requests: 7
[+] Data Sent: 9.52 KB
[+] Data Received: 369.97 KB
[+] Memory used: 202.898 MB
[+] Elapsed time: 00:00:12
[root@host ~]#

Note: if you want vulnerability data in the output, you need to use their API (see the --api-token option below).
If you are interested in testing specific aspects, look at the help by running wpscan with --help (or --hh for the full help).
[root@host ~]# wpscan --hh
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Usage: wpscan [options]
        --url URL                                 The URL of the blog to scan
                                                  Allowed Protocols: http, https
                                                  Default Protocol if none provided: http
                                                  This option is mandatory unless update or help or hh or version is/are supplied
    -h, --help                                    Display the simple help and exit
        --hh                                      Display the full help and exit
        --version                                 Display the version and exit
        --ignore-main-redirect                    Ignore the main redirect (if any) and scan the target url
    -v, --verbose                                 Verbose mode
        --[no-]banner                             Whether or not to display the banner
                                                  Default: true
        --max-scan-duration SECONDS               Abort the scan if it exceeds the time provided in seconds
    -o, --output FILE                             Output to FILE
    -f, --format FORMAT                           Output results in the format supplied
                                                  Available choices: cli-no-colour, cli-no-color, cli, json
        --detection-mode MODE                     Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --scope DOMAINS                           Comma separated (sub-)domains to consider in scope.
                                                  Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld
                                                  Separator to use between the values: ','
        --user-agent, --ua VALUE
        --headers HEADERS                         Additional headers to append in requests
                                                  Separator to use between the headers: '; '
                                                  Examples: 'X-Forwarded-For: 127.0.0.1', 'X-Forwarded-For: 127.0.0.1; Another: aaa'
        --vhost VALUE                             The virtual host (Host header) to use in requests
        --random-user-agent, --rua                Use a random user-agent for each scan
        --user-agents-list FILE-PATH              List of agents to use with --random-user-agent
                                                  Default: /usr/local/rvm/gems/ruby-2.6.3/gems/cms_scanner-0.8.1/app/user_agents.txt
        --http-auth login:password
    -t, --max-threads VALUE                       The max threads to use
                                                  Default: 5
        --throttle MilliSeconds                   Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
        --request-timeout SECONDS                 The request timeout in seconds
                                                  Default: 60
        --connect-timeout SECONDS                 The connection timeout in seconds
                                                  Default: 30
        --disable-tls-checks                      Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)
        --proxy protocol://IP:port                Supported protocols depend on the cURL installed
        --proxy-auth login:password
        --cookie-string COOKIE                    Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
        --cookie-jar FILE-PATH                    File to read and write cookies
                                                  Default: /tmp/wpscan/cookie_jar.txt
        --cache-ttl TIME_TO_LIVE                  The cache time to live in seconds
                                                  Default: 600
        --clear-cache                             Clear the cache before the scan
        --cache-dir PATH                          Default: /tmp/wpscan/cache
        --server SERVER                           Force the supplied server module to be loaded
                                                  Available choices: apache, iis, nginx
        --force                                   Do not check if the target is running WordPress
        --[no-]update                             Whether or not to update the Database
        --api-token TOKEN                         The WPVulnDB API Token to display vulnerability data
        --wp-content-dir DIR                      The wp-content directory if custom or not detected, such as "wp-content"
        --wp-plugins-dir DIR                      The plugins directory if custom or not detected, such as "wp-content/plugins"
        --interesting-findings-detection MODE     Use the supplied mode for the interesting findings detection.
                                                  Available choices: mixed, passive, aggressive
        --wp-version-all                          Check all the version locations
        --wp-version-detection MODE               Use the supplied mode for the WordPress version detection, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --main-theme-detection MODE               Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
    -e, --enumerate [OPTS]                        Enumeration Process
                                                  Available Choices:
                                                   vp   Vulnerable plugins
                                                   ap   All plugins
                                                   p    Popular plugins
                                                   vt   Vulnerable themes
                                                   at   All themes
                                                   t    Popular themes
                                                   tt   Timthumbs
                                                   cb   Config backups
                                                   dbe  Db exports
                                                   u    User IDs range. e.g: u1-5
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-10
                                                   m    Media IDs range. e.g m1-15
                                                        Note: Permalink setting must be set to "Plain" for those to be detected
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-100
                                                  Separator to use between the values: ','
                                                  Default: All Plugins, Config Backups
                                                  Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
                                                  Incompatible choices (only one of each group/s can be used):
                                                   - vp, ap, p
                                                   - vt, at, t
        --exclude-content-based REGEXP_OR_STRING  Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
                                                  Both the headers and body are checked.
                                                  Regexp delimiters are not required.
        --plugins-list LIST                       List of plugins to enumerate
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --plugins-detection MODE                  Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.
                                                  Default: passive
                                                  Available choices: mixed, passive, aggressive
        --plugins-version-all                     Check all the plugins version locations according to the choosen mode (--detection-mode, --plugins-detection and --plugins-version-detection)
        --plugins-version-detection MODE          Use the supplied mode to check plugins versions instead of the --detection-mode or --plugins-detection modes.
                                                  Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --plugins-threshold THRESHOLD             Raise an error when the number of detected plugins via known locations reaches the threshold. Set to 0 to ignore the threshold.
                                                  Default: 100
        --themes-list LIST                        List of themes to enumerate
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --themes-detection MODE                   Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --themes-version-all                      Check all the themes version locations according to the choosen mode (--detection-mode, --themes-detection and --themes-version-detection)
        --themes-version-detection MODE           Use the supplied mode to check themes versions instead of the --detection-mode or --themes-detection modes.
                                                  Available choices: mixed, passive, aggressive
        --themes-threshold THRESHOLD              Raise an error when the number of detected themes via known locations reaches the threshold. Set to 0 to ignore the threshold.
                                                  Default: 20
        --timthumbs-list FILE-PATH                List of timthumbs' location to use
                                                  Default: /root/.wpscan/db/timthumbs-v3.txt
        --timthumbs-detection MODE                Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --config-backups-list FILE-PATH           List of config backups' filenames to use
                                                  Default: /root/.wpscan/db/config_backups.txt
        --config-backups-detection MODE           Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --db-exports-list FILE-PATH               List of DB exports' paths to use
                                                  Default: /root/.wpscan/db/db_exports.txt
        --db-exports-detection MODE               Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --medias-detection MODE                   Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
        --users-list LIST                         List of users to check during the users enumeration from the Login Error Messages
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --users-detection MODE                    Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.
                                                  Available choices: mixed, passive, aggressive
    -P, --passwords FILE-PATH                     List of passwords to use during the password attack.
                                                  If no --username/s option supplied, user enumeration will be run.
    -U, --usernames LIST                          List of usernames to use during the password attack.
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --multicall-max-passwords MAX_PWD         Maximum number of passwords to send by request with XMLRPC multicall
                                                  Default: 500
        --password-attack ATTACK                  Force the supplied attack to be used rather than automatically determining one.
                                                  Available choices: wp-login, xmlrpc, xmlrpc-multicall
        --stealthy                                Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive
[root@host ~]#
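The help above lists the options you would combine to make scans repeatable for many sites: -f json and -o FILE to get a machine-readable report, -e to pick what to enumerate, and --api-token to get vulnerability data. The following is an added example (not code from the article or from the WPScan project) that builds such a command line and then triages the JSON report into severity-ranked remediation items, so that the raw findings (outdated theme, reachable xmlrpc.php/readme.html/wp-cron.php, exposed configuration backups) become a to-do list for the site owner. The JSON field names (interesting_findings, version, main_theme, plugins, config_backups, vulnerabilities, fixed_in, references.cve) follow WPScan 3.x's JSON output as I understand it and are an assumption; the sample report is constructed to mirror the article's scan plus one made-up outdated plugin with a placeholder CVE.

```python
"""Build a WPScan JSON-report command line and triage the resulting report.

Added example, not code from the article or the WPScan project. Option names
come from `wpscan --hh`; the JSON field names are an assumption about WPScan
3.x's `-f json` output; the sample report below is constructed.
"""
import json
from typing import Any, Dict, List

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Remediation advice for paths WPScan lists under "interesting_findings".
# The wording is the example author's, not WPScan's.
EXPOSED_PATH_ADVICE = {
    "xmlrpc.php": "xmlrpc.php is reachable: restrict it unless pingbacks or Jetpack need it",
    "readme.html": "readme.html discloses the WordPress version: remove or block it",
    "wp-cron.php": "wp-cron.php is reachable: consider a system cron with DISABLE_WP_CRON",
}


def build_wpscan_cmd(url: str, out_file: str, api_token: str = "",
                     enumerate: str = "vp,vt,cb,dbe") -> List[str]:
    """argv for a scan that writes a JSON report (options from `wpscan --hh`).

    Without --api-token WPScan reports findings but no vulnerability data,
    so the token is appended whenever the caller has one.
    """
    cmd = ["wpscan", "--url", url, "-f", "json", "-o", out_file, "-e", enumerate]
    if api_token:
        cmd += ["--api-token", api_token]
    return cmd


def _vulns(component: Dict[str, Any]) -> List[str]:
    """Render a component's vulnerability entries as one-line strings."""
    lines = []
    for v in component.get("vulnerabilities") or []:
        fixed = v.get("fixed_in") or "no fixed version listed"
        cves = ", ".join(v.get("references", {}).get("cve", [])) or "no CVE"
        lines.append(f"{v['title']} ({cves}); fixed in {fixed}")
    return lines


def triage(report: Dict[str, Any]) -> List[Dict[str, str]]:
    """Turn a WPScan JSON report into severity-ranked remediation rows."""
    rows: List[Dict[str, str]] = []

    core = report.get("version") or {}
    if core.get("status") == "insecure" or core.get("vulnerabilities"):
        rows.append({"severity": "high", "item": f"WordPress core {core.get('number')} is vulnerable"})
        rows += [{"severity": "high", "item": f"core: {v}"} for v in _vulns(core)]

    theme = report.get("main_theme") or {}
    theme_version = (theme.get("version") or {}).get("number")
    if theme.get("outdated"):
        rows.append({"severity": "medium",
                     "item": f"theme {theme.get('slug')} {theme_version} is outdated "
                             f"(latest {theme.get('latest_version')})"})
    rows += [{"severity": "high", "item": f"theme {theme.get('slug')}: {v}"} for v in _vulns(theme)]

    for slug, plugin in (report.get("plugins") or {}).items():
        if plugin.get("outdated"):
            rows.append({"severity": "medium",
                         "item": f"plugin {slug} is outdated (latest {plugin.get('latest_version')})"})
        rows += [{"severity": "high", "item": f"plugin {slug}: {v}"} for v in _vulns(plugin)]

    for path in report.get("config_backups") or {}:
        rows.append({"severity": "high", "item": f"configuration backup exposed at {path}"})

    for finding in report.get("interesting_findings") or []:
        for path, advice in EXPOSED_PATH_ADVICE.items():
            if finding.get("url", "").endswith("/" + path):
                rows.append({"severity": "low", "item": advice})

    # Python's sort is stable, so discovery order is kept within each level.
    rows.sort(key=lambda r: SEVERITY_ORDER[r["severity"]])
    return rows


# Constructed sample report: the article's findings (xmlrpc.php, readme.html,
# wp-cron.php, current core, outdated Twenty Seventeen) plus a made-up
# outdated plugin with a placeholder CVE so the vulnerability path is exercised.
SAMPLE_REPORT = json.loads("""
{
  "target_url": "https://geekflaresg.com/",
  "interesting_findings": [
    {"url": "https://geekflaresg.com/xmlrpc.php", "type": "xmlrpc", "confidence": 100},
    {"url": "https://geekflaresg.com/readme.html", "type": "readme", "confidence": 100},
    {"url": "https://geekflaresg.com/wp-cron.php", "type": "wp_cron", "confidence": 60}
  ],
  "version": {"number": "5.3.2", "status": "latest", "vulnerabilities": []},
  "main_theme": {"slug": "twentyseventeen", "version": {"number": "2.1"},
                 "latest_version": "2.2", "outdated": true, "vulnerabilities": []},
  "plugins": {
    "example-plugin": {"slug": "example-plugin", "version": {"number": "1.0.0"},
                       "latest_version": "2.0.0", "outdated": true,
                       "vulnerabilities": [{"title": "Example Plugin < 2.0.0 - constructed sample issue",
                                            "fixed_in": "2.0.0",
                                            "references": {"cve": ["CVE-0000-00000"]}}]}
  },
  "config_backups": {}
}
""")

if __name__ == "__main__":
    print(" ".join(build_wpscan_cmd("https://example.com", "report.json", "<API_TOKEN>")))
    for row in triage(SAMPLE_REPORT):
        print(f"[{row['severity']:6}] {row['item']}")
```

In practice you would run the command returned by build_wpscan_cmd (for example with subprocess.run) for each site in a list, then feed the report.json it writes to triage and diff the rows against the previous run; anything that moves from "current" to "outdated" or gains a vulnerability entry is the item to patch first.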

Using WPScan on Kali Linux
The good thing about Kali Linux is that you do not need to install anything: WPScan comes preinstalled.
Let's see how to run the scanner.
  • Log in to Kali Linux as root and open a terminal
  • Run the scan with the wpscan command
wpscan --url https://mysite.com

Using Docker
A Docker fan?
Why not, it is easy to get started. Make sure Docker is installed.
  • Pull the WPScan Docker image
docker pull wpscanteam/wpscan

  • Once pulled, run it as below.
docker run -it --rm wpscanteam/wpscan --url https://example.com

Easy?
Online scanners powered by WPScan
You can use the following tools, which are powered by WPScan.
Geekflare
The Geekflare WordPress Security Scanner lets you quickly find out whether a given WordPress site has a vulnerable core version, themes, plugins and so on.
Besides the WPScan checks, it also checks the following.
  • Whether the admin console is exposed
  • Whether Google considers the site safe
  • Whether the site is reachable over HTTPS
  • Whether the front-end JavaScript libraries are vulnerable
You do not need to register an account; you can run the test on demand for free.
Pentest-Tools
The Pentest-Tools scanner lets you test a WP site on demand and generate a report.
What's next?
Well done if your site is not vulnerable. If it is, you can work through the risk items the scan reports. If you are not sure how to mitigate them, seek professional help.
