如何使用WPScan在WordPress网站上查找安全漏洞（）

本文概述

在CentOS上使用
在Kali Linux上使用WPScan
使用Docker
WPScan支持的在线扫描仪

数以百万计的网站由WordPress提供支持, 并排名第一, 在CMS世界中占有62％的市场份额。
【如何使用WPScan在WordPress网站上查找安全漏洞（）】Acunetix最近发布的Web应用程序漏洞报告显示, 大约30％的WordPress网站被发现易受攻击。

文章图片
有很多在线安全扫描程序可以扫描你的网站。但是, 如果你正在寻找要从服务器安装和扫描的软件, 则WPScan是你的朋友。如果你的网站位于不可用Internet的专用网络或Intranet上, 则将很有用。或者, 想要多次测试多个站点。
WPScan是免费软件, 可帮助你确定WordPress网站上与安全相关的问题。它执行以下几项操作：

检查网站是否使用易受攻击的WP版本
检查主题和插件是否为最新或已知易受攻击
检查廷图姆
检查配置备份, 数据库导出
蛮力攻击

还有更多……
有几种使用WPScan的方法。

通过在Linux服务器上安装
使用Docker
使用预装的Linux发行版, 例如Kali Linux, BackBox, Pentoo, BlackArch等。
在线版

在CentOS上使用以下在CentOS 7.x上进行了测试。

用root登录到CentOS
更新资料库

yum update -y

安装最新的Ruby及其依赖项

yum -y install curl gpg gcc gcc-c++ make patch autoconf automake bison libffi-devel libtool patch readline-devel sqlite-devel zlib-devel openssl-devel & & gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB & & curl -sSL https://get.rvm.io | bash -s stable --ruby

安装Ruby Nokogiri

yum -y install rubygem-nokogiri

重新启动服务器, 然后使用gem命令安装WPScan

gem install wpscan

安装将需要几秒钟的时间, 安装完成后；你应该会看到类似这样的内容。

Done installing documentation for ffi, get_process_mem, mini_portile2, nokogiri, concurrent-ruby, i18n, thread_safe, tzinfo, zeitwerk, activesupport, public_suffix, addressable, opt_parse_validator, ruby-progressbar, ethon, typhoeus, yajl-ruby, sys-proctable, cms_scanner, wpscan after 32 seconds20 gems installed

WPScan已安装并可以立即使用。执行wpscan, 你应该在下面看到它的返回。

[[email protected] ~]# wpscanOne of the following options is required: url, update, help, hh, versionPlease use --help/-h for the list of available options.[[email protected] ~]#

这是该网站测试之一的输出。

[[email protected] ~]# wpscan --url https://geekflaresg.com_____________________________________________________________________________\ \/ /__ \ / ____|\ \/\/ /| |__) | (________ _ _ __ ?\ \/\/ / |___/ \___ \ / __|/ _` | '_ \\/\/| |____) | (__| (_| | | | |\/\/|_||_____/ \___|\__, _|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.7.6Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart_______________________________________________________________[+] URL: https://geekflaresg.com/[+] Started: Wed Jan8 21:14:16 2020Interesting Finding(s):[+] https://geekflaresg.com/ | Interesting Entries: |- Server: nginx |- X-Cache-Enabled: True |- Host-Header: 5d77dd967d63c3104bced1db0cace49c |- X-Proxy-Cache: MISS | Found By: Headers (Passive Detection) | Confidence: 100%[+] https://geekflaresg.com/robots.txt | Interesting Entries: |- /wp-admin/ |- /wp-admin/admin-ajax.php | Found By: Robots Txt (Aggressive Detection) | Confidence: 100%[+] https://geekflaresg.com/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: |- http://codex.wordpress.org/XML-RPC_Pingback_API |- https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner |- https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos |- https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login |- https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access[+] https://geekflaresg.com/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100%[+] https://geekflaresg.com/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: |- https://www.iplocation.net/defend-wordpress-from-ddos |- https://github.com/wpscanteam/wpscan/issues/1299[+] WordPress version 5.3.2 identified (Latest, released on 2019-12-18). | Found By: Rss Generator (Passive Detection) |- https://geekflaresg.com/feed/, https://wordpress.org/?v=5.3.2 |- https://geekflaresg.com/comments/feed/, https://wordpress.org/?v=5.3.2[+] WordPress theme in use: twentyseventeen | Location: https://geekflaresg.com/wp-content/themes/twentyseventeen/ | Last Updated: 2019-05-07T00:00:00.000Z | Readme: https://geekflaresg.com/wp-content/themes/twentyseventeen/README.txt | [!] The version is out of date, the latest version is 2.2 | Style URL: https://geekflaresg.com/wp-content/themes/twentyseventeen/style.css | Style Name: Twenty Seventeen | Style URI: https://wordpress.org/themes/twentyseventeen/ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | | Version: 2.1 (80% confidence) | Found By: Style (Passive Detection) |- https://geekflaresg.com/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.1'[+] Enumerating All Plugins (via Passive Methods)[i] No plugins Found.[+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:01 < ===================================================================================================> (21 / 21) 100.00% Time: 00:00:01[i] No Config Backups Found.[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up[+] Finished: Wed Jan8 21:14:28 2020[+] Requests Done: 51[+] Cached Requests: 7[+] Data Sent: 9.52 KB[+] Data Received: 369.97 KB[+] Memory used: 202.898 MB[+] Elapsed time: 00:00:12[[email protected] ~]#

注意：如果需要在输出中提供漏洞数据, 则需要使用其API。
如果你对测试特定指标感兴趣, 请通过使用– help语法执行wpscan来查看帮助。

[[email protected] ~]# wpscan --hh_____________________________________________________________________________\ \/ /__ \ / ____|\ \/\/ /| |__) | (________ _ _ __ ?\ \/\/ / |___/ \___ \ / __|/ _` | '_ \\/\/| |____) | (__| (_| | | | |\/\/|_||_____/ \___|\__, _|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.7.6Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart_______________________________________________________________Usage: wpscan [options]--url URLThe URL of the blog to scanAllowed Protocols: http, httpsDefault Protocol if none provided: httpThis option is mandatory unless update or help or hh or version is/are supplied-h, --helpDisplay the simple help and exit--hhDisplay the full help and exit--versionDisplay the version and exit--ignore-main-redirectIgnore the main redirect (if any) and scan the target url-v, --verboseVerbose mode--[no-]bannerWhether or not to display the bannerDefault: true--max-scan-duration SECONDSAbort the scan if it exceeds the time provided in seconds-o, --output FILEOutput to FILE-f, --format FORMATOutput results in the format suppliedAvailable choices: cli-no-colour, cli-no-color, cli, json--detection-mode MODEDefault: mixedAvailable choices: mixed, passive, aggressive--scope DOMAINSComma separated (sub-)domains to consider in scope. Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tldSeparator to use between the values: ', '--user-agent, --ua VALUE--headers HEADERSAdditional headers to append in requestsSeparator to use between the headers: '; 'Examples: 'X-Forwarded-For: 127.0.0.1', 'X-Forwarded-For: 127.0.0.1; Another: aaa'--vhost VALUEThe virtual host (Host header) to use in requests--random-user-agent, --ruaUse a random user-agent for each scan--user-agents-list FILE-PATHList of agents to use with --random-user-agentDefault: /usr/local/rvm/gems/ruby-2.6.3/gems/cms_scanner-0.8.1/app/user_agents.txt--http-auth login:password-t, --max-threads VALUEThe max threads to useDefault: 5--throttle MilliSecondsMilliseconds to wait before doing another web request. If used, the max threads will be set to 1.--request-timeout SECONDSThe request timeout in secondsDefault: 60--connect-timeout SECONDSThe connection timeout in secondsDefault: 30--disable-tls-checksDisables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)--proxy protocol://IP:portSupported protocols depend on the cURL installed--proxy-auth login:password--cookie-string COOKIECookie string to use in requests, format: cookie1=value1[; cookie2=value2]--cookie-jar FILE-PATHFile to read and write cookiesDefault: /tmp/wpscan/cookie_jar.txt--cache-ttl TIME_TO_LIVEThe cache time to live in secondsDefault: 600--clear-cacheClear the cache before the scan--cache-dir PATHDefault: /tmp/wpscan/cache--server SERVERForce the supplied server module to be loadedAvailable choices: apache, iis, nginx--forceDo not check if the target is running WordPress--[no-]updateWhether or not to update the Database--api-token TOKENThe WPVulnDB API Token to display vulnerability data--wp-content-dir DIRThe wp-content directory if custom or not detected, such as "wp-content"--wp-plugins-dir DIRThe plugins directory if custom or not detected, such as "wp-content/plugins"--interesting-findings-detection MODEUse the supplied mode for the interesting findings detection. Available choices: mixed, passive, aggressive--wp-version-allCheck all the version locations--wp-version-detection MODEUse the supplied mode for the WordPress version detection, instead of the global (--detection-mode) mode.Available choices: mixed, passive, aggressive--main-theme-detection MODEUse the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.Available choices: mixed, passive, aggressive-e, --enumerate [OPTS]Enumeration ProcessAvailable Choices:vpVulnerable pluginsapAll pluginspPopular pluginsvtVulnerable themesatAll themestPopular themesttTimthumbscbConfig backupsdbeDb exportsuUser IDs range. e.g: u1-5Range separator to use: '-'Value if no argument supplied: 1-10mMedia IDs range. e.g m1-15Note: Permalink setting must be set to "Plain" for those to be detectedRange separator to use: '-'Value if no argument supplied: 1-100Separator to use between the values: ', 'Default: All Plugins, Config BackupsValue if no argument supplied: vp, vt, tt, cb, dbe, u, mIncompatible choices (only one of each group/s can be used):- vp, ap, p- vt, at, t--exclude-content-based REGEXP_OR_STRINGExclude all responses matching the Regexp (case insensitive) during parts of the enumeration.Both the headers and body are checked. Regexp delimiters are not required.--plugins-list LISTList of plugins to enumerateExamples: 'a1', 'a1, a2, a3', '/tmp/a.txt'--plugins-detection MODEUse the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode.Default: passiveAvailable choices: mixed, passive, aggressive--plugins-version-allCheck all the plugins version locations according to the choosen mode (--detection-mode, --plugins-detection and --plugins-version-detection)--plugins-version-detection MODEUse the supplied mode to check plugins versions instead of the --detection-mode or --plugins-detection modes.Default: mixedAvailable choices: mixed, passive, aggressive--plugins-threshold THRESHOLDRaise an error when the number of detected plugins via known locations reaches the threshold. Set to 0 to ignore the threshold.Default: 100--themes-list LISTList of themes to enumerateExamples: 'a1', 'a1, a2, a3', '/tmp/a.txt'--themes-detection MODEUse the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.Available choices: mixed, passive, aggressive--themes-version-allCheck all the themes version locations according to the choosen mode (--detection-mode, --themes-detection and --themes-version-detection)--themes-version-detection MODEUse the supplied mode to check themes versions instead of the --detection-mode or --themes-detection modes.Available choices: mixed, passive, aggressive--themes-threshold THRESHOLDRaise an error when the number of detected themes via known locations reaches the threshold. Set to 0 to ignore the threshold.Default: 20--timthumbs-list FILE-PATHList of timthumbs' location to useDefault: /root/.wpscan/db/timthumbs-v3.txt--timthumbs-detection MODEUse the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.Available choices: mixed, passive, aggressive--config-backups-list FILE-PATHList of config backups' filenames to useDefault: /root/.wpscan/db/config_backups.txt--config-backups-detection MODEUse the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.Available choices: mixed, passive, aggressive--db-exports-list FILE-PATHList of DB exports' paths to useDefault: /root/.wpscan/db/db_exports.txt--db-exports-detection MODEUse the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.Available choices: mixed, passive, aggressive--medias-detection MODEUse the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.Available choices: mixed, passive, aggressive--users-list LISTList of users to check during the users enumeration from the Login Error MessagesExamples: 'a1', 'a1, a2, a3', '/tmp/a.txt'--users-detection MODEUse the supplied mode to enumerate Users, instead of the global (--detection-mode) mode.Available choices: mixed, passive, aggressive-P, --passwords FILE-PATHList of passwords to use during the password attack.If no --username/s option supplied, user enumeration will be run.-U, --usernames LISTList of usernames to use during the password attack.Examples: 'a1', 'a1, a2, a3', '/tmp/a.txt'--multicall-max-passwords MAX_PWDMaximum number of passwords to send by request with XMLRPC multicallDefault: 500--password-attack ATTACKForce the supplied attack to be used rather than automatically determining one.Available choices: wp-login, xmlrpc, xmlrpc-multicall--stealthyAlias for --random-user-agent --detection-mode passive --plugins-version-detection passive[[email protected] ~]#

在Kali Linux上使用WPScan 使用Kali Linux的好处在于你无需安装任何东西。 WPScan已预安装。
让我们了解一下如何运行扫描仪。