Category:

WPScan

WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use it to be for security professionals or WordPress administrators to asses the security posture of their WordPress installations. The code base is Open Source and licensed under the GPLv3.

Database

WPSeku – Wordpress Security Scanner

by blackMORE November 29, 2017

written by blackMORE

WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Features of WPSeku WordPress Security Scanner

WPSeku supports various types of scanning including:

Testing for XSS Vulnerabilities
Testing for SQL Injection Vulnerabilities
Testing for LFI Vulnerabilities
Bruteforce login via xmlrpc
Username Enumeration
Proxy Support
Method (GET/POST)
Custom Wordlists
Custom user-agent

It also uses the WPVulnDB Vulnerability Database API at https://wpvulndb.com/api.

Installation

$ git clone https://github.com/m4ll0k/WPSeku.git wpseku
$ cd wpseku
$ pip install -r requirements.txt
$ python wpseku.py

Usage

python wpseku.py –target http://site.com –ragent

\ \      / /  _ \/ ___|  ___| | ___   _ 
 \ \ /\ / /| |_) \___ \ / _ \ |/ / | | |
  \ V  V / |  __/ ___) |  __/   <| |_| |
   \_/\_/  |_|   |____/ \___|_|\_\\__,_|
                                         
|| WPSeku - Wordpress Security Scanner   
|| Version 0.2.1                         
|| Momo Outaadi (M4ll0k)                 
|| https://github.com/m4ll0k/WPSeku


Usage: ./wpseku.py [--target|-t] http://localhost
		-t --target		Target URL (eg: http://localhost)
		-x --xss		Testing XSS vulns
		-s --sql		Testing SQL vulns
		-l --lfi		Testing LFI vulns
		-q --query		Testable parameters (eg: "id=1&test=1")
		-b --brute		Bruteforce login via xmlrpc
		-u --user		Set username, default=admin
		-p --proxy		Set proxy, (host:port)
		-m --method		Set method (GET/POST)
		-c --cookie		Set cookies
		-w --wordlist	Set wordlist
		-a --agent		Set user-agent
		-r --redirect	Redirect target url, default=True
		-h --help		Show this help and exit

Examples:
		wpseku.py --target http://localhost
		wpseku.py -t http://localhost/wp-admin/post.php -m GET -q "post=49&action=edit" [-x,-s,-l]
		wpseku.py --target http://localhost --brute --wordlist dict.txt
		wpseku.py --target http://localhost --brute --user test --wordlist dict.txt

Credits and Contributors

Original idea and script from WPScan Team (https://wpscan.org/)

WPScan Vulnerability Database (https://wpvulndb.com/api)

– Plecost – WordPress Fingerprinting Tool
– CMSmap – Content Management System Security Scanner
– WPScan – WordPress Vulnerability Scanner

You can download WPSeku here: WPSeku-master.zip

Or read more here.

November 29, 2017 0 comments

Security

WPSCAN and quick wordpress security – Fixing Direcroty Listing – Part 2

by blackMORE November 25, 2013

written by blackMORE

This is a part 2 of the guide WPSCAN and quick wordpress security. It guides reader on how to fix Directory listing in Wordpress. Read part 1 here WPSCAN and quick wordpress security – Part 1

Run WPSCAN

WPSCAN shows I have Directory listing enabled.

root@kali:~# wpscan --url www.blackmoreops.com
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                        Version v2.2
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started: Sun Nov 24 14:53:26 2013

[+] robots.txt available under: 'http://www.blackmoreops.com/robots.txt'
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ... 
 |  2 plugins found:

 | Name: google-analyticator
 | Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
 | Directory listing enabled: Yes

 | Name: jetpack
 | Location: http://www.blackmoreops.com/wp-content/plugins/jetpack/
 | Directory listing enabled: Yes

[+] Finished: Sun Nov 24 14:54:50 2013
[+] Memory used: 2.742 MB
[+] Elapsed time: 00:01:23
Exiting!
root@kali:~#

So how to fix this?

Fixing Directory Listing:

Option 1:

This is the easiest method of all. Add the following line to the .htaccess file that lives at root…

Options -Indexes

This will automatically turn off indexing for ALL folders/subfolders sitewide. If you add that line to a .htaccess file in wp-contents it will disable indexing not only for that folder but for the folders below it and so forth.

Options 2:

Add the following line to the .htaccess file that lives at root…

IndexIgnore *

The * matches all files in the directory. What is the difference between the two? Method b allows you to restrict only a subset of files from being viewed. For example, let’s say for some reason you want the directory content to be viewable but block image files. You would do this…

IndexIgnore *.gif *.png *.jpg

Thats should do it.

Let’s put it to the test..

Testing:

Do another wpscan

root@kali:~#
root@kali:~# wpscan --url www.blackmoreops.com
_______________________________________________________________
__          _______   _____
\ \        / /  __ \ / ____|
\ \  /\  / /| |__) | (___   ___  __ _ _ __
\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
\  /\  /  | |     ____) | (__| (_| | | | |
\/  \/   |_|    |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version v2.2
Sponsored by the RandomStorm Open Source Initiative
@_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started: Sun Nov 24 15:19:30 2013

[+] robots.txt available under: 'http://www.blackmoreops.com/robots.txt'
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
|  2 plugins found:

| Name: google-analyticator
| Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/

| Name: jetpack
| Location: http://www.blackmoreops.com/wp-content/plugins/jetpack/

[+] Finished: Sun Nov 24 15:21:18 2013
[+] Memory used: 2.734 MB
[+] Elapsed time: 00:01:47
Exiting!
root@kali:~#

Nice, worked like a charm, no more Directory listing enabled warning. Don’t forget to read part of this guide WPSCAN and quick wordpress security – Part 1.

November 25, 2013 0 comments

Sound

WPSCAN and quick wordpress security

by blackMORE October 14, 2013

written by blackMORE

This is a quick and simple guide utilizing wpscan to scan wordpress and fix some security issues. Very simple and easy to follow.

Readers: Please read WPSCAN and quick wordpress security – Fixing Direcroty Listing – Part 2 of this series that outlines on how to fix Directory Listing.

A simple WPSCAN done on my site:

# wpscan --url www.blackmoreops.com

Output:

____________________________________________________
__          _______   _____
\ \        / /  __ \ / ____|
\ \  /\  / /| |__) | (___   ___  __ _ _ __
\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
\  /\  /  | |     ____) | (__| (_| | | | |
\/  \/   |_|    |_____/ \___|\__,_|_| |_| v2.1rNA
WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://www.blackmoreops.com/
| Started on Sun Oct 13 13:39:25 2013
[31m[!][0m The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[31m[!][0m Full Path Disclosure (FPD) in 'http://www.blackmoreops.com/wp-includes/rss-functions.php'
[32m[+][0m XML-RPC Interface available under http://www.blackmoreops.com/xmlrpc.php
[32m[+][0m WordPress version 3.6.1 identified from meta generator
[32m[+][0m The WordPress theme in use is twentyten v1.6
| Name: twentyten v1.6
| Location: http://www.blackmoreops.com/wp-content/themes/twentyten/
[32m[+][0m Enumerating plugins from passive detection ...
3 plugins found :
| Name: add-to-any v1.2.5
| Location: http://www.blackmoreops.com/wp-content/plugins/add-to-any/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/add-to-any/README.txt
| Name: captcha v3.8.4
| Location: http://www.blackmoreops.com/wp-content/plugins/captcha/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/captcha/readme.txt
| Name: google-analyticator v6.4.5
| Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/readme.txt
[32m[+] Finished at Sun Oct 13 13:39:51 2013[0m
[32m[+] Elapsed time: 00:00:26[0m

Two things that were marked as possible vulnerabilities:

[31m[!][0m The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[31m[!][0m Full Path Disclosure (FPD) in 'http://www.blackmoreops.com/wp-includes/rss-functions.php'

readme.html file should be deleted as it gives away version info. Now there are more ways to find WP version, but usual scans will depend on it to determine version info. Not that it makes much of a difference, why keep something you don’t need?

Full Path Disclosure (FPD) will give away your folder structure and username. We would like to fix that.

readme.html file can be deleted safely. So that fixes that problem.

For FPD, add the following line to your .htaccess file in root folder.

php_flag display_errors off

This would fix the problem.

Now lets see how WPSCAN behaves when we do another scan:

____________________________________________________
__          _______   _____
\ \        / /  __ \ / ____|
\ \  /\  / /| |__) | (___   ___  __ _ _ __
\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
\  /\  /  | |     ____) | (__| (_| | | | |
\/  \/   |_|    |_____/ \___|\__,_|_| |_| v2.1rNA
WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://www.blackmoreops.com/
| Started on Sun Oct 13 13:56:46 2013
[32m[+][0m XML-RPC Interface available under http://www.blackmoreops.com/xmlrpc.php
[32m[+][0m WordPress version 3.6.1 identified from meta generator
[32m[+][0m The WordPress theme in use is twentyten v1.6
| Name: twentyten v1.6
| Location: http://www.blackmoreops.com/wp-content/themes/twentyten/
[32m[+][0m Enumerating plugins from passive detection ...
3 plugins found :
| Name: add-to-any v1.2.5
| Location: http://www.blackmoreops.com/wp-content/plugins/add-to-any/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/add-to-any/README.txt
| Name: captcha v3.8.4
| Location: http://www.blackmoreops.com/wp-content/plugins/captcha/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/captcha/readme.txt
| Name: google-analyticator v6.4.5
| Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/readme.txt
[32m[+] Finished at Sun Oct 13 13:57:46 2013[0m
[32m[+] Elapsed time: 00:00:59[0m

There you go, both warning fixed.

Saying all that try to follow these 3 steps to make your site more secured:

Update WordPress, Themes & Plugins – One of the most important things you can do is keep your software up to date. Whenever there is a new version of WordPress, or a new version of one of your themes or plugins, update them as soon as possible. This goes for your inactive themes and plugins too. Keep them updated, or if you don’t plan on using them any time soon, delete them so you don’t forget to update them.
Limit Login Attempts – If you have a secure password and admin username, then you should be fairly safe against brute force login attacks. Just in case, however, you can also limit login attempts.
Disable Administrative File Editing – In the unfortunate event that someone gains access to your WordPress Dashboard, you should try and limit the resources they have to do damage. Using the WordPress Editor to modify your theme’s PHP files is an easy way to execute malicious code on your site and effectively let the pentester do whatever they want with your website. These editing capabilities can be disable in your wp-config file using define( ‘DISALLOW_FILE_EDIT’, true );

Readers: Please read WPSCAN and quick wordpress security – Fixing Direcroty Listing – Part 2 of this series that outlines on how to fix Directory Listing.

October 14, 2013 2 comments