WPSCAN – Encuentre vulnerabilidades en sitios de WordPress

Share this…

WPScan encuentra vulnerabilidades en los sitios web de WordPress. Esta herramienta es conocida por escanear vulnerabilidades dentro de la versión principal, los complementos y los temas de cualquier sitio en WordPress. WPScan incluso encuentra contraseñas débiles, además de problemas de configuración de usuario y de seguridad. Según una investigación realizada por especialistas en hacking ético del Instituto Internacional de Seguridad Cibernética, la mayoría de los sitios web de WordPress que se ejecutan en la red contienen vulnerabilidades.

Nota: – Deberá siempre actualizar la base de datos de WPScan antes de escanear el sitio web en busca de vulnerabilidades

Instalar WPScan

Para instalar desde WPS puede usar github: https://github.com/wpscanteam/wpscan.git

git clone https://github.com/wpscanteam/wpscan

cd wpscan/

bundle install && rake install

O también puede instalar wpscan usando apt-get

  • Para instalar wpscan en el terminal de Linux, escriba sudo apt-get update

  • Luego escriba sudo apt-get install wpscan para instalar wpscan

  • Después de ejecutar la instalación, para iniciar WPScan simplemente vaya al terminal de Linux y escriba wpscan –help. Como se muestra abajo:

  • Puede utilizar cualquier opción para escanear el sitio vulnerable de wordpress

Escanear la URL

 

root@kali:/home/iicybersecurity/wpscan# wpscan --url https://www.shroffeyecentre.com/




[+] URL: https://www.shroffeyecentre.com/

[+] Started: Sun Nov 11 11:05:49 2018

Interesting Finding(s):

[+] https://www.shroffeyecentre.com/

 | Interesting Entry: Server: nginx/1.14.1

 | Found By: Headers (Passive Detection)

 | Confidence: 100%

[+] https://www.shroffeyecentre.com/robots.txt

 | Found By: Robots Txt (Aggressive Detection)

 | Confidence: 100%




[+] https://www.shroffeyecentre.com/xmlrpc.php

 | Found By: Headers (Passive Detection)

 | Confidence: 60%

 | Confirmed By: Link Tag (Passive Detection), 30% confidence

 | References:

 | - https://codex.wordpress.org/XML-RPC_Pingback_API

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner

 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access




[+] https://www.shroffeyecentre.com/readme.html

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%




 | - https://www.shroffeyecentre.com/comments/feed/, https://wordpress.org/?v=4.9.8

 | - https://www.shroffeyecentre.com/home/feed/, https://wordpress.org/?v=4.9.8




[+] WordPress theme in use: shroff

 | Location: https://www.shroffeyecentre.com/wp-content/themes/shroff/

 | Style URL: https://www.shroffeyecentre.com/wp-content/themes/shroff/style.css?ver=2013-07-18

 | Style Name: Twenty Thirteen

 | Style URI: https://wordpress.org/themes/twentythirteen

 | Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each...

 | Author: the WordPress team

 | Author URI: https://wordpress.org/

 |

 | Detected By: Css Style (Passive Detection)

 |

 | Version: 1.1 (80% confidence)

 | Detected By: Style (Passive Detection)

 | - https://www.shroffeyecentre.com/wp-content/themes/shroff/style.css?ver=2013-07-18, Match: 'Version: 1.1'




[+] Enumerating All Plugins

[+] Checking Plugin Versions




[i] Plugin(s) Identified:




[+] contact-form-7

 | Location: https://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/

 | Last Updated: 2018-10-29T23:58:00.000Z

 | [!] The version is out of date, the latest version is 5.0.5

 |

 | Detected By: Urls In Homepage (Passive Detection)

 |

 | [!] 1 vulnerability identified:

 |

 | [!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation

 | Fixed in: 5.0.4

 | References:

 | - https://wpvulndb.com/vulnerabilities/9127

 | - https://contactform7.com/2018/09/04/contact-form-7-504/

 | - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7

 |

 | Version: 3.7.2 (20% confidence)

 | Detected By: Query Parameter (Passive Detection)

 | - https://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.7.2

 | - https://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.7.2




[+] revslider

 | Location: https://www.shroffeyecentre.com/wp-content/plugins/revslider/

 |

 | Detected By: Urls In Homepage (Passive Detection)

 | Confirmed By: Comment (Passive Detection)

 |

 | [!] 2 vulnerabilities identified:

 |

 | [!] Title: WordPress Slider Revolution Local File Disclosure

 | Fixed in: 4.1.5

 | References:

 | - https://wpvulndb.com/vulnerabilities/7540

 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579

 | - https://www.exploit-db.com/exploits/34511/

 | - https://www.exploit-db.com/exploits/36039/

 | - https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

 | - https://packetstormsecurity.com/files/129761/

 |

 | [!] Title: WordPress Slider Revolution Shell Upload

 | Fixed in: 3.0.96

 | References:

 | - https://wpvulndb.com/vulnerabilities/7954

 | - https://www.exploit-db.com/exploits/35385/

 | - https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/

 | - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_revslider_upload_execute

 |

 | Version: 2.3.9 (60% confidence)

 | Detected By: Comment (Passive Detection)

 | - https://www.shroffeyecentre.com/, Match: 'START REVOLUTION SLIDER 2.3.9'

[+] Enumerating Config Backups

 Checking Config Backups - Time: 00:00:05 (21 / 21) 100.00% Time: 00:00:05

  • En la salida anterior, después de escanear el sitio vulnerable, muestra el servidor que está siendo utilizado por el sitio vulnerable, WPScan muestra el tema de WordPress que usa el objetivo
  • Se muestran 2 vulnerabilidades que se pueden usar en un ataque de escalado de privilegios en el que un hacker puede obtener acceso al objetivo. Y el segundo es la divulgación de archivos locales que puede mostrar la ruta del archivo webroot
  • El escaneo anterior muestra la versión de WordPress. Muestra la descripción del sitio web objetivo que se puede utilizar en la fase inicial de recopilación de información

Utilizar a fondo

Teclee wpscan –url https://www.shroffeyecentre.com –verbose

root@kali:/home/iicybersecurity/wpscan# wpscan --url https://www.shroffeyecentre.com/ --verbose

[+] URL: https://www.shroffeyecentre.com

[+] Started: Sun Nov 11 13:21:08 2018

Interesting Finding(s):

[+] https://www.shroffeyecentre.com/

 | Interesting Entry: Server: nginx/1.14.1

 | Found By: Headers (Passive Detection)

 | Confidence: 100%

[+] https://www.shroffeyecentre.com/robots.txt

 | Found By: Robots Txt (Aggressive Detection)

 | Confidence: 100%




[+] https://www.shroffeyecentre.com/xmlrpc.php

 | Found By: Headers (Passive Detection)

 | Confidence: 60%

 | Confirmed By: Link Tag (Passive Detection), 30% confidence

 | References:

 | - https://codex.wordpress.org/XML-RPC_Pingback_API

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner

 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login

 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access




[+] https://www.shroffeyecentre.com/readme.html

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%




[+] This site has 'Must Use Plugins': https://www.shroffeyecentre.com/wp-content/mu-plugins/

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 80%

 | Reference: https://codex.wordpress.org/Must_Use_Plugins




[+] Upload directory has listing enabled: https://www.shroffeyecentre.com/wp-content/uploads/

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%




[+] WordPress version 4.9.8 identified (Released on 2018-08-02).

 | Detected By: Rss Generator (Passive Detection)

 | - https://www.shroffeyecentre.com/feed/, https://wordpress.org/?v=4.9.8

 | - https://www.shroffeyecentre.com/comments/feed/, https://wordpress.org/?v=4.9.8

 | - https://www.shroffeyecentre.com/home/feed/, https://wordpress.org/?v=4.9.8




[+] WordPress theme in use: shroff

 | Location: https://www.shroffeyecentre.com/wp-content/themes/shroff/

 | Style URL: https://www.shroffeyecentre.com/wp-content/themes/shroff/style.css?ver=2013-07-18

 | Style Name: Twenty Thirteen

 | Style URI: https://wordpress.org/themes/twentythirteen

 | Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each displayed beautifully in their own unique way. Design details abound, starting with a vibrant color scheme and matching header images, beautiful typography and icons, and a flexible layout that looks great on any device, big or small.

 | Author: the WordPress team

 | Author URI: https://wordpress.org/

 | License: GNU General Public License v2 or later

 | License URI: https://www.gnu.org/licenses/gpl-2.0.html

 | Tags: black, brown, orange, tan, white, yellow, light, one-column, two-columns, right-sidebar, fluid-layout, responsive-layout, custom-header, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, translation-ready

 | Text Domain: twentythirteen

 |

 | Detected By: Css Style (Passive Detection)

 |

 | Version: 1.1 (80% confidence)

 | Detected By: Style (Passive Detection)

 | - https://www.shroffeyecentre.com/wp-content/themes/shroff/style.css?ver=2013-07-18, Match: 'Version: 1.1'




[+] Enumerating All Plugins

[+] Checking Plugin Versions




[i] Plugin(s) Identified:




[+] contact-form-7

 | Location: https://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/

 | Last Updated: 2018-10-29T23:58:00.000Z

 | [!] The version is out of date, the latest version is 5.0.5

 |

 | Detected By: Urls In Homepage (Passive Detection)

 |

 | [!] 1 vulnerability identified:

 |

 | [!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation

 | Fixed in: 5.0.4

 | References:

 | - https://wpvulndb.com/vulnerabilities/9127

 | - https://contactform7.com/2018/09/04/contact-form-7-504/

 | - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7

 | - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7

 |

 | Version: 3.7.2 (20% confidence)

 | Detected By: Query Parameter (Passive Detection)

 | - https://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.7.2

 | - https://www.shroffeyecentre.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.7.2




[+] revslider

 | Location: https://www.shroffeyecentre.com/wp-content/plugins/revslider/

 |

 | Detected By: Urls In Homepage (Passive Detection)

 | Confirmed By: Comment (Passive Detection)

 |

 | [!] 2 vulnerabilities identified:

 |

 | [!] Title: WordPress Slider Revolution Local File Disclosure

 | Fixed in: 4.1.5

 | References:

 | - https://wpvulndb.com/vulnerabilities/7540

 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579

 | - https://www.exploit-db.com/exploits/34511/

 | - https://www.exploit-db.com/exploits/36039/

 | - https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

 | - https://packetstormsecurity.com/files/129761/

 |

 | [!] Title: WordPress Slider Revolution Shell Upload

 | Fixed in: 3.0.96

 | References:

 | - https://wpvulndb.com/vulnerabilities/7954

 | - https://www.exploit-db.com/exploits/35385/

 | - https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/

 | - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_revslider_upload_execute

 |

 | Version: 2.3.9 (60% confidence)

 | Detected By: Comment (Passive Detection)

 | - https://www.shroffeyecentre.com/, Match: 'START REVOLUTION SLIDER 2.3.9'




[+] taxonomy-images

 | Location: https://www.shroffeyecentre.com/wp-content/plugins/taxonomy-images/

 | Latest Version: 0.9.6

 | Last Updated: 2017-02-16T08:55:00.000Z

 |

 | Detected By: Urls In Homepage (Passive Detection)

 |

 | The version could not be determined.




[+] wordpress-seo

 | Location: https://www.shroffeyecentre.com/wp-content/plugins/wordpress-seo/

 | Last Updated: 2018-11-06T09:26:00.000Z

 | [!] The version is out of date, the latest version is 9.1

 |

 | Detected By: Comment (Passive Detection)

 |

 | Version: 7.2 (60% confidence)

 | Detected By: Comment (Passive Detection)

 | - https://www.shroffeyecentre.com/, Match: 'optimized with the Yoast SEO plugin v7.2 -'




[+] wp-pagenavi

 | Location: https://www.shroffeyecentre.com/wp-content/plugins/wp-pagenavi/

 | Latest Version: 2.93

 | Last Updated: 2018-09-20T03:11:00.000Z

 |

 | Detected By: Urls In Homepage (Passive Detection)

 |

 

Después de usar el método detallado, WPScan muestra detalles en profundidad de los temas que se utilizan en el sitio web de destino. Muestra las vulnerabilidades en profundidad del objetivo en modo detallado.