WordPress is one of the most popular CMSes. So many people use it because it is easy, simple and can be tweaked a lot. But some vulnerabilities come with WordPress through its plugins, themes, etc. Remember that vulnerabilities don't come just from weak software management, but also from weak passwords/authentication.
So there is WPScan. What is WPScan?
WPScan is a vulnerability scanner which checks the security of WordPress installations using a black box approach.
This project is sponsored by the RandomStorm Open Source Initiative.
Some key features :
- Username enumeration (from author querystring and location header)
- Weak password cracking (multithreaded)
- Version enumeration (from generator meta tag and from client side files)
- Vulnerability enumeration (based on version)
- Plugin enumeration (2220 most popular by default)
- Plugin vulnerability enumeration (based on version)
- Plugin enumeration list generation
- Other misc WordPress checks (theme name, dir listing, …)
Even though WPScan comes in Backtrack 5R1 by default, we can install it on almost any Unix/Linux distro.
WPScan can be downloaded from its Google Code project's page, but I think installing from SVN is more 'up to date'.
Software requirement/dependencies :
- ruby (comes by default in most Unix distros, I think :p )
- subversion (for svn-ing)
- some ruby packages : typhoeus and xml-simple
Install dependencies (for Debian and Debian-based distros)
- sudo apt-get install libcurl4-gnutls-dev
- sudo apt-get install libopenssl-ruby
- sudo gem install typhoeus
- sudo gem install xml-simple
For Ubuntu 12.04, also install ruby-nokogiri (credit goes to realloc)
- sudo apt-get install ruby-nokogiri
To install from read-only SVN :
svn checkout http://wpscan.googlecode.com/svn/trunk/ wpscan-read-only
After getting the source through SVN and also the deps, we can use it by just dot-slashing it (running ./wpscan.rb from the checkout).
Some quick usage
For basic enumeration:
./wpscan.rb --url http://www.example.com
For plugin enumeration:
./wpscan.rb --url http://www.example.com --enumerate p
./wpscan.rb --url http://www.example.com --wordlist wordlist.lst --username admin
The command above brute-forces http://www.example.com using admin as the username and the passwords in wordlist.lst as the wordlist/dictionary.
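The enumeration and password-cracking runs described above are noisy on the target's web server, so the other side of this post is spotting them. The following Ruby script is an added example written for this page; it is not part of the original post and not WPScan's own code. It assumes Apache combined-format access logs, WordPress's default behaviour of redirecting /?author=N to /author/<login>/ (the Location header WPScan reads for username enumeration), and POSTs to /wp-login.php for the dictionary attack. The thresholds, the sample log lines and the check on a User-Agent containing "WPScan" (the tool's default User-Agent string, which is assumed here) are all constructed for the example.

```ruby
# Added example (not from the original post or from WPScan): flag clients whose
# access-log activity matches the two WPScan behaviours the post describes,
# username enumeration via ?author=N and a dictionary attack on wp-login.php.
require 'time'
require 'set'

# Apache combined log format, one request per line (assumed format).
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"\z/

AUTHOR_THRESHOLD = 3   # distinct ?author= ids from one IP (constructed threshold)
LOGIN_THRESHOLD  = 5   # POSTs to wp-login.php from one IP inside LOGIN_WINDOW
LOGIN_WINDOW     = 60  # seconds

def parse_line(line)
  m = LOG_RE.match(line.strip)
  return nil unless m
  {
    ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:path],
    status: m[:status].to_i,
    ua: m[:ua],
  }
end

# Returns { ip => [finding, ...] } for every IP with at least one finding.
def detect(lines)
  events = lines.map { |l| parse_line(l) }.compact
  findings = Hash.new { |h, k| h[k] = [] }

  # 1. Author enumeration: a client walking /?author=1, 2, 3 ... collects the
  #    usernames from the 302 Location redirects.
  author_ids = Hash.new { |h, k| h[k] = Set.new }
  events.each do |e|
    next unless e[:method] == 'GET' && (m = e[:path].match(/[?&]author=(\d+)/))
    author_ids[e[:ip]] << m[1].to_i
  end
  author_ids.each do |ip, ids|
    next if ids.size < AUTHOR_THRESHOLD
    findings[ip] << "author enumeration: #{ids.size} distinct ids (#{ids.to_a.sort.join(',')})"
  end

  # 2. Dictionary attack: a burst of POSTs to wp-login.php from one IP,
  #    checked with a sliding time window over the sorted timestamps.
  logins = Hash.new { |h, k| h[k] = [] }
  events.each do |e|
    logins[e[:ip]] << e[:time] if e[:method] == 'POST' && e[:path].start_with?('/wp-login.php')
  end
  logins.each do |ip, times|
    times.sort!
    times.each_with_index do |t0, i|
      count = times[i..-1].count { |t| t - t0 <= LOGIN_WINDOW }
      if count >= LOGIN_THRESHOLD
        findings[ip] << "wp-login.php brute force: #{count} POSTs within #{LOGIN_WINDOW}s"
        break
      end
    end
  end

  # 3. Weak but cheap signal: the tool's default User-Agent names itself
  #    (assumed string; an operator can change it, so treat as a hint only).
  events.each { |e| findings[e[:ip]] << 'WPScan user-agent' if e[:ua] =~ /wpscan/i }

  findings.transform_values(&:uniq)
end

# Constructed sample log: one scanning client, one ordinary visitor, one static asset.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 302 - "-" "WPScan v2.0"
  203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /?author=2 HTTP/1.1" 302 - "-" "WPScan v2.0"
  203.0.113.5 - - [10/Oct/2012:13:55:37 +0000] "GET /?author=3 HTTP/1.1" 404 - "-" "WPScan v2.0"
  203.0.113.5 - - [10/Oct/2012:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 - "-" "WPScan v2.0"
  203.0.113.5 - - [10/Oct/2012:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 - "-" "WPScan v2.0"
  203.0.113.5 - - [10/Oct/2012:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 - "-" "WPScan v2.0"
  203.0.113.5 - - [10/Oct/2012:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 - "-" "WPScan v2.0"
  203.0.113.5 - - [10/Oct/2012:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 - "-" "WPScan v2.0"
  198.51.100.7 - - [10/Oct/2012:14:01:02 +0000] "GET /?author=1 HTTP/1.1" 302 - "-" "Mozilla/5.0"
  198.51.100.7 - - [10/Oct/2012:14:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
  192.0.2.9 - - [10/Oct/2012:14:02:00 +0000] "GET /wp-content/themes/twentyeleven/style.css HTTP/1.1" 200 1234 "http://www.example.com/" "Mozilla/5.0"
LOG

if $PROGRAM_NAME == __FILE__
  detect(SAMPLE_LOG.lines).each do |ip, list|
    puts ip
    list.each { |f| puts "  - #{f}" }
  end
end
```

Run it as `ruby detect_wpscan.rb`, or feed a real log with `detect(File.readlines('access.log'))`. The author-id check is the most reliable of the three signals because a normal visitor rarely requests several different ?author= values; the login-burst check needs a threshold tuned to your site, and the User-Agent match is only a hint. Disabling author archives or rate-limiting wp-login.php addresses the same two behaviours on the server side.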