There are numerous tools available for checking the security of the WordPress Content Management System (CMS). In the rest of the article we’ll cover the WPScan tool, which does a great job of scanning a WordPress installation and its plugins for security vulnerabilities.

2. WPScan

WPScan is a WordPress security scanner which can identify known security weaknesses in WordPress CMS systems. WPScan is written in Ruby and requires some dependencies, namely typhoeus, xml-simple, mime-types, nokogiri and json. To install the dependencies we need to type in the following:

gem install --user-install typhoeus

gem install --user-install xml-simple

gem install --user-install mime-types

gem install --user-install nokogiri

gem install --user-install json

The dependencies provide the functionality described next:

typhoeus: allows running HTTP requests in parallel while cleanly encapsulating handling logic.

xml-simple: a simple API for XML processing.

mime-types: allows identification of a file’s likely MIME content type based on the file’s extension.

nokogiri: an HTML, XML, SAX and Reader parser. It also provides a feature to search documents via XPath or CSS3 selectors.

json: provides JSON parsing logic.

To install WPScan we need to type in the following:

tar xvzf wpscanteam-wpscan-39d8cdd.tar.gz

cd wpscanteam-wpscan-39d8cdd

If we’re using Backtrack Linux version 5, WPScan is already installed and present in the directory /pentest/web/wpscan/. The WPScan help page provides us with the following information:

ruby wpscan.rb -h



v1.1r425
WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative


Help :

Some values are settable in conf/browser.conf.json :
  user-agent, proxy, threads, cache timeout and request timeout

--update   Update to the latest revision
--url | -u   The WordPress URL/domain to scan.
--force | -f   Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)]   Enumeration.
  option :
    u          usernames from id 1 to 10
    u[10-20]   usernames from id 10 to 20 (you must write [] chars)
    p          plugins
    p!         only vulnerable plugins
    t          timthumbs
  Multiple values are allowed : '-e tp' will enumerate timthumbs and plugins
  If no option is supplied, the default is 'tup!'
--follow-redirection   If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--wp-content-dir   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
--wp-plugins-dir   Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy   Supply a proxy in the format host:port (will override the one from conf/browser.conf.json)
--wordlist | -w   Supply a wordlist for the password bruter and do the brute.
--threads | -t   The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
--username | -U   Only brute force the supplied username.
--help | -h   This help screen.
--verbose | -v   Verbose output.

It’s best to first run the --update command to make sure that we’re using the latest version of WPScan:

ruby wpscan.rb --update

2.1. WPScan features

In this subsection we’ll describe the features of WPScan and the commands we need to run to invoke the desired functionality.

WordPress Confirmation

This is the default behavior: the check is performed automatically whenever we run the wpscan.rb script. If the target website isn’t running WordPress, there’s no point in running a number of tests against it. To disable this feature we can use the --force option when running the wpscan.rb script, like this:

ruby wpscan.rb --url resources.infosecinstitute.com --force

Username enumeration

We can enumerate users by using the following command:

ruby wpscan.rb --url resources.infosecinstitute.com --enumerate u --threads 1





| URL: https://resources.infosecinstitute.com
| Started on Mon Aug 13 22:04:54 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'https://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'https://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: https://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: https://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Enumerating usernames ...
We found the following 10 username/s :
root
keatron
jack
ddalasta
Nick Valenteen
Dan Hestad
Tim Farley
kenneth
dinesh-mistry
Jeremy Martin

[+] Finished at Mon Aug 13 22:05:13 2012

WPScan found 10 usernames, namely: root, keatron, jack, ddalasta, Nick Valenteen, Dan Hestad, Tim Farley, kenneth, dinesh-mistry and Jeremy Martin.

Weak password cracking

The command used to check the usernames against a wordlist of passwords is as follows:

echo "admin" >> passwords.txt

ruby wpscan.rb --url resources.infosecinstitute.com --enumerate u --wordlist passwords.txt --threads 50





| URL: https://resources.infosecinstitute.com
| Started on Mon Aug 13 21:56:32 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'https://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'https://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: https://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: https://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Enumerating usernames ...
We found the following 10 username/s :
root
keatron
jack
ddalasta
Nick Valenteen
Dan Hestad
Tim Farley
kenneth
dinesh-mistry
Jeremy Martin

[+] Starting the password brute forcer
Brute forcing user 'Jeremy Martin' with 1 passwords... 100% complete..

[+] Finished at Mon Aug 13 21:57:01 2012

We can see that WPScan found 10 users: root, keatron, jack, ddalasta, Nick Valenteen, Dan Hestad, Tim Farley, kenneth, dinesh-mistry and Jeremy Martin, and tried to log in with the password admin that we previously saved in the file passwords.txt. This file is used as the input file that specifies the passwords to be checked. We can also see that the scan finished without detecting a weak password, which means the WordPress installation is secure as far as the weak passwords in our wordlist are concerned.

Version enumeration

The command used to enumerate the version number of a WordPress installation is:

ruby wpscan.rb --url resources.infosecinstitute.com --enumerate v --threads 1





| URL: https://resources.infosecinstitute.com
| Started on Mon Aug 13 22:06:44 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'https://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'https://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: https://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: https://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Finished at Mon Aug 13 22:06:55 2012

The scan completed and found WordPress version 3.4.1.

Plugin enumeration

The command that can identify the presence or absence of WordPress plugins is presented here:

ruby wpscan.rb --url resources.infosecinstitute.com --enumerate p --threads 50





| URL: https://resources.infosecinstitute.com
| Started on Mon Aug 13 22:10:22 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'https://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'https://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: https://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: https://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Enumerating installed plugins ...
Checking for 2864 total plugins... 100% complete.

[+] We found 7 plugins:
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: https://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Directory listing enabled? Yes.
| Name: syntaxhighlighter
| Location: https://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
| Directory listing enabled? Yes.
| Name: searchterms-tagging-2
| Location: https://resources.infosecinstitute.com/wp-content/plugins/searchterms-tagging-2/
| Directory listing enabled? Yes.
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: https://resources.infosecinstitute.com/wp-content/plugins/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Directory listing enabled? Yes.
| Name: wp-super-cache
| Location: https://resources.infosecinstitute.com/wp-content/plugins/wp-super-cache/
| Directory listing enabled? Yes.
| Name: syntaxhighlighter
| Location: https://resources.infosecinstitute.com/wp-content/plugins/syntaxhighlighter/
| Directory listing enabled? Yes.
| Name: redirection
| Location: https://resources.infosecinstitute.com/wp-content/plugins/redirection/
| Directory listing enabled? Yes.

[+] Finished at Mon Aug 13 22:22:55 2012

We can see that WPScan actually found 5 different plugins, namely upprev-nytimes-style-next-post-jquery-animated-fly-in-button, syntaxhighlighter, searchterms-tagging-2, wp-super-cache and redirection.
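The report above lists seven entries but only five distinct plugins, because the same plugin is reported under more than one location. The following Ruby sketch is an added example, not WPScan code or code from the original article: it groups the entries of the "installed plugins" section by plugin name and records whether directory listing is enabled. SAMPLE is an abridged excerpt constructed from the report above, and summarise_plugins is a hypothetical helper name.

```ruby
# Added example (not WPScan code): summarise the "installed plugins" section
# of a WPScan v1.1 text report. SAMPLE is abridged from the report above.
SAMPLE = <<~'REPORT'
  [+] Enumerating plugins from passive detection ...
  | Name: syntaxhighlighter
  | Location: https://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
  [+] Enumerating installed plugins ...
  | Name: syntaxhighlighter
  | Location: https://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
  | Directory listing enabled? Yes.
  | Name: wp-super-cache
  | Location: https://resources.infosecinstitute.com/wp-content/plugins/wp-super-cache/
  | Directory listing enabled? Yes.
  | Name: syntaxhighlighter
  | Location: https://resources.infosecinstitute.com/wp-content/plugins/syntaxhighlighter/
  | Directory listing enabled? Yes.
  [+] Finished at Mon Aug 13 22:22:55 2012
REPORT

# Returns { plugin name => { locations: [...], listing: true/false } }.
def summarise_plugins(report)
  plugins = Hash.new { |h, k| h[k] = { locations: [], listing: false } }
  current = nil
  in_section = false
  report.each_line do |line|
    case line.strip
    when /\A\[\+\] Enumerating installed plugins/ then in_section = true
    when /\A\[\+\] (Enumerating|Finished)/ then in_section = false
    when /\A\| Name: (.+)\z/
      # Entries outside the section (passive detection) are ignored.
      current = in_section ? plugins[$1] : nil
    when /\A\| Location: (\S+)\z/
      current[:locations] |= [$1] if current
    when /\A\| Directory listing enabled\? (Yes|No)/
      current[:listing] ||= ($1 == "Yes") if current
    end
  end
  plugins
end

if __FILE__ == $0
  summarise_plugins(SAMPLE).each do |name, info|
    puts "#{name}: #{info[:locations].size} location(s), listing=#{info[:listing]}"
  end
end
```

Every plugin directory in the report answers "Directory listing enabled? Yes.", so on the server side the summary doubles as a list of directories where listing should be switched off.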

Vulnerability enumeration

Plugin vulnerability enumeration

2.2. The Timthumb Vulnerability

WPScan also has an option to scan the entire wp-content directory for instances of any outdated and insecure version of the timthumb.php script, which enables us to load images from a predefined set of remote websites for resizing and serving. It provides a caching mechanism, so that WordPress doesn’t have to constantly resize and re-serve images. The cache directory is accessible by normal visitors from the Internet. The timthumb.php script simply gets a remote file and places it in a root directory accessible to the World Wide Web. An attacker can persuade the WordPress CMS system to download a PHP shell into the DocumentRoot and access it via a web browser. This effectively gives the attacker a web shell, which he can use to cause further damage to the system. To check whether the timthumb.php in the WordPress installation is vulnerable we need to input the following command:

ruby wpscan.rb --url resources.infosecinstitute.com --enumerate t --threads 50





| URL: https://resources.infosecinstitute.com
| Started on Mon Aug 13 22:32:07 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'https://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'https://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: https://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: https://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Enumerating timthumb files ...
Checking for 2419 total timthumb files... 100% complete.
No timthumb files found :(

[+] Finished at Mon Aug 13 22:42:07 2012

We can see that WPScan didn’t find any vulnerable timthumb files, which makes the WordPress installation secure against this vulnerability. There is also a WordPress plugin called Timthumb Vulnerability Scanner accessible at Timthumb which can be used to basically do the same thing.

2.3. Exploit Scanner

Another WordPress plugin called Exploit Scanner is available to download and install. This plugin searches the files and database of our WordPress installation for signs that may indicate that the installation was hacked by malicious attackers.

2.4. BlindElephant

BlindElephant is a program that can fingerprint CMS systems. It can detect the CMS type and version and it can fingerprint plugins. The supported CMS systems are: Drupal, Joomla, Liferay, Mediawiki, Moodle, Movabletype, Oscommerce, Phpbb, Phpmyadmin, Phpnuke, Spip, Tikiwiki, Twiki and WordPress. We can see that WordPress is among the supported CMS systems. The command used to fingerprint the WordPress CMS system is the following:

python BlindElephant.py resources.infosecinstitute.com wordpress

2.5. CMS Explorer

CMS Explorer is basically the same as BlindElephant, but it also supports a feature that is able to search for vulnerabilities on the OSVDB website. CMS Explorer supports only the following CMS systems: Drupal, WordPress, Joomla and Mambo. The command used to fingerprint the WordPress CMS system is the following:

perl cms-explorer.pl -url resources.infosecinstitute.com -explore -type wordpress -plugins -themes

3. Conclusion

We’ve looked at WordPress enumeration and vulnerability scanning techniques. We’ve also seen that the WPScan tool can be used to find most vulnerabilities in an already running WordPress installation. We need to run the tool on a regular basis to be sure that our WordPress installation is still secure.
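
From the defender's side, the username enumeration and password checks from section 2.1 can be spotted in the web server's access log. The following Ruby example is added here and is not part of the original article or of WPScan; it assumes a common/combined-format access log, that enumeration appears as GET /?author=<id> requests, and that a failed login is a POST to /wp-login.php answered with status 200. The log lines, the thresholds and the name suspicious_clients are constructed for illustration.

```ruby
# Added example (not part of WPScan): find clients in a web access log whose
# requests look like the username enumeration and password checks of 2.1.
# Assumptions: enumeration = GET /?author=<id>; failed login = POST
# /wp-login.php with status 200. LOG is constructed sample data.
LOG = <<~'SAMPLE'
  198.51.100.7 - - [13/Aug/2012:22:04:55 +0000] "GET /?author=1 HTTP/1.1" 301 0
  198.51.100.7 - - [13/Aug/2012:22:04:56 +0000] "GET /?author=2 HTTP/1.1" 301 0
  198.51.100.7 - - [13/Aug/2012:22:04:57 +0000] "GET /?author=3 HTTP/1.1" 301 0
  198.51.100.7 - - [13/Aug/2012:22:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2510
  198.51.100.7 - - [13/Aug/2012:22:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2510
  198.51.100.7 - - [13/Aug/2012:22:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2510
  203.0.113.20 - - [13/Aug/2012:22:06:10 +0000] "GET /?author=2 HTTP/1.1" 301 0
  203.0.113.20 - - [13/Aug/2012:22:07:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
SAMPLE

# client, identd, user, [time], "METHOD PATH PROTO", status
REQUEST = /\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/

# Returns { client IP => [reasons] }. Counts cover the whole input, so feed
# it one time window (for example one hour of log) per call.
def suspicious_clients(log, min_ids: 3, min_failures: 3)
  stats = Hash.new { |h, k| h[k] = { ids: [], failures: 0 } }
  log.each_line do |line|
    m = REQUEST.match(line) or next
    ip, verb, path, status = m[1], m[2], m[3], m[4]
    if verb == "GET" && path =~ /[?&]author=(\d+)/
      stats[ip][:ids] |= [$1.to_i]            # distinct author ids probed
    elsif verb == "POST" && path.start_with?("/wp-login.php") && status == "200"
      stats[ip][:failures] += 1               # login form shown again
    end
  end
  stats.each_with_object({}) do |(ip, s), out|
    reasons = []
    reasons << :user_enumeration if s[:ids].size >= min_ids
    reasons << :password_guessing if s[:failures] >= min_failures
    out[ip] = reasons unless reasons.empty?
  end
end

p suspicious_clients(LOG) if __FILE__ == $0
```

The second client in the sample views one author page and logs in successfully once, so it stays below both thresholds and is not reported.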