WordPress Security

  1. Introduction

There are numerous tools available for checking the security of a WordPress Content Management System (CMS) installation. In the rest of the article we'll focus on WPScan, which does a good job of enumerating a WordPress installation and checking it and its plugins for known security vulnerabilities.

  2. WPScan

WPScan is a WordPress security scanner which can identify known security weaknesses in WordPress installations. WPScan is written in Ruby and requires the gems typhoeus, xml-simple, mime-types, nokogiri and json. To install the dependencies for the current user we need to type in the following:

# gem install --user-install typhoeus
# gem install --user-install xml-simple
# gem install --user-install mime-types
# gem install --user-install nokogiri
# gem install --user-install json

The dependencies provide the functionality described next:

  • typhoeus: allows running HTTP requests in parallel while cleanly encapsulating handling logic.
  • xml-simple: simple API for XML processing.
  • mime-types: allows identification of a file's likely MIME content type based on file's extensions.
  • nokogiri: an HTML, XML, SAX and Reader parser. It also provides a feature to search documents via XPath or CSS3 selectors.
  • json: provides JSON parsing logic.

WPScan itself has no build step; unpack the archive and run wpscan.rb from the extracted directory:

# tar xvzf wpscanteam-wpscan-39d8cdd.tar.gz
# cd wpscanteam-wpscan-39d8cdd

If we're using BackTrack Linux 5, WPScan is already installed in the directory /pentest/web/wpscan/.

The WPScan help page provides us with the following information:

# ruby wpscan.rb -h
____________________________________________________
[ASCII-art banner]                          v1.1r425
WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
Help :
Some values are settable in conf/browser.conf.json :
user-agent, proxy, threads, cache timeout and request timeout
--update Update to the latest revision
--url | -u <target url> The WordPress URL/domain to scan.
--force | -f Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)] Enumeration.

option :
u usernames from id 1 to 10
u[10-20] usernames from id 10 to 20 (you must write [] chars)
p plugins
p! only vulnerable plugins
t timthumbs
Multiple values are allowed : '-e tp' will enumerate timthumbs and
plugins
If no option is supplied, the default is 'tup!'
--follow-redirection If the target url has a redirection, it will be
followed without asking if you wanted to do so or not
--wp-content-dir <wp content dir> WPScan try to find the content
directory (ie wp-content) by scanning the index page, however you can
specified it. Subdirectories are allowed
--wp-plugins-dir <wp plugins dir> Same thing than --wp-content-dir but
for the plugins directory. If not supplied, WPScan will use
wp-content-dir/plugins. Subdirectories are allowed
--proxy Supply a proxy in the format host:port (will override the one
from conf/browser.conf.json)
--wordlist | -w <wordlist> Supply a wordlist for the password bruter
and do the brute.
--threads | -t <number of threads> The number of threads to use when
multi-threading requests. (will override the value from
conf/browser.conf.json)
--username | -U <username> Only brute force the supplied username.
--help | -h This help screen.
--verbose | -v Verbose output.

Before scanning, run --update to make sure we're using the latest revision of WPScan and of the plugin and timthumb lists it checks against:

# ruby wpscan.rb --update

2.1. WPScan features

In this subsection we'll describe the features of WPScan and the appropriate commands we need to run to invoke the desired functionality.

WordPress confirmation

By default wpscan.rb first checks that the target is actually running WordPress; if it isn't, there's no point in running the rest of the tests against it. The --force option skips this check, which is useful when a site hides the usual WordPress markers but you know it's WordPress:

# ruby wpscan.rb --url resources.infosecinstitute.com --force

Username enumeration

We can enumerate users by using the following command:

# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate u --threads 1
| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 22:04:54 2012
[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html'
file exists
[!] Full Path Disclosure (FPD) in
'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator
[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
[+] Enumerating usernames ...
We found the following 10 username/s :
root
keatron
jack
ddalasta
Nick Valenteen
Dan Hestad
Tim Farley
kenneth
dinesh-mistry
Jeremy Martin
[+] Finished at Mon Aug 13 22:05:13 2012

WPScan found 10 usernames (WordPress user IDs 1 to 10), namely: root, keatron, jack, ddalasta, Nick Valenteen, Dan Hestad, Tim Farley, kenneth, dinesh-mistry and Jeremy Martin. These are valid login names, and together with the version and plugin information already reported they are all an attacker needs to start a targeted password attack, which is the next feature.
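As an added example (not part of the original article and not WPScan's own code), here is the mechanism behind that user list in a few lines of Ruby. A stock WordPress install answers /?author=N with a 301 redirect to /author/<user_nicename>/ when user ID N exists, so walking IDs 1 to 10 yields the login slugs. The responses below are constructed fixtures standing in for a real site (the host blog.example and the user slugs are made up); swap fetch_author for a real HTTP client to run it against a site you are authorised to test.

```ruby
require 'uri'

# Constructed responses standing in for what WordPress returns to /?author=N.
# On a default install an existing ID answers 301 to /author/<user_nicename>/;
# a missing ID answers 404. These fixtures are made up for this example.
AUTHOR_RESPONSES = {
  1 => { status: 301, headers: { 'Location' => 'http://blog.example/author/root/' }, body: '' },
  2 => { status: 301, headers: { 'Location' => 'http://blog.example/author/keatron/' }, body: '' },
  # Redirect suppressed (e.g. by a rewrite rule), but the archive page still
  # carries the author-<slug> body class WordPress emits on author pages.
  3 => { status: 200, headers: {}, body: '<body class="archive author author-jack author-3">' },
  4 => { status: 404, headers: {}, body: 'Not found' }
}.freeze

# Stand-in for an HTTP GET of /?author=<id>.
def fetch_author(id)
  AUTHOR_RESPONSES.fetch(id) { { status: 404, headers: {}, body: '' } }
end

# Pull the user slug out of a /?author=N response: first from the redirect
# Location, then from the author-<slug> body class (skipping author-<id>).
def username_from_response(resp)
  loc = resp[:headers]['Location']
  if loc
    m = URI(loc).path.match(%r{/author/([^/]+)/?})
    return m[1] if m
  end
  resp[:body].scan(/\bauthor-([a-z0-9_.\-]+)/i).flatten.find { |s| s !~ /\A\d+\z/ }
end

# Walk a range of user IDs and return {id => slug} for the ones that exist.
def enumerate_users(ids, fetcher = method(:fetch_author))
  ids.each_with_object({}) do |id, found|
    slug = username_from_response(fetcher.call(id))
    found[id] = slug if slug
  end
end

if $PROGRAM_NAME == __FILE__
  enumerate_users(1..10).each { |id, slug| puts "id #{id}: #{slug}" }
end
```

Blocking or rewriting ?author= requests at the web server closes this particular leak, but the slug also appears in the author archive URL and in the body class of author pages, which is why the parser checks both places.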

Weak password cracking

The command used to check the usernames against a wordlist of passwords is as follows:

# echo "admin" >> passwords.txt
# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate u --wordlist passwords.txt --threads 50
| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 21:56:32 2012
[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html'
file exists
[!] Full Path Disclosure (FPD) in
'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator
[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
[+] Enumerating usernames ...
We found the following 10 username/s :
root
keatron
jack
ddalasta
Nick Valenteen
Dan Hestad
Tim Farley
kenneth
dinesh-mistry
Jeremy Martin
[+] Starting the password brute forcer
Brute forcing user 'Jeremy Martin' with 1 passwords... 100% complete..
[+] Finished at Mon Aug 13 21:57:01 2012

WPScan again found the 10 users (root, keatron, jack, ddalasta, Nick Valenteen, Dan Hestad, Tim Farley, kenneth, dinesh-mistry and Jeremy Martin) and then tried the single password admin, which we saved in passwords.txt, against each of them; only the last user appears in the captured output. No login succeeded. That only tells us that none of these accounts uses the literal password admin; it says nothing about the many other weak passwords an attacker would try, so a real assessment needs a proper wordlist, and a production site needs login rate limiting or lockout so that this kind of guessing fails regardless of the list.
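To make the point about what a wordlist run does and doesn't prove, here is an added example in Ruby (not WPScan's code) of the check a login brute forcer performs. WordPress answers a successful wp-login.php post with a 302 to wp-admin and a Set-Cookie for wordpress_logged_in_<hash>; a failure re-renders the form with a login_error div. The fake_login client and its one weak credential (jack / Summer2012) are constructed for this example: with only admin in the list the run reports nothing, although a weak password exists.

```ruby
# Constructed wp-login.php responses; nothing here was captured from the
# article's target. The single weak credential (jack / Summer2012) is made up.
def fake_login(user, password)
  if user == 'jack' && password == 'Summer2012'
    { status: 302,
      headers: { 'Location' => 'http://blog.example/wp-admin/',
                 'Set-Cookie' => 'wordpress_logged_in_a1b2c3=jack%7C1345000000%7Cdeadbeef; path=/' },
      body: '' }
  else
    { status: 200, headers: {},
      body: '<div id="login_error"><strong>ERROR</strong>: Incorrect password.</div>' }
  end
end

# WordPress sets a wordpress_logged_in_<hash> cookie on success and renders
# the login form again with a #login_error div on failure. Checking the cookie
# rather than the status code also survives sites that redirect on failure.
def login_succeeded?(resp)
  cookie = resp[:headers]['Set-Cookie'].to_s
  cookie.include?('wordpress_logged_in_') && !resp[:body].include?('id="login_error"')
end

# Try each password for each user and stop on the first hit per user.
# Returns [hits, attempts] so the caller can see how much was actually tested.
def brute(users, passwords, client = method(:fake_login))
  hits = {}
  attempts = 0
  users.each do |u|
    passwords.each do |p|
      attempts += 1
      if login_succeeded?(client.call(u, p))
        hits[u] = p
        break
      end
    end
  end
  [hits, attempts]
end

if $PROGRAM_NAME == __FILE__
  users = %w[root keatron jack]
  p brute(users, ['admin'])                # one word, as in the article: no hits
  p brute(users, %w[admin Summer2012])     # a slightly longer list finds jack
end
```

The attempts counter is the number that matters when reading a "clean" result: ten users times one password is ten guesses, which is not a password audit.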

Version enumeration

The command used to enumerate the version number of a WordPress installation is:

# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate v --threads 1
| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 22:06:44 2012
[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html'
file exists
[!] Full Path Disclosure (FPD) in
'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator
[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
[+] Finished at Mon Aug 13 22:06:55 2012

The scan reports WordPress version 3.4.1, taken from the meta generator tag. Note that v isn't among the enumeration options on the help screen; version detection is part of every run, which is why the same [!] line appears in all the other listings.

Plugin enumeration

The command used to identify the presence or absence of WordPress plugins is:

# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate p --threads 50
| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 22:10:22 2012
[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html'
file exists
[!] Full Path Disclosure (FPD) in
'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator
[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
[+] Enumerating installed plugins ...
Checking for 2864 total plugins... 100% complete.
[+] We found 7 plugins:
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Directory listing enabled? Yes.
| Name: syntaxhighlighter
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
| Directory listing enabled? Yes.
| Name: searchterms-tagging-2
| Location:
http://resources.infosecinstitute.com/wp-content/plugins/searchterms-tagging-2/
| Directory listing enabled? Yes.
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location:
http://resources.infosecinstitute.com/wp-content/plugins/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Directory listing enabled? Yes.
| Name: wp-super-cache
| Location:
http://resources.infosecinstitute.com/wp-content/plugins/wp-super-cache/
| Directory listing enabled? Yes.
| Name: syntaxhighlighter
| Location:
http://resources.infosecinstitute.com/wp-content/plugins/syntaxhighlighter/
| Directory listing enabled? Yes.
| Name: redirection
| Location:
http://resources.infosecinstitute.com/wp-content/plugins/redirection/
| Directory listing enabled? Yes.
[+] Finished at Mon Aug 13 22:22:55 2012

The active check found 5 distinct plugins: upprev-nytimes-style-next-post-jquery-animated-fly-in-button, syntaxhighlighter, searchterms-tagging-2, wp-super-cache and redirection. The listing says 7 because the two plugins already seen during passive detection are reported twice, once under the $wp-plugins$ placeholder path and once under the resolved wp-content/plugins/ path. Note also that every plugin directory has directory listing enabled, which lets anyone read the plugin's file names and readme.txt, and so its exact version; disable it in the web server (Options -Indexes on Apache) regardless of whether any plugin is currently vulnerable.
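The "[!] WordPress version ... identified from meta generator" line and the two plugins "from passive detection" in every listing above come from parsing the site's own index page before any active probing. As an added illustration (not WPScan's code), this Ruby snippet does that passive fingerprinting over a constructed index page and readme.html fragment modelled on a stock WordPress 3.4.x install; the host blog.example and the asset paths are made up.

```ruby
# Constructed index page and readme.html fragment modelled on what a stock
# WordPress 3.4.x install exposes; host, paths and versions are made up.
INDEX_HTML = <<~HTML
  <html><head>
  <meta name="generator" content="WordPress 3.4.1" />
  <link rel="stylesheet" href="http://blog.example/wp-content/themes/boulevard/style.css?ver=1.0.2" type="text/css" />
  <script src="http://blog.example/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js?ver=3.0.83"></script>
  <script src="http://blog.example/wp-content/plugins/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/js/upprev.js?ver=1"></script>
  <script src="http://blog.example/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js"></script>
  </head><body></body></html>
HTML

README_HTML = <<~HTML
  <h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 3.4.1</h1>
HTML

# Version from the <meta name="generator"> tag WordPress adds to every page.
def version_from_generator(html)
  m = html.match(/<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"/i)
  m && m[1]
end

# Version from the stock readme.html, which prints "Version x.y.z" after a <br />.
def version_from_readme(html)
  m = html.match(%r{<br\s*/?>\s*Version\s+([\d.]+)}i)
  m && m[1]
end

# Theme slug from any wp-content/themes/<slug>/ asset reference.
def theme_from_html(html, content_dir = 'wp-content')
  m = html.match(%r{/#{Regexp.escape(content_dir)}/themes/([^/'"?]+)/})
  m && m[1]
end

# Distinct plugin slugs from wp-content/plugins/<slug>/ asset references.
def plugins_from_html(html, plugins_dir = 'wp-content/plugins')
  html.scan(%r{/#{Regexp.escape(plugins_dir)}/([^/'"?]+)/}).flatten.uniq
end

# Combine the passive checks, preferring the generator tag for the version.
def fingerprint(index_html, readme_html = nil)
  {
    version: version_from_generator(index_html) || (readme_html && version_from_readme(readme_html)),
    theme: theme_from_html(index_html),
    plugins: plugins_from_html(index_html)
  }
end

if $PROGRAM_NAME == __FILE__
  p fingerprint(INDEX_HTML, README_HTML)
end
```

Removing the generator tag (the wp_generator action) and deleting readme.html hides the version from these two checks, but the theme and plugin paths stay in the page source, which is why hiding the version helps little against plugin enumeration.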

Vulnerability enumeration

WPScan also reports known vulnerabilities for the detected WordPress version and for the enumerated plugins. The p! option (part of the default 'tup!' set) lists only plugins with known vulnerabilities, which is what you want on a large site where the full 2864-entry plugin check is slow and noisy.

2.2. The Timthumb Vulnerability

WPScan can also check the wp-content directory for outdated, insecure copies of timthumb.php, an image-resizing script bundled with many themes. TimThumb fetches an image from a remote site on a predefined allow-list, resizes it and caches the result so that WordPress doesn't have to resize and re-serve the image on every request; the cache directory is reachable by normal visitors from the Internet. Older versions validated the remote URL loosely, so a hostname that merely contained an allowed name (for instance a subdomain of an attacker's own domain) passed the check, and the fetched file was written under the web root with an attacker-controlled name. An attacker could therefore make TimThumb download a PHP shell into the DocumentRoot and then open it in a browser, which gives him a web shell to cause further damage to the system.

To check whether the timthumb.php in the WordPress installation is vulnerable we need to input the following command:

# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate t --threads 50
| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 22:32:07 2012
[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html'
file exists
[!] Full Path Disclosure (FPD) in
'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator
[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location:
http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
[+] Enumerating timthumb files ...
Checking for 2419 total timthumb files... 100% complete.
No timthumb files found :(
[+] Finished at Mon Aug 13 22:42:07 2012

WPScan probed 2419 known timthumb.php locations and found none, so there's nothing for this check to report. That doesn't prove the installation is free of TimThumb: a copy under a theme or plugin path that isn't in WPScan's list would be missed, so on a server you administer it's worth searching wp-content for timthumb.php directly as well.

There is also a WordPress plugin called Timthumb Vulnerability Scanner which performs essentially the same check from inside the WordPress installation.
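As an added example (not TimThumb's actual code, and written in Ruby rather than PHP), the checks below put the class of bug described above beside a fixed version. A substring test on the remote URL accepts blogger.com.attacker.example because it contains an allowed name, while parsing the URL and comparing the host exactly or as a proper subdomain rejects it. Naming cached files by content hash and sniffed image type, never by the remote filename, stops a fetched shell.php from landing as executable PHP in the web-accessible cache. The allow-list and URLs are illustrative.

```ruby
require 'uri'
require 'digest'

# Allow-list of hosts the resizer may fetch from. Entries are illustrative.
ALLOWED_SITES = %w[flickr.com picasa.com blogger.com wordpress.com img.youtube.com].freeze

# Vulnerable style of check: a substring test on the whole URL. Any URL that
# merely *contains* an allowed name passes, e.g. http://blogger.com.attacker.example/
# or even an allowed name hidden in the query string.
def allowed_substring?(src)
  ALLOWED_SITES.any? { |site| src.downcase.include?(site) }
end

# Hardened check: parse the URL, require http(s), and compare the host
# exactly or as a subdomain (host ends with ".<site>").
def allowed_host?(src)
  uri = URI.parse(src)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.host.to_s.downcase
  ALLOWED_SITES.any? { |site| host == site || host.end_with?(".#{site}") }
rescue URI::InvalidURIError
  false
end

# Magic bytes for the image types the resizer is willing to cache.
MAGIC = {
  [0xFF, 0xD8, 0xFF].pack('C*')       => 'jpg',
  [0x89, 0x50, 0x4E, 0x47].pack('C*') => 'png',
  'GIF8'.b                            => 'gif'
}.freeze

# Name cache files by content hash and a type derived from the bytes, never
# from the remote filename, so fetched PHP can't land in the cache as .php.
# Returns nil when the content isn't a recognised image.
def cache_filename(bytes)
  ext = MAGIC.find { |sig, _| bytes.b.start_with?(sig) }&.last
  return nil unless ext
  "#{Digest::SHA256.hexdigest(bytes)[0, 16]}.#{ext}"
end

if $PROGRAM_NAME == __FILE__
  evil = 'http://blogger.com.attacker.example/shell.php'
  puts "substring check: #{allowed_substring?(evil)}"   # true, the bypass
  puts "host check:      #{allowed_host?(evil)}"        # false
  puts "cache name for PHP payload: #{cache_filename('<?php echo 1; ?>').inspect}"
end
```

Both fixes are needed: a correct host check alone still trusts an allowed site to serve only images, and the cache naming alone still lets TimThumb act as an open fetch proxy for anyone.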

2.3. Exploit Scanner

Another WordPress plugin called Exploit Scanner is available to download and install. This plugin searches the files and database of our WordPress installation for signs that may indicate that the WordPress was hacked by malicious attackers.

2.4. BlindElephant

BlindElephant is a program that can fingerprint CMS systems. It can detect the CMS type and version and it can fingerprint plugins. The supported CMS systems are: Drupal, Joomla, Liferay, Mediawiki, Moodle, Movabletype, Oscommerce, Phpbb, Phpmyadmin, Phpnuke, Spip, Tikiwiki, Twiki and WordPress. We can see that WordPress is among the supported CMS systems. The command used to fingerprint the WordPress CMS system is the following:

# python BlindElephant.py resources.infosecinstitute.com wordpress

2.5. CMS Explorer

CMS Explorer does a similar job to BlindElephant, and can additionally look up vulnerabilities for what it finds on the OSVDB website. It supports only the following CMS systems: Drupal, WordPress, Joomla and Mambo. The command used to fingerprint a WordPress installation, including its plugins and themes, is the following:

# perl cms-explorer.pl -url resources.infosecinstitute.com -explore -type wordpress -plugins -themes

  3. Conclusion

We've looked at WordPress enumeration and vulnerability scanning techniques, and seen that WPScan covers most of what an attacker would do first: version, theme, user and plugin enumeration, password guessing and the TimThumb check. New vulnerabilities in WordPress core and its plugins appear constantly, so run the scan regularly (after --update) rather than once, and treat a clean run as a snapshot of known issues at that moment, not as a guarantee that the installation is secure.
