2017-02-18 22:31:11 +00:00
|
|
|
|
# Wordpresscan
|
2018-07-29 16:58:46 +00:00
|
|
|
|
A simple Wordpress scanner written in python based on the work of WPScan (Ruby version), some features are inspired by WPSeku.
|
2017-02-18 22:31:11 +00:00
|
|
|
|
|
2017-02-25 00:36:59 +00:00
|
|
|
|
## Disclaimer
|
|
|
|
|
```
|
2018-07-29 16:58:46 +00:00
|
|
|
|
The authors of this github are not responsible for misuse or for any damage that you may cause!
|
2017-02-25 00:36:59 +00:00
|
|
|
|
You agree that you use this software at your own risk.
|
|
|
|
|
```
|
|
|
|
|
|
2017-02-25 22:48:28 +00:00
|
|
|
|
|
2017-02-18 22:31:11 +00:00
|
|
|
|
## Install & Launch
|
2017-03-03 13:24:07 +00:00
|
|
|
|
|
2017-03-03 13:25:06 +00:00
|
|
|
|
Install
|
2017-02-23 11:00:48 +00:00
|
|
|
|
```bash
|
2017-02-18 22:31:11 +00:00
|
|
|
|
git clone https://github.com/swisskyrepo/Wordpresscan.git
|
|
|
|
|
cd Wordpresscan
|
2017-06-10 18:58:40 +00:00
|
|
|
|
```
|
|
|
|
|
|
2017-10-14 21:44:10 +00:00
|
|
|
|
Virtualenv
|
2018-07-29 16:58:46 +00:00
|
|
|
|
```bash
|
2017-10-14 21:44:10 +00:00
|
|
|
|
virtualenv .venv -p /usr/bin/python2.7
|
|
|
|
|
source .venv/bin/activate
|
|
|
|
|
pip install -r requirements.txt
|
|
|
|
|
```
|
|
|
|
|
|
2018-07-29 16:58:46 +00:00
|
|
|
|
## Examples
|
|
|
|
|
### Example 1 : Basic update and scan of a wordpress
|
2018-07-29 17:29:18 +00:00
|
|
|
|
```powershell
|
2019-04-11 08:32:12 +00:00
|
|
|
|
python wordpresscan.py -u "http://localhost/wordpress" --update --random-agent
|
2017-03-03 13:27:54 +00:00
|
|
|
|
|
2017-02-27 14:50:11 +00:00
|
|
|
|
-u : Url of the WordPress
|
|
|
|
|
--update : Update the wpscan database
|
|
|
|
|
--aggressive : Launch an aggressive version to scan for plugins/themes
|
2017-03-05 15:58:15 +00:00
|
|
|
|
--random-agent : Use a random user-agent for this session
|
2017-02-25 00:36:59 +00:00
|
|
|
|
```
|
|
|
|
|
|
2018-07-29 16:58:46 +00:00
|
|
|
|
### Example 2 : Basic bruteforce (option --brute, option --nocheck)
|
2017-10-14 20:13:29 +00:00
|
|
|
|
* bruteforce customs usernames
|
2018-07-29 17:29:18 +00:00
|
|
|
|
```powershell
|
2019-04-11 08:32:12 +00:00
|
|
|
|
python wordpresscan.py -u "http://127.0.0.1/wordpress/" --brute --usernames "admin,guest" --passwords-list fuzz/wordlist.lst
|
2017-10-14 20:13:29 +00:00
|
|
|
|
```
|
|
|
|
|
* bruteforce with usernames list
|
2018-07-29 17:29:18 +00:00
|
|
|
|
```powershell
|
2019-04-11 08:32:12 +00:00
|
|
|
|
python wordpresscan.py -u "http://127.0.0.1/wordpress/" --brute --users-list fuzz/wordlist.lst --passwords-list fuzz/wordlist.lst
|
2017-10-14 20:13:29 +00:00
|
|
|
|
```
|
|
|
|
|
* bruteforce detected users
|
|
|
|
|
```
|
2019-04-11 08:32:12 +00:00
|
|
|
|
python wordpresscan.py -u "http://127.0.0.1/wordpress/" --brute --passwords-list fuzz/wordlist.lst
|
2017-06-10 18:58:40 +00:00
|
|
|
|
```
|
2017-06-11 12:38:46 +00:00
|
|
|
|
|
|
|
|
|
|
2018-07-29 17:29:18 +00:00
|
|
|
|
```powershell
|
2017-06-11 12:38:46 +00:00
|
|
|
|
╭─ 👻 swissky@crashlab: ~/Github/Wordpresscan ‹master*›
|
2017-10-14 20:18:39 +00:00
|
|
|
|
╰─$ python main.py -u "http://127.0.0.1/wordpress/" --brute --users-list fuzz/wordlist.lst --passwords-list fuzz/wordlist.lst --nocheck
|
2017-06-11 12:38:46 +00:00
|
|
|
|
_______________________________________________________________
|
|
|
|
|
_ _ _
|
|
|
|
|
| | | | | |
|
|
|
|
|
| | | | ___ _ __ __| |_ __ _ __ ___ ___ ___ ___ __ _ _ __
|
|
|
|
|
| |/\| |/ _ \| '__/ _` | '_ \| '__/ _ \/ __/ __|/ __/ _` | '_ \
|
|
|
|
|
\ /\ / (_) | | | (_| | |_) | | | __/\__ \__ \ (_| (_| | | | |
|
|
|
|
|
\/ \/ \___/|_| \__,_| .__/|_| \___||___/___/\___\__,_|_| |_|
|
|
|
|
|
| |
|
|
|
|
|
|_|
|
|
|
|
|
WordPress scanner based on wpscan work - @pentest_swissky
|
|
|
|
|
_______________________________________________________________
|
|
|
|
|
[+] URL: http://127.0.0.1/wordpress/
|
|
|
|
|
|
|
|
|
|
[!] The Wordpress 'http://127.0.0.1/wordpress/readme.html' file exposing a version number: 4.4.7
|
|
|
|
|
[i] Uploads directory has directory listing enabled : http://127.0.0.1/wordpress/wp-content/uploads/
|
|
|
|
|
[i] Includes directory has directory listing enabled : http://127.0.0.1/wordpress/wp-includes/
|
|
|
|
|
|
|
|
|
|
[i] Bruteforcing all users
|
|
|
|
|
[+] User found admin
|
|
|
|
|
[+] Starting passwords bruteforce for admin
|
|
|
|
|
Bruteforcing - ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
|
2017-06-10 18:58:40 +00:00
|
|
|
|
```
|
|
|
|
|
|
2018-07-29 16:58:46 +00:00
|
|
|
|
### Example 3 : Thinking is overrated, this is aggressive, mostly not advised!
|
2018-07-29 17:29:18 +00:00
|
|
|
|
```powershell
|
2019-04-11 08:32:12 +00:00
|
|
|
|
python wordpresscan.py -u "http://127.0.0.1/wordpress/" --fuzz
|
2017-06-10 18:58:40 +00:00
|
|
|
|
|
|
|
|
|
[i] Enumerating components from aggressive fuzzing ...
|
|
|
|
|
[i] File: http://127.0.0.1/wordpress/license.txt - found
|
|
|
|
|
[i] File: http://127.0.0.1/wordpress/readme.html - found
|
|
|
|
|
[i] File: http://127.0.0.1/wordpress/wp-admin/admin-footer.php - found
|
|
|
|
|
[i] File: http://127.0.0.1/wordpress/wp-admin/css/ - found
|
|
|
|
|
[i] File: http://127.0.0.1/wordpress/wp-admin/admin-ajax.php - found
|
|
|
|
|
[i] File: http://127.0.0.1/wordpress/wp-activate.php - found
|
|
|
|
|
--fuzz : Will fuzz the website in order to detect as much file, themes and plugins as possible
|
|
|
|
|
```
|
|
|
|
|
|
2017-02-25 22:54:00 +00:00
|
|
|
|
## Output example from a test environment
|
|
|
|
|
![alt tag](https://github.com/swisskyrepo/Wordpresscan/blob/master/screens/Version%204.4.7.png?raw=true)
|
|
|
|
|
|
2018-07-29 16:58:46 +00:00
|
|
|
|
## Deploy a test environment
|
|
|
|
|
```bash
|
|
|
|
|
docker-compose -f wordpress_compose.yml up -d
|
|
|
|
|
```
|
|
|
|
|
To enable `wp-json` api you need to change "Permalink" to anything but "simple" in the settings.
|
2017-02-25 22:54:00 +00:00
|
|
|
|
|
2017-08-31 11:57:05 +00:00
|
|
|
|
## Credits and Contributors
|
2017-06-10 18:58:40 +00:00
|
|
|
|
* Original idea and script from [WPScan Team](https://wpscan.org/)
|
2017-07-30 15:51:40 +00:00
|
|
|
|
* Many PR and bugfixes from [bl4de](https://github.com/bl4de)
|