WPScan – Black Box WordPress Vulnerability Scanner

WPScan is a black box WordPress vulnerability scanner, free for non-commercial use, written for security professionals and blog maintainers to test the security of their sites.

Wpscan Installation

Prerequisites

  • (Optional but highly recommended: RVM)
  • Ruby >= 2.3 – Recommended: latest
    • Ruby 2.5.0 to 2.5.3 can cause an 'undefined symbol: rmpd_util_str_to_d' error on some systems, see #1283
  • Curl >= 7.21 – Recommended: latest
    • Version 7.29 has a segfault
  • RubyGems – Recommended: latest

From RubyGems (Recommended)

gem install wpscan

On macOS, if a Gem::FilePermissionError is raised because of Apple's System Integrity Protection (SIP), either install RVM and run the install again, or run sudo gem install -n /usr/local/bin wpscan

From sources (NOT Recommended)

Prerequisites: Git

git clone https://github.com/wpscanteam/wpscan
cd wpscan/
bundle install && rake install

Updating

You can update the local vulnerability database with wpscan --update

Updating WPScan itself is done either with gem update wpscan or through the package manager (this matters for distributions such as Kali Linux: apt-get update && apt-get upgrade), depending on how it was (pre)installed.

Docker

Pull the image with docker pull wpscanteam/wpscan

Enumerating usernames

docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u

Enumerating a range of usernames

docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u1-100

Replace u1-100 with a range of your choice.


Wpscan Usage

wpscan --url blog.tld

This scans the blog with the default options, a good compromise between speed and accuracy. For example, plugins are detected passively, but their versions with a mixed detection mode (passive + aggressive).

Potential config backup files are also checked, along with other interesting findings. If a more stealthy approach is required, wpscan --stealthy --url blog.tld can be used. Note that when using the --enumerate option, don't forget to set --plugins-detection accordingly, as its default is 'passive'.

For more options, open a terminal and type wpscan --help (if you built wpscan from source, run the command outside of the git repo)

The DB is located at ~/.wpscan/db

WPScan can load all options (including --url) from configuration files; the following locations are checked, first to last:

  • ~/.wpscan/cli_options.json
  • ~/.wpscan/cli_options.yml
  • pwd/.wpscan/cli_options.json
  • pwd/.wpscan/cli_options.yml

If those files exist, the options in them are loaded; an option found in more than one file takes its value from the last file loaded.

e.g:

~/.wpscan/cli_options.yml:

proxy: 'http://127.0.0.1:8080'
verbose: true

pwd/.wpscan/cli_options.yml:

proxy: 'socks5://127.0.0.1:9090'
url: 'http://target.tld'

Running wpscan from that directory (pwd) is then the same as wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld
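The merge semantics described above (home directory first, then the working directory, JSON before YAML, later files overriding earlier ones) are easy to get wrong when a proxy in one file silently replaces the one in another. The following Ruby script is an added example, not WPScan's own option loader; it reproduces the two files from the text in a temporary directory, merges them in the documented order and renders the result as the equivalent command line. The option-file names and search order are taken from the text; the argv rendering (--verbose instead of the -v short form) is this example's own choice.

```ruby
require 'json'
require 'yaml'
require 'tmpdir'
require 'fileutils'

# Candidate option files, first to last. A key found in a later file
# overrides the same key loaded from an earlier one.
def option_file_candidates(home, pwd)
  [home, pwd].flat_map do |dir|
    %w[cli_options.json cli_options.yml].map { |name| File.join(dir, '.wpscan', name) }
  end
end

# Parse one file by extension. Keys are normalised to symbols so that
# "proxy" in JSON and proxy: in YAML merge into the same option.
def load_option_file(path)
  raw  = File.read(path)
  data = path.end_with?('.json') ? JSON.parse(raw) : YAML.safe_load(raw)
  (data || {}).transform_keys(&:to_sym)
end

# Merge every existing candidate file in order and return the effective options.
def load_cli_options(home:, pwd:)
  option_file_candidates(home, pwd).each_with_object({}) do |path, opts|
    next unless File.file?(path)

    opts.merge!(load_option_file(path))
  end
end

# Render the merged hash as the equivalent wpscan command-line flags.
# Boolean true becomes a bare flag (--verbose), anything else gets a value.
def options_to_argv(opts)
  opts.flat_map do |key, value|
    flag = "--#{key.to_s.tr('_', '-')}"
    value == true ? [flag] : [flag, value.to_s]
  end
end

# Constructed demo: recreate the two YAML files from the text in a temp dir
# (standing in for ~/.wpscan and pwd/.wpscan) and merge them.
def demo
  Dir.mktmpdir do |root|
    home = File.join(root, 'home')
    pwd  = File.join(root, 'project')
    FileUtils.mkdir_p(File.join(home, '.wpscan'))
    FileUtils.mkdir_p(File.join(pwd, '.wpscan'))
    File.write(File.join(home, '.wpscan', 'cli_options.yml'),
               "proxy: 'http://127.0.0.1:8080'\nverbose: true\n")
    File.write(File.join(pwd, '.wpscan', 'cli_options.yml'),
               "proxy: 'socks5://127.0.0.1:9090'\nurl: 'http://target.tld'\n")
    load_cli_options(home: home, pwd: pwd)
  end
end

puts "wpscan #{options_to_argv(demo).join(' ')}" if $PROGRAM_NAME == __FILE__
```

Running it prints the merged command line; the proxy from the working-directory file wins because that file is loaded last, which is exactly why a forgotten pwd/.wpscan/cli_options.yml can route a scan through the wrong proxy.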

Enumerating usernames

wpscan --url https://target.tld/ --enumerate u

Enumerating a range of usernames

wpscan --url https://target.tld/ --enumerate u1-100

Replace u1-100 with a range of your choice.
