https://wpscan.com/wordpress-security-scanner
Source code on GitHub: https://github.com/wpscanteam/wpscan
```
# wpscan --url http://127.0.0.1:8080
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.14
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://127.0.0.1:8080/ [127.0.0.1]
[+] Started: Sat Mar 13 09:41:21 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://127.0.0.1:8080/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://127.0.0.1:8080/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://127.0.0.1:8080/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.5 identified (Insecure, released on 2018-04-03).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://127.0.0.1:8080/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.5'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://127.0.0.1:8080/, Match: 'WordPress 4.9.5'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <===========================================> (22 / 22) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Mar 13 09:41:32 2021
[+] Requests Done: 47
[+] Cached Requests: 4
[+] Data Sent: 11.353 KB
[+] Data Received: 122.766 KB
[+] Memory used: 193.074 MB
[+] Elapsed time: 00:00:11
#
```
Brute force password
```
wpscan --url http://10.10.87.140/wordpress -U elyana -P pass2.txt
...
[!] Valid Combinations Found:
 | Username: elyana, Password: H@ckme@123
...
```
Practice
>>> THM | Badbyte
>>> THM | Wekor
>>> THM | Internal