{"id":17440,"date":"2021-09-18T08:40:48","date_gmt":"2021-09-18T06:40:48","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=17440"},"modified":"2024-04-26T18:11:50","modified_gmt":"2024-04-26T16:11:50","slug":"wordpress-auf-sicherheitsluecken-ueberpruefen-mit-wpscan-auf-einem-raspberry-pi-unter-debian-es-muss-nicht-immer-kali-sein","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=17440","title":{"rendered":"Checking WordPress for security vulnerabilities with WPScan on a Raspberry Pi under Debian &#8211; it does not always have to be Kali, and &#8220;I Still Have Faith In You&#8221;"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/09\/wpscan.png\" alt=\"\" width=\"1416\" height=\"900\" class=\"aligncenter size-full wp-image-17441\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/09\/wpscan.png 1416w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/09\/wpscan-300x191.png 300w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/09\/wpscan-1024x651.png 1024w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/09\/wpscan-768x488.png 768w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>Millions of websites run on WordPress, which with roughly 62% market share is number one in the CMS world. 6 years ago I already reported <a href=\"http:\/\/blog.wenzlaff.de\/?p=5835\" rel=\"noopener\" target=\"_blank\">here<\/a> how <a href=\"https:\/\/wpscan.com\/\" rel=\"noopener\" target=\"_blank\">WPScan<\/a> can be used with Kali Linux, where it comes preinstalled. But it can also be installed and run on Debian Linux on a Raspberry Pi. <\/p>\n<p>Here is an example on a Pi Zero. There is no package for wpscan. 
But it runs on Ruby, which is easy to install.<\/p>\n<p>So anyone running WordPress could check their own (and only their own!) installation for vulnerabilities, and not only that. WPScan is <strong>free<\/strong> software that identifies the security-relevant problems on a WordPress site. Among other things, WPScan can:<\/p>\n<ul>\n<li>Output the WP version in use<\/li>\n<li>List all installed plugins<\/li>\n<li>List all installed themes<\/li>\n<li>Directory listing<\/li>\n<li>WP version output<\/li>\n<li>Brute-force usernames, list all users<\/li>\n<li>Search for forgotten backups<\/li>\n<li>DB dumps<\/li>\n<li>List media files<\/li>\n<li>Output vulnerabilities<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<p>The installation takes about 1 hour and goes as follows:<\/p>\n<p><!--more--><\/p>\n<pre class=\"lang:default decode:true \" >\r\n\r\nsudo apt update\r\nsudo apt upgrade\r\n# install all required dependencies and ruby\r\nsudo apt install build-essential libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev  libgmp-dev zlib1g-dev ruby\r\n\r\n# install wpscan with gem\r\nsudo gem install wpscan\r\n\r\n# and one more update to get the latest version 3.8.18\r\nwpscan --update\r\n\r\n# check: print all commands\r\nwpscan --help\r\n<\/pre>\n<p>Result:<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >\r\n_______________________________________________________________\r\n         __          _______   _____\r\n         \\ \\        \/ \/  __ \\ \/ ____|\r\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\r\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | '_ \\\r\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\r\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\r\n\r\n         WordPress Security Scanner by the 
WPScan Team\r\n                         Version 3.8.18\r\n       Sponsored by Automattic - https:\/\/automattic.com\/\r\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\r\n_______________________________________________________________\r\n\r\nUsage: wpscan [options]\r\n        --url URL                                 The URL of the blog to scan\r\n                                                  Allowed Protocols: http, https\r\n                                                  Default Protocol if none provided: http\r\n                                                  This option is mandatory unless update or help or hh or version is\/are supplied\r\n    -h, --help                                    Display the simple help and exit\r\n        --hh                                      Display the full help and exit\r\n        --version                                 Display the version and exit\r\n        --ignore-main-redirect                    Ignore the main redirect (if any) and scan the target url\r\n    -v, --verbose                                 Verbose mode\r\n        --[no-]banner                             Whether or not to display the banner\r\n                                                  Default: true\r\n        --max-scan-duration SECONDS               Abort the scan if it exceeds the time provided in seconds\r\n    -o, --output FILE                             Output to FILE\r\n    -f, --format FORMAT                           Output results in the format supplied\r\n                                                  Available choices: cli-no-color, cli, json, cli-no-colour\r\n        --detection-mode MODE                     Default: mixed\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --scope DOMAINS                           Comma separated (sub-)domains to consider in scope.\r\n                                                  Wildcard(s) allowed in the trd of valid 
domains, e.g: *.target.tld\r\n                                                  Separator to use between the values: ','\r\n        --user-agent, --ua VALUE\r\n        --headers HEADERS                         Additional headers to append in requests\r\n                                                  Separator to use between the headers: '; '\r\n                                                  Examples: 'X-Forwarded-For: 127.0.0.1', 'X-Forwarded-For: 127.0.0.1; Another: aaa'\r\n        --vhost VALUE                             The virtual host (Host header) to use in requests\r\n        --random-user-agent, --rua                Use a random user-agent for each scan\r\n        --user-agents-list FILE-PATH              List of agents to use with --random-user-agent\r\n                                                  Default: \/var\/lib\/gems\/2.5.0\/gems\/cms_scanner-0.13.5\/app\/user_agents.txt\r\n        --http-auth login:password\r\n    -t, --max-threads VALUE                       The max threads to use\r\n                                                  Default: 5\r\n        --throttle MilliSeconds                   Milliseconds to wait before doing another web request. 
If used, the max threads will be set to 1.\r\n        --request-timeout SECONDS                 The request timeout in seconds\r\n                                                  Default: 60\r\n        --connect-timeout SECONDS                 The connection timeout in seconds\r\n                                                  Default: 30\r\n        --disable-tls-checks                      Disables SSL\/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)\r\n        --proxy protocol:\/\/IP:port                Supported protocols depend on the cURL installed\r\n        --proxy-auth login:password\r\n        --cookie-string COOKIE                    Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]\r\n        --cookie-jar FILE-PATH                    File to read and write cookies\r\n                                                  Default: \/tmp\/wpscan\/cookie_jar.txt\r\n        --cache-ttl TIME_TO_LIVE                  The cache time to live in seconds\r\n                                                  Default: 600\r\n        --clear-cache                             Clear the cache before the scan\r\n        --cache-dir PATH                          Default: \/tmp\/wpscan\/cache\r\n        --server SERVER                           Force the supplied server module to be loaded\r\n                                                  Available choices: apache, iis, nginx\r\n        --force                                   Do not check if the target is running WordPress or returns a 403\r\n        --[no-]update                             Whether or not to update the Database\r\n        --api-token TOKEN                         The WPScan API Token to display vulnerability data, available at https:\/\/wpscan.com\/profile\r\n        --wp-content-dir DIR                      The wp-content directory if custom or not detected, such as \"wp-content\"\r\n        --wp-plugins-dir DIR                      
The plugins directory if custom or not detected, such as \"wp-content\/plugins\"\r\n        --interesting-findings-detection MODE     Use the supplied mode for the interesting findings detection.\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --wp-version-all                          Check all the version locations\r\n        --wp-version-detection MODE               Use the supplied mode for the WordPress version detection, instead of the global (--detection-mode) mode.\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --main-theme-detection MODE               Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode.\r\n                                                  Available choices: mixed, passive, aggressive\r\n    -e, --enumerate [OPTS]                        Enumeration Process\r\n                                                  Available Choices:\r\n                                                   vp   Vulnerable plugins\r\n                                                   ap   All plugins\r\n                                                   p    Popular plugins\r\n                                                   vt   Vulnerable themes\r\n                                                   at   All themes\r\n                                                   t    Popular themes\r\n                                                   tt   Timthumbs\r\n                                                   cb   Config backups\r\n                                                   dbe  Db exports\r\n                                                   u    User IDs range. 
e.g: u1-5\r\n                                                        Range separator to use: '-'\r\n                                                        Value if no argument supplied: 1-10\r\n                                                   m    Media IDs range. e.g m1-15\r\n                                                        Note: Permalink setting must be set to \"Plain\" for those to be detected\r\n                                                        Range separator to use: '-'\r\n                                                        Value if no argument supplied: 1-100\r\n                                                  Separator to use between the values: ','\r\n                                                  Default: All Plugins, Config Backups\r\n                                                  Value if no argument supplied: vp,vt,tt,cb,dbe,u,m\r\n                                                  Incompatible choices (only one of each group\/s can be used):\r\n                                                   - vp, ap, p\r\n                                                   - vt, at, t\r\n        --exclude-content-based REGEXP_OR_STRING  Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.\r\n                                                  Both the headers and body are checked. 
Regexp delimiters are not required.\r\n        --plugins-list LIST                       List of plugins to enumerate\r\n                                                  Examples: 'a1', 'a1,a2,a3', '\/tmp\/a.txt'\r\n        --plugins-detection MODE                  Use the supplied mode to enumerate Plugins.\r\n                                                  Default: passive\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --plugins-version-all                     Check all the plugins version locations according to the choosen mode (--detection-mode, --plugins-detection and --plugins-version-detection)\r\n        --plugins-version-detection MODE          Use the supplied mode to check plugins' versions.\r\n                                                  Default: mixed\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --plugins-threshold THRESHOLD             Raise an error when the number of detected plugins via known locations reaches the threshold. 
Set to 0 to ignore the threshold.\r\n                                                  Default: 100\r\n        --themes-list LIST                        List of themes to enumerate\r\n                                                  Examples: 'a1', 'a1,a2,a3', '\/tmp\/a.txt'\r\n        --themes-detection MODE                   Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode.\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --themes-version-all                      Check all the themes version locations according to the choosen mode (--detection-mode, --themes-detection and --themes-version-detection)\r\n        --themes-version-detection MODE           Use the supplied mode to check themes versions instead of the --detection-mode or --themes-detection modes.\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --themes-threshold THRESHOLD              Raise an error when the number of detected themes via known locations reaches the threshold. 
Set to 0 to ignore the threshold.\r\n                                                  Default: 20\r\n        --timthumbs-list FILE-PATH                List of timthumbs' location to use\r\n                                                  Default: \/home\/pi\/.wpscan\/db\/timthumbs-v3.txt\r\n        --timthumbs-detection MODE                Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode.\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --config-backups-list FILE-PATH           List of config backups' filenames to use\r\n                                                  Default: \/home\/pi\/.wpscan\/db\/config_backups.txt\r\n        --config-backups-detection MODE           Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode.\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --db-exports-list FILE-PATH               List of DB exports' paths to use\r\n                                                  Default: \/home\/pi\/.wpscan\/db\/db_exports.txt\r\n        --db-exports-detection MODE               Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode.\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --medias-detection MODE                   Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode.\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --users-list LIST                         List of users to check during the users enumeration from the Login Error Messages\r\n                                                  Examples: 'a1', 'a1,a2,a3', '\/tmp\/a.txt'\r\n        --users-detection MODE                    Use the supplied mode to enumerate Users, instead of 
the global (--detection-mode) mode.\r\n                                                  Available choices: mixed, passive, aggressive\r\n        --exclude-usernames REGEXP_OR_STRING      Exclude usernames matching the Regexp\/string (case insensitive). Regexp delimiters are not required.\r\n    -P, --passwords FILE-PATH                     List of passwords to use during the password attack.\r\n                                                  If no --username\/s option supplied, user enumeration will be run.\r\n    -U, --usernames LIST                          List of usernames to use during the password attack.\r\n                                                  Examples: 'a1', 'a1,a2,a3', '\/tmp\/a.txt'\r\n        --multicall-max-passwords MAX_PWD         Maximum number of passwords to send by request with XMLRPC multicall\r\n                                                  Default: 500\r\n        --password-attack ATTACK                  Force the supplied attack to be used rather than automatically determining one.\r\n                                                  Available choices: wp-login, xmlrpc, xmlrpc-multicall\r\n        --login-uri URI                           The URI of the login page if different from \/wp-login.php\r\n        --stealthy                                Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive\r\n\r\n<\/pre>\n<p>Now a first scan:<\/p>\n<p><strong>wpscan --url http(s):\/\/YOUR.DOMAIN -e<\/strong><\/p>\n<p>That can take a few minutes (5 minutes in this case) until all checks have run; here are a few excerpts:<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >...\r\n\r\nInteresting Finding(s):\r\n\r\n[+] Headers\r\n | Interesting Entries:\r\n |  - Server: Apache\/2.4.48 (Unix)\r\n |  - X-Powered-By: PHP\/7.4.22\r\n |  - WPO-Cache-Status: cached\r\n | Found By: Headers (Passive Detection)\r\n | Confidence: 100%\r\n\r\n\/\/ you get 
the server and PHP version\r\n\r\n...\r\n\r\n[+] WordPress version 5.8.1 identified (Latest, released on 2021-09-09).\r\n | Found By: Emoji Settings (Passive Detection)\r\n |  - http:\/\/wenzlaff.info\/, Match: 'wp-includes\\\/js\\\/wp-emoji-release.min.js?ver=5.8.1'\r\n | Confirmed By: Meta Generator (Passive Detection)\r\n |  - http:\/\/..\/, Match: 'WordPress 5.8.1'\r\n\r\n\/\/ you get the WP version ...\r\n\r\n[+] Enumerating Vulnerable Plugins (via Passive Methods)\r\n\r\n[i] No plugins Found.\r\n\r\n[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)\r\n Checking Known Locations - Time: 00:00:10 &lt;===================================================================================================&gt; (357 \/ 357) 100.00% Time: 00:00:10\r\n\r\n[i] No themes Found.\r\n\r\n[+] Enumerating Timthumbs (via Passive and Aggressive Methods)\r\n Checking Known Locations - Time: 00:01:05 &lt;=====================================================================================             &gt; (2253 \/ 2568) 87.73%  ETA: 00:00:\r\n\r\n[+] Enumerating Config Backups (via Passive and Aggressive Methods)\r\n Checking Config Backups - Time: 00:00:06 &lt;====================================================================================================&gt; (137 \/ 137) 100.00% Time: 00:00:06\r\n\r\n[i] No Config Backups Found.\r\n\r\n[+] Enumerating DB Exports (via Passive and Aggressive Methods)\r\n Checking DB Exports - Time: 00:00:02 &lt;==========================================================================================================&gt; (71 \/ 71) 100.00% Time: 00:00:02\r\n\r\n[i] No DB Exports Found.\r\n\r\n[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to \"Plain\" for those to be detected)\r\n Brute Forcing Attachment IDs - Time: 00:00:22 &lt;===============================================================================================&gt; (100 \/ 100) 100.00% Time: 00:00:22\r\n\r\n[i] No 
Medias Found.\r\n\r\n[+] Enumerating Users (via Passive and Aggressive Methods)\r\n...\r\n\r\n[+] Finished: ...\r\n[+] Requests Done: 3314\r\n[+] Cached Requests: 34\r\n[+] Data Sent: 923.226 KB\r\n[+] Data Received: 9.917 MB\r\n[+] Memory used: 223 MB\r\n[+] Elapsed time: 00:05:39\r\n<\/pre>\n<p>Anyone who only wants to check the plugins can also quickly (1-2 minutes) use the parameter <strong>-e vp<\/strong> (vulnerable plugins):<\/p>\n<p><strong>wpscan --url http(s):\/\/YOUR.DOMAIN -e vp<\/strong><\/p>\n<p>More information (in English) is available <a href=\"https:\/\/github.com\/wpscanteam\/wpscan\/wiki\/WPScan-User-Documentation\" rel=\"noopener\" target=\"_blank\">in the manual<\/a> or <a href=\"https:\/\/github.com\/wpscanteam\/wpscan\">here<\/a>, and there is also a database with vulnerability descriptions. For that, an <a href=\"https:\/\/wpscan.com\/api\/\" rel=\"noopener\" target=\"_blank\">API key<\/a> has to be created; it is free for 25 requests. If you need it &#8230; There is also a WPScan plugin. If you need it &#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Millions of websites run on WordPress, which with roughly 62% market share is number one in the CMS world. 6 years ago I already reported here how WPScan can be used with Kali Linux. There it comes preinstalled. 
But it can also be installed on Debian Linux on a Raspberry Pi &hellip; <\/p>\n<p class=\"link-more\"><a href=\"http:\/\/blog.wenzlaff.de\/?p=17440\" class=\"more-link\"><span class=\"screen-reader-text\">\u201eChecking WordPress for security vulnerabilities with WPScan on a Raspberry Pi under Debian &#8211; it does not always have to be Kali, and &#8220;I Still Have Faith In You&#8221;\u201c <\/span>read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[220,2173,808,1023,1319],"tags":[3758,5003,190,211,5002],"class_list":["post-17440","post","type-post","status-publish","format-standard","hentry","category-anleitung","category-debian","category-linux-2","category-raspberry-pi","category-sicherheit-2","tag-scannen","tag-sicherheitsluecken","tag-wordpress","tag-wp","tag-wpscan"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/17440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17440"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/17440\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17440"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1
7440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}