lunes, 8 de febrero de 2016

Comandos importantes en WPScan

Actualización de las bases de datos

root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --update
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.


Escaneo genérico de vulnerabilidades

Con el siguiente comando podemos sacar un listado genérico de las vulnerabilidades que tiene el WordPress que estamos auditando. En cada apartado nos indican las url donde podemos consultar en que consisten estas vulnerabilidades, como solucionarlas y como explotarlas.
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXXXXX.com
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://XXXXXXX/
[+] Started: Fri Jan 15 16:00:47 2016

[!] The WordPress 'http://XXXXXXX/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://XXXXXXXXX/xmlrpc.php

[+] WordPress version 3.9.1 identified from meta generator
[!] 20 vulnerabilities identified from the version number

[!] Title:  WordPress 3.9 & 3.9.1 Unlikely Code Execution
    Reference: https://wpvulndb.com/vulnerabilities/7527
    Reference: https://core.trac.wordpress.org/changeset/29389
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
[i] Fixed in: 3.9.2

[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
    Reference: https://wpvulndb.com/vulnerabilities/7528
    Reference: https://core.trac.wordpress.org/changeset/29384
    Reference: https://core.trac.wordpress.org/changeset/29408
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
    Reference: https://wpvulndb.com/vulnerabilities/7529
    Reference: https://core.trac.wordpress.org/changeset/29398
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
    Reference: https://wpvulndb.com/vulnerabilities/7530
    Reference: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
    Reference: http://getid3.sourceforge.net/
    Reference: http://wordpress.org/news/2014/08/wordpress-3-9-2/
    Reference: http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
    Reference: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
    Reference: https://wpvulndb.com/vulnerabilities/7531
    Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
    Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
[i] Fixed in: 4.0

[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7680
    Reference: http://klikki.fi/adv/wordpress.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: http://klikki.fi/adv/wordpress_update.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
[i] Fixed in: 4.0

[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
    Reference: https://wpvulndb.com/vulnerabilities/7681
    Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
    Reference: http://osvdb.org/show/osvdb/114857
    Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
    Reference: https://www.exploit-db.com/exploits/35413/
    Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
    Reference: https://wpvulndb.com/vulnerabilities/7696
    Reference: http://www.securityfocus.com/bid/71234/
    Reference: https://core.trac.wordpress.org/changeset/30444
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1

[!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
    Reference: https://wpvulndb.com/vulnerabilities/7697
    Reference: https://core.trac.wordpress.org/changeset/30422
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7929
    Reference: https://wordpress.org/news/2015/04/wordpress-4-1-2/
    Reference: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
[i] Fixed in: 4.1.2

[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8111
    Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
    Reference: https://twitter.com/klikkioy/status/624264122570526720
    Reference: https://klikki.fi/adv/wordpress3.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 3.9.7

[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8126
    Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
    Reference: https://wpvulndb.com/vulnerabilities/8130
    Reference: https://core.trac.wordpress.org/changeset/33536
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8131
    Reference: https://core.trac.wordpress.org/changeset/33529
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8132
    Reference: https://core.trac.wordpress.org/changeset/33541
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8133
    Reference: https://core.trac.wordpress.org/changeset/33549
    Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8186
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 3.9.9

[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8187
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 3.9.9

[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
    Reference: https://wpvulndb.com/vulnerabilities/8188
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 3.9.9

[!] Title: WordPress  3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8358
    Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 3.9.10

[+] WordPress theme in use: XXXXX - v1.2.0

[+] Name: XXXXXX - v1.2.0
 |  Location: http://XXXXXXXXX/wp-content/themes/XXXXX/
 |  Readme: http://XXXXXXX/wp-content/themes/XXXX/readme.txt
 |  Style URL: http://XXXXXXXX/wp-content/themes/XXXXX/style.css
 |  Referenced style.css: http://blog.XXXXXX.com/wp-content/themes/XXXXX/style.css
 |  Theme Name: XXXXXX
 |  Theme URI: http://XXXXXXXXXXX
 |  Description: XXXXX Clean, Responsive and Modern Theme for Personal Blogging
 |  Author: XXXXXX
 |  Author URI: http://XXXXXX.com

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Fri Jan 15 16:00:48 2016
[+] Requests Done: 36
[+] Memory used: 3.219 MB
[+] Elapsed time: 00:00:01




Escaneo en profundidad de vulnerabilidades

Con la opción --enumerate WPScan realizará un escaneo profundo de las vulnerabilidades de WordPress donde entre otros datos podremos obtener los usuarios dados de alta en él. El obtener estos usuarios nos permitirá por ejemplo realizar una auditoría de las contraseñas mediante un ataque por diccionario por esto con la información obtenida con --enumerate podremos tener información adicional para completar una auditoría de seguridad exhaustiva de WordPress.

root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXX --enumerate
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://XXXXXXXX/
[+] Started: Fri Jan 15 16:01:34 2016

[!] The WordPress 'http://XXXXXX/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://XXXXXXX/xmlrpc.php

[+] WordPress version 3.9.1 identified from meta generator
[!] 20 vulnerabilities identified from the version number

[!] Title:  WordPress 3.9 & 3.9.1 Unlikely Code Execution
    Reference: https://wpvulndb.com/vulnerabilities/7527
    Reference: https://core.trac.wordpress.org/changeset/29389
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
[i] Fixed in: 3.9.2

[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
    Reference: https://wpvulndb.com/vulnerabilities/7528
    Reference: https://core.trac.wordpress.org/changeset/29384
    Reference: https://core.trac.wordpress.org/changeset/29408
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
    Reference: https://wpvulndb.com/vulnerabilities/7529
    Reference: https://core.trac.wordpress.org/changeset/29398
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
    Reference: https://wpvulndb.com/vulnerabilities/7530
    Reference: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
    Reference: http://getid3.sourceforge.net/
    Reference: http://wordpress.org/news/2014/08/wordpress-3-9-2/
    Reference: http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
    Reference: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
    Reference: https://wpvulndb.com/vulnerabilities/7531
    Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
    Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
[i] Fixed in: 4.0

[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7680
    Reference: http://klikki.fi/adv/wordpress.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: http://klikki.fi/adv/wordpress_update.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
[i] Fixed in: 4.0

[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
    Reference: https://wpvulndb.com/vulnerabilities/7681
    Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
    Reference: http://osvdb.org/show/osvdb/114857
    Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
    Reference: https://www.exploit-db.com/exploits/35413/
    Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
    Reference: https://wpvulndb.com/vulnerabilities/7696
    Reference: http://www.securityfocus.com/bid/71234/
    Reference: https://core.trac.wordpress.org/changeset/30444
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1

[!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
    Reference: https://wpvulndb.com/vulnerabilities/7697
    Reference: https://core.trac.wordpress.org/changeset/30422
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7929
    Reference: https://wordpress.org/news/2015/04/wordpress-4-1-2/
    Reference: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
[i] Fixed in: 4.1.2

[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8111
    Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
    Reference: https://twitter.com/klikkioy/status/624264122570526720
    Reference: https://klikki.fi/adv/wordpress3.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 3.9.7

[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8126
    Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
    Reference: https://wpvulndb.com/vulnerabilities/8130
    Reference: https://core.trac.wordpress.org/changeset/33536
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8131
    Reference: https://core.trac.wordpress.org/changeset/33529
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8132
    Reference: https://core.trac.wordpress.org/changeset/33541
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8133
    Reference: https://core.trac.wordpress.org/changeset/33549
    Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8186
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 3.9.9

[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8187
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 3.9.9

[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
    Reference: https://wpvulndb.com/vulnerabilities/8188
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 3.9.9

[!] Title: WordPress  3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8358
    Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 3.9.10

[+] WordPress theme in use: XXXX - v1.2.0

[+] Name: XXXXX - v1.2.0
 |  Location: http://XXXXXX/wp-content/themes/XXXXXX/
 |  Readme: http://XXXXXX/wp-content/themes/XXXXXX/readme.txt
 |  Style URL: http://XXXXXX/wp-content/themes/XXXXXX/style.css
 |  Referenced style.css: http://blog.XXXXXX.com/wp-content/themes/XXXXXX/style.css
 |  Theme Name: XXXXXX
 |  Theme URI: http://XXXXXX
 |  Description: XXXXXX Clean, Responsive and Modern Theme for Personal Blogging
 |  Author: XXXXXX
 |  Author URI: http://XXXXXX.com

[+] Enumerating installed plugins (only ones with known vulnerabilities) ...

   Time: 00:00:02 <========================================================================================================================================================================> (1258 / 1258) 100.00% Time: 00:00:02

[+] We found 1 plugins:

[+] Name: akismet - v3.0.0
 |  Location: http://XXXXXX/wp-content/plugins/akismet/
 |  Readme: http://XXXXXX/wp-content/plugins/akismet/readme.txt
[!] The version is out of date, the latest version is 3.1.7

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Enumerating installed themes (only ones with known vulnerabilities) ...

   Time: 00:00:00 <==========================================================================================================================================================================> (368 / 368) 100.00% Time: 00:00:00

[+] No themes found

[+] Enumerating timthumb files ...

   Time: 00:00:04 <========================================================================================================================================================================> (2539 / 2539) 100.00% Time: 00:00:04

[+] No timthumb files found

[+] Enumerating usernames ...
[+] Identified the following 3 user/s:
    +----+----------+----------+
    | Id | Login    | Name     |
    +----+----------+----------+
    | 1  | caXXX    | caXX    |
    | 2  | caXXXa | caXXXa |
    | 3  | admin    | admin    |
    +----+----------+----------+

[+] Finished: Fri Jan 15 16:01:49 2016
[+] Requests Done: 4218
[+] Memory used: 38.895 MB
[+] Elapsed time: 00:00:14 




Ataque de login por fuerza bruta en WordPress

Como hemos podido comprobar en los pasos anteriores nos enfrentamos a un WordPress sin ninguna restricción adicional de acceso en la parte de administración tales como chaptra o bloqueo con .htpasswd. Esto nos permite sin ninguna complicación ni paso adicional realizar una auditoría de usuario/password para ver su fortaleza pero ademas tenemos a nuestro favor que ya conocemos usuarios dados de alta en él gracias a la información desprendida por el comando anterior. Asumiendo que he generado un diccionario con Crunch tal y como explico en este post y que está en /home/rencinar/pass.txt para auditar la fortaleza del usuario admin el comando sería:
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXXX --wordlist /home/rencinar/pass.txt --username admin

No hay comentarios:

Publicar un comentario