Updating the databases
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --update
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
Generic vulnerability scan
With the following command we can get a generic listing of the vulnerabilities present in the WordPress installation we are auditing. Each entry gives the URLs where we can read what the vulnerability consists of, how to fix it and how to exploit it.
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXXXXX.com
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://XXXXXXX/
[+] Started: Fri Jan 15 16:00:47 2016
[!] The WordPress 'http://XXXXXXX/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://XXXXXXXXX/xmlrpc.php
[+] WordPress version 3.9.1 identified from meta generator
[!] 20 vulnerabilities identified from the version number
[!] Title: WordPress 3.9 & 3.9.1 Unlikely Code Execution
Reference: https://wpvulndb.com/vulnerabilities/7527
Reference: https://core.trac.wordpress.org/changeset/29389
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
[i] Fixed in: 3.9.2
[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
Reference: https://wpvulndb.com/vulnerabilities/7528
Reference: https://core.trac.wordpress.org/changeset/29384
Reference: https://core.trac.wordpress.org/changeset/29408
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
Reference: https://wpvulndb.com/vulnerabilities/7529
Reference: https://core.trac.wordpress.org/changeset/29398
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
Reference: https://wpvulndb.com/vulnerabilities/7530
Reference: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
Reference: http://getid3.sourceforge.net/
Reference: http://wordpress.org/news/2014/08/wordpress-3-9-2/
Reference: http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
Reference: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
Reference: https://wpvulndb.com/vulnerabilities/7531
Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
[i] Fixed in: 4.0
[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7680
Reference: http://klikki.fi/adv/wordpress.html
Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
Reference: http://klikki.fi/adv/wordpress_update.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
[i] Fixed in: 4.0
[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
Reference: https://wpvulndb.com/vulnerabilities/7681
Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
Reference: http://osvdb.org/show/osvdb/114857
Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
Reference: https://www.exploit-db.com/exploits/35413/
Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
Reference: https://wpvulndb.com/vulnerabilities/7696
Reference: http://www.securityfocus.com/bid/71234/
Reference: https://core.trac.wordpress.org/changeset/30444
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1
[!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
Reference: https://wpvulndb.com/vulnerabilities/7697
Reference: https://core.trac.wordpress.org/changeset/30422
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7929
Reference: https://wordpress.org/news/2015/04/wordpress-4-1-2/
Reference: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
[i] Fixed in: 4.1.2
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8111
Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
Reference: https://twitter.com/klikkioy/status/624264122570526720
Reference: https://klikki.fi/adv/wordpress3.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 3.9.7
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8126
Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
Reference: https://wpvulndb.com/vulnerabilities/8130
Reference: https://core.trac.wordpress.org/changeset/33536
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8131
Reference: https://core.trac.wordpress.org/changeset/33529
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8132
Reference: https://core.trac.wordpress.org/changeset/33541
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8133
Reference: https://core.trac.wordpress.org/changeset/33549
Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8186
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 3.9.9
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8187
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 3.9.9
[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
Reference: https://wpvulndb.com/vulnerabilities/8188
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 3.9.9
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8358
Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 3.9.10
[+] WordPress theme in use: XXXXX - v1.2.0
[+] Name: XXXXXX - v1.2.0
| Location: http://XXXXXXXXX/wp-content/themes/XXXXX/
| Readme: http://XXXXXXX/wp-content/themes/XXXX/readme.txt
| Style URL: http://XXXXXXXX/wp-content/themes/XXXXX/style.css
| Referenced style.css: http://blog.XXXXXX.com/wp-content/themes/XXXXX/style.css
| Theme Name: XXXXXX
| Theme URI: http://XXXXXXXXXXX
| Description: XXXXX Clean, Responsive and Modern Theme for Personal Blogging
| Author: XXXXXX
| Author URI: http://XXXXXX.com
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Finished: Fri Jan 15 16:00:48 2016
[+] Requests Done: 36
[+] Memory used: 3.219 MB
[+] Elapsed time: 00:00:01
In-depth vulnerability scan
With the --enumerate option, WPScan performs an in-depth scan of the WordPress vulnerabilities in which, among other data, we can obtain the users registered on the site. Having these users lets us, for example, audit the passwords with a dictionary attack, so the information obtained with --enumerate gives us additional material to complete an exhaustive security audit of WordPress.
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXX --enumerate
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://XXXXXXXX/
[+] Started: Fri Jan 15 16:01:34 2016
[!] The WordPress 'http://XXXXXX/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://XXXXXXX/xmlrpc.php
[+] WordPress version 3.9.1 identified from meta generator
[!] 20 vulnerabilities identified from the version number
[!] Title: WordPress 3.9 & 3.9.1 Unlikely Code Execution
Reference: https://wpvulndb.com/vulnerabilities/7527
Reference: https://core.trac.wordpress.org/changeset/29389
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
[i] Fixed in: 3.9.2
[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
Reference: https://wpvulndb.com/vulnerabilities/7528
Reference: https://core.trac.wordpress.org/changeset/29384
Reference: https://core.trac.wordpress.org/changeset/29408
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
Reference: https://wpvulndb.com/vulnerabilities/7529
Reference: https://core.trac.wordpress.org/changeset/29398
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
Reference: https://wpvulndb.com/vulnerabilities/7530
Reference: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
Reference: http://getid3.sourceforge.net/
Reference: http://wordpress.org/news/2014/08/wordpress-3-9-2/
Reference: http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
Reference: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
Reference: https://wpvulndb.com/vulnerabilities/7531
Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
[i] Fixed in: 4.0
[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7680
Reference: http://klikki.fi/adv/wordpress.html
Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
Reference: http://klikki.fi/adv/wordpress_update.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
[i] Fixed in: 4.0
[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
Reference: https://wpvulndb.com/vulnerabilities/7681
Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
Reference: http://osvdb.org/show/osvdb/114857
Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
Reference: https://www.exploit-db.com/exploits/35413/
Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
Reference: https://wpvulndb.com/vulnerabilities/7696
Reference: http://www.securityfocus.com/bid/71234/
Reference: https://core.trac.wordpress.org/changeset/30444
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1
[!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
Reference: https://wpvulndb.com/vulnerabilities/7697
Reference: https://core.trac.wordpress.org/changeset/30422
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7929
Reference: https://wordpress.org/news/2015/04/wordpress-4-1-2/
Reference: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
[i] Fixed in: 4.1.2
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8111
Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
Reference: https://twitter.com/klikkioy/status/624264122570526720
Reference: https://klikki.fi/adv/wordpress3.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 3.9.7
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8126
Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
Reference: https://wpvulndb.com/vulnerabilities/8130
Reference: https://core.trac.wordpress.org/changeset/33536
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8131
Reference: https://core.trac.wordpress.org/changeset/33529
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8132
Reference: https://core.trac.wordpress.org/changeset/33541
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8133
Reference: https://core.trac.wordpress.org/changeset/33549
Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8186
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 3.9.9
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8187
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 3.9.9
[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
Reference: https://wpvulndb.com/vulnerabilities/8188
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 3.9.9
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8358
Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 3.9.10
[+] WordPress theme in use: XXXX - v1.2.0
[+] Name: XXXXX - v1.2.0
| Location: http://XXXXXX/wp-content/themes/XXXXXX/
| Readme: http://XXXXXX/wp-content/themes/XXXXXX/readme.txt
| Style URL: http://XXXXXX/wp-content/themes/XXXXXX/style.css
| Referenced style.css: http://blog.XXXXXX.com/wp-content/themes/XXXXXX/style.css
| Theme Name: XXXXXX
| Theme URI: http://XXXXXX
| Description: XXXXXX Clean, Responsive and Modern Theme for Personal Blogging
| Author: XXXXXX
| Author URI: http://XXXXXX.com
[+] Enumerating installed plugins (only ones with known vulnerabilities) ...
Time: 00:00:02 <========================================================================================================================================================================> (1258 / 1258) 100.00% Time: 00:00:02
[+] We found 1 plugins:
[+] Name: akismet - v3.0.0
| Location: http://XXXXXX/wp-content/plugins/akismet/
| Readme: http://XXXXXX/wp-content/plugins/akismet/readme.txt
[!] The version is out of date, the latest version is 3.1.7
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5
[+] Enumerating installed themes (only ones with known vulnerabilities) ...
Time: 00:00:00 <==========================================================================================================================================================================> (368 / 368) 100.00% Time: 00:00:00
[+] No themes found
[+] Enumerating timthumb files ...
Time: 00:00:04 <========================================================================================================================================================================> (2539 / 2539) 100.00% Time: 00:00:04
[+] No timthumb files found
[+] Enumerating usernames ...
[+] Identified the following 3 user/s:
+----+----------+----------+
| Id | Login | Name |
+----+----------+----------+
| 1 | caXXX | caXX |
| 2 | caXXXa | caXXXa |
| 3 | admin | admin |
+----+----------+----------+
[+] Finished: Fri Jan 15 16:01:49 2016
[+] Requests Done: 4218
[+] Memory used: 38.895 MB
[+] Elapsed time: 00:00:14
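To turn a report like the one above into a patch list, the following added example (not part of WPScan or of the original post) parses the text output into findings and groups them by component and "Fixed in" release. The names `parse_wpscan`, `by_fix_release` and `report` are hypothetical, and the sample is a trimmed copy of lines from the output above.

```ruby
require 'rubygems' # Gem::Version, for numeric version ordering

# Lines copied from the scan output above (trimmed to five findings).
SAMPLE_SCAN = <<~'OUT'
  [+] WordPress version 3.9.1 identified from meta generator
  [!] Title: WordPress 3.9 & 3.9.1 Unlikely Code Execution
  Reference: https://wpvulndb.com/vulnerabilities/7527
  Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
  [i] Fixed in: 3.9.2
  [!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
  Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
  Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
  [i] Fixed in: 3.9.2
  [!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
  Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
  [i] Fixed in: 3.9.10
  [!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
  Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
  [i] Fixed in: 3.9.9
  [+] Name: akismet - v3.0.0
  [!] The version is out of date, the latest version is 3.1.7
  [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
  Reference: https://wpvulndb.com/vulnerabilities/8215
  [i] Fixed in: 3.1.5
OUT

Finding = Struct.new(:component, :installed, :title, :cves, :fixed_in)

# Walk the report line by line, remembering which component (core, plugin
# or theme) the following "[!] Title:" entries belong to.
def parse_wpscan(text)
  findings = []
  component = installed = current = nil
  text.each_line do |raw|
    case raw.strip
    when /\A\[\+\] WordPress version (\S+) identified/
      component, installed = 'wordpress', $1
    when /\A\[\+\] Name: (.+?) - v(\S+)\z/
      component, installed = $1, $2
    when /\A\[!\] Title: (.+)\z/
      current = Finding.new(component, installed, $1, [], nil)
      findings << current
    when /\AReference: \S*(CVE-\d{4}-\d+)/
      current.cves << $1 if current
    when /\A\[i\] Fixed in: (\S+)\z/
      current.fixed_in = $1 if current
    end
  end
  findings
end

# Group by [component, fixed-in release]. Gem::Version compares numerically,
# so 3.9.10 sorts after 3.9.9 (a plain string sort would put it before 3.9.2).
def by_fix_release(findings)
  findings.select(&:fixed_in)
          .group_by { |f| [f.component, f.fixed_in] }
          .sort_by { |(comp, ver), _| [comp, Gem::Version.new(ver)] }
end

# One summary line per component and fix release.
def report(text)
  by_fix_release(parse_wpscan(text)).map do |(comp, ver), list|
    cves = list.flat_map(&:cves).join(', ')
    "#{comp} #{list.first.installed} -> #{ver}: #{list.size} finding(s) #{cves}".strip
  end
end

puts report(SAMPLE_SCAN) if __FILE__ == $PROGRAM_NAME
```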
WordPress login brute-force attack
As we saw in the previous steps, we are facing a WordPress installation with no additional access restriction on the administration area, such as a CAPTCHA or blocking with .htpasswd. This lets us audit the strength of the user/password pairs without any complication or extra step, and we also have in our favor that we already know users registered on the site thanks to the information returned by the previous command. Assuming that I have generated a dictionary with Crunch as I explain in this post and that it is at /home/rencinar/pass.txt, the command to audit the strength of the admin user's password would be:
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXXX --wordlist /home/rencinar/pass.txt --username admin
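On the defending side, a dictionary audit like this shows up in the web server's access log as a burst of POSTs to the login page from one address. The following added example (not from the original post) counts those bursts with a sliding window. It assumes Apache combined log format; the log lines, the documentation-range IPs, the thresholds and the names `parse_line` and `login_bursts` are constructed for illustration.

```ruby
require 'time'

# Build one constructed access-log line in Apache combined format.
def sample_line(ip, clock, method, path, status)
  %(#{ip} - - [15/Jan/2016:#{clock} +0100] "#{method} #{path} HTTP/1.1" #{status} 3120 "-" "-")
end

# Constructed sample: one noisy client, one ordinary user.
SAMPLE_LOG = [
  *(1..6).map { |s| sample_line('203.0.113.7', format('16:05:%02d', s), 'POST', '/wp-login.php', 200) },
  sample_line('198.51.100.20', '16:00:00', 'POST', '/wp-login.php', 200),
  sample_line('198.51.100.20', '16:09:00', 'POST', '/wp-login.php', 302),
  sample_line('198.51.100.20', '16:09:05', 'GET', '/wp-login.php', 200)
].join("\n")

LINE_RE = %r{\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) }

# Extract the fields the detection needs; returns nil for unparseable lines.
def parse_line(line)
  m = LINE_RE.match(line) or return nil
  { ip: m[1], time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[3], path: m[4].split('?').first, status: m[5].to_i }
end

# Returns { ip => peak } where peak is the largest number of POSTs to
# /wp-login.php that the IP made inside any `window`-second span, keeping
# only IPs whose peak reaches `threshold`.
def login_bursts(log, threshold: 5, window: 60)
  times = Hash.new { |h, k| h[k] = [] }
  log.each_line do |l|
    e = parse_line(l)
    next unless e && e[:method] == 'POST' && e[:path] == '/wp-login.php'
    times[e[:ip]] << e[:time]
  end
  times.each_with_object({}) do |(ip, ts), out|
    ts.sort!
    left = 0
    peak = 0
    ts.each_with_index do |t, right|
      # Shrink the window from the left until it spans at most `window` seconds.
      left += 1 while t - ts[left] > window
      peak = [peak, right - left + 1].max
    end
    out[ip] = peak if peak >= threshold
  end
end

p login_bursts(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

The same counts can drive a rate limit or a temporary block on the login endpoint, which are the kind of restrictions the audited site lacks.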