wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

Not recognizing WP websites #1351

Closed Sicks3c closed 5 years ago

Sicks3c commented 5 years ago

Hello

After the last update, wpscan cannot identify any WordPress blog. I tried a lot of WordPress websites that are using WordPress, confirmed by the Wappalyzer plugin in Firefox.

Output error:

Scan Aborted: Unable to identify the wp-content dir, please supply it with --wp-content-dir
Trace: /usr/share/rubygems-integration/all/gems/wpscan-3.4.1/app/controllers/custom_directories.rb:19:in `before_scan'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.0.41.0/lib/cms_scanner/controllers.rb:42:in `each'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.0.41.0/lib/cms_scanner/controllers.rb:42:in `run'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.0.41.0/lib/cms_scanner.rb:137:in `run'
/usr/share/rubygems-integration/all/gems/wpscan-3.4.1/bin/wpscan:15:in `block in <top (required)>'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.0.41.0/lib/cms_scanner.rb:128:in `initialize'
/usr/share/rubygems-integration/all/gems/wpscan-3.4.1/bin/wpscan:5:in `new'
/usr/share/rubygems-integration/all/gems/wpscan-3.4.1/bin/wpscan:5:in `<top (required)>'
/usr/bin/wpscan:23:in `load'
/usr/bin/wpscan:23:in `<main>'

erwanlr commented 5 years ago

You are using an outdated version, v3.5.3 is currently the latest and received a lot of improvements, especially in wp-content directory detection.

So please update wpscan and try again

Sicks3c commented 5 years ago

I have updated to the latest version with: gem install wpscan

WordPress Security Scanner by the WPScan Team
Version 3.5.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
Scan Aborted: The remote website is up, but does not seem to be running WordPress.

I'm getting this error now, even though the website is running WordPress.

erwanlr commented 5 years ago

Have you tried with the --random-user-agent option ?

Providing the full command (including the url if possible) you are trying to scan would help investigate if the above doesn't work. Our email is team at wpscan dot org.

Sicks3c commented 5 years ago

Here is the command:

wpscan --url sieuthibongban.vn --random-user-agent

Same error:

Scan Aborted: The remote website is up, but does not seem to be running WordPress.

erwanlr commented 5 years ago

It appears that there is some kind of WAF/protection plugin in place banning the scanning IP when suspicious activity is detected, nothing we can do about it unfortunately.

If the ban is temporary, using wpscan --url <the-url> --stealthy will give you some results, but a normal scan (in order to get more and accurate results) will raise a ban again.

Sicks3c commented 5 years ago

Unfortunately for me it's not the case. I tried some Machine labs with WordPress, same issue ... and with WordPress on my local machine it can't detect the WordPress installation :(

erwanlr commented 5 years ago

Again, you will have to give more details, such as the command used, output of wpscan and the target (ideally something I can test on to try to reproduce the issue).

Running $ wpscan --url http://localhost:8000/ against a vanilla WP installed and running via docker-compose (instructions from https://docs.docker.com/compose/wordpress/) gives the below results:

$ wpscan --url http://localhost:8000/
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.5.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://localhost:8000/
[+] Started: Mon May 27 09:05:52 2019

Interesting Finding(s):

[+] http://localhost:8000/
 | Interesting Entries:
 |  - Server: Apache/2.4.25 (Debian)
 |  - X-Powered-By: PHP/7.2.18
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://localhost:8000/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://localhost:8000/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://localhost:8000/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2 identified (Outdated, released on 2019-05-07).
 | Detected By: Rss Generator (Passive Detection)
 |  - http://localhost:8000/?feed=rss2, <generator>https://wordpress.org/?v=5.2</generator>
 |  - http://localhost:8000/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://localhost:8000/wp-content/themes/twentynineteen/
 | Latest Version: 1.4 (up to date)
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://localhost:8000/wp-content/themes/twentynineteen/readme.txt
 | Style URL: http://localhost:8000/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://localhost:8000/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <========================================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Finished: Mon May 27 09:05:56 2019
[+] Requests Done: 52
[+] Cached Requests: 5
[+] Data Sent: 10.714 KB
[+] Data Received: 518.284 KB
[+] Memory used: 198.824 MB
[+] Elapsed time: 00:00:03

Edit: You could use a proxy such as Burp Suite to see what the blog is returning to wpscan, via the --proxy option (you might also want to use --disable-tls-checks if the blog is running over https).