wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

405 not allowed #1376

Closed phpner closed 5 years ago

phpner commented 5 years ago

Hello! I tested the app on my website. I put the correct password in the password file, but it can't be found! I've tried on WordPress 4.2 and WordPress 5.1.

The error is

```
Error: Unknown response received Code: 405
Body: <html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx-reuseport/1.13.4</center>
</body>
</html>
```


erwanlr commented 5 years ago

What's the first line of the password attack? E.g. `[+] Performing password attack on Xmlrpc against 2 user/s`. I am interested in the word/s between 'on' and 'against' to check which attacker class was used.

phpner commented 5 years ago
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
```
[+] URL: http://sitename.ru/
[+] Started: Tue Jul 30 20:05:37 2019

Interesting Finding(s):

[+] http://sitename.ru/
 | Interesting Entries:
 | - Server: nginx-reuseport/1.13.4
 | - X-Powered-By: PHP/5.6.38
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://sitename.ru/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] http://sitename.ru/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 60%
 | Confirmed By: Link Tag (Passive Detection), 30% confidence
 | References:
 | - http://codex.wordpress.org/XML-RPC_Pingback_API
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://sitename.ru/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 4.2.23 identified (Latest, released on 2019-03-13).
 | Detected By: Rss Generator (Passive Detection)
 | - http://sitename.ru/feed/, https://wordpress.org/?v=4.2.23
 | - http://sitename.ru/comments/feed/, https://wordpress.org/?v=4.2.23

[+] WordPress theme in use: twentyfifteen
 | Location: http://sitename.ru/wp-content/themes/twentyfifteen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://sitename.ru/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 2.5
 | Style URL: http://sitename.ru/wp-content/themes/twentyfifteen/style.css?ver=4.2.23
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)
 | Fixed in: 1.2
 | References:
 | - https://wpvulndb.com/vulnerabilities/7965
 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3429
 | - https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
 | - http://packetstormsecurity.com/files/131802/
 | - http://seclists.org/fulldisclosure/2015/May/41
 |
 | Version: 1.1 (80% confidence)
 | Detected By: Style (Passive Detection)
 | - http://sitename.ru/wp-content/themes/twentyfifteen/style.css?ver=4.2.23, Match: 'Version: 1.1'

[+] Enumerating All Plugins
[i] No plugins Found.

[+] Enumerating Config Backups
Checking Config Backups - Time: 00:00:00 <========================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
Error: Unknown response received Code: 405
Body: 405 Not Allowed
405 Not Allowed
nginx-reuseport/1.13.4
Trying admin / Time: 00:00:00 <===================================================> (13 / 13) 100.00% Time: 00:00:00
Error: Unknown response received Code: 405
Body: 405 Not Allowed
405 Not Allowed
nginx-reuseport/1.13.4

[i] No Valid Passwords Found.

[+] Finished: Tue Jul 30 20:05:41 2019
[+] Requests Done: 35
[+] Cached Requests: 35
[+] Data Sent: 6.313 KB
[+] Data Received: 134.853 KB
[+] Memory used: 88.031 MB
[+] Elapsed time: 00:00:03
```

erwanlr commented 5 years ago

Humm.

First I would suggest you update WPScan (you are using v3.4.3, the latest being 3.6.1) and try again.

However, it seems that your blog does not support POST requests, which is weird.

phpner commented 5 years ago

I've changed Kali Linux from 2019.1 to 2019.2. I've updated WPScan from v3.4.3 to 3.6.1. I tried different sites to brute-force, but I always got 405 errors. I use the command `wpscan --url siteXample.ru -P test.txt -U userName`.

Maybe I am doing something wrong?

My wordlist is



    __          _______   _____
    \ \        / /  __ \ / ____|
     \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
      \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
       \  /\  /  | |     ____) | (__| (_| | | | |
        \/  \/   |_|    |_____/ \___|\__,_|_| |_|

    WordPress Security Scanner by the WPScan Team
                   Version 3.6.1
      Sponsored by Sucuri - https://sucuri.net
  @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

```
[+] URL: http://website.ru/
[+] Effective URL: https://website.ru/
[+] Started: Wed Jul 31 14:07:52 2019

Interesting Finding(s):

[+] https://website.ru/
 | Interesting Entries:
 | - server: nginx-reuseport/1.13.4
 | - x-powered-by: PHP/5.3.29
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://website.ru/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] https://website.ru/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 30%
 | References:
 | - http://codex.wordpress.org/XML-RPC_Pingback_API
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] This site has 'Must Use Plugins': http://website.ru/wp-content/mu-plugins/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 80%
 | Reference: http://codex.wordpress.org/Must_Use_Plugins

[+] WordPress version 4.9.10 identified (Latest, released on 2019-03-13).
 | Detected By: Emoji Settings (Passive Detection)
 | - https://website.ru/, Match: '-release.min.js?ver=4.9.10'
 | Confirmed By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
 | - https://website.ru/wp-includes/js/wp-embed.min.js?ver=4.9.10

[+] WordPress theme in use: pro-wordpress
 | Location: http://website.ru/wp-content/themes/pro-wordpress/
 | Readme: http://website.ru/wp-content/themes/pro-wordpress/readme.txt
 | Style URL: https://website.ru/wp-content/themes/pro-wordpress/style.css?v4
 |
 | Detected By: Css Style (Passive Detection)
 |
 | The version could not be determined.

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] all-in-one-seo-pack
 | Location: http://website.ru/wp-content/plugins/all-in-one-seo-pack/
 | Last Updated: 2019-06-15T15:57:00.000Z
 | [!] The version is out of date, the latest version is 3.1.1
 |
 | Detected By: Comment (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: All in One SEO Pack <= 2.9.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
 | Fixed in: 2.10
 | References:
 | - https://wpvulndb.com/vulnerabilities/9159
 | - https://www.ripstech.com/php-security-calendar-2018/#day-4
 | - https://wordpress.org/support/topic/a-critical-vulnerability-has-been-detected-in-this-plugin/
 | - https://semperfiwebdesign.com/all-in-one-seo-pack-release-history/
 |
 | Version: 2.7.3 (100% confidence)
 | Detected By: Comment (Passive Detection)
 | - https://website.ru/, Match: 'All in One SEO Pack 2.7.3 by'
 | Confirmed By: Readme - Stable Tag (Aggressive Detection)
 | - http://website.ru/wp-content/plugins/all-in-one-seo-pack/readme.txt

[+] contact-form-7
 | Location: http://website.ru/wp-content/plugins/contact-form-7/
 | Last Updated: 2019-05-19T16:15:00.000Z
 | [!] The version is out of date, the latest version is 5.1.3
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
 | Fixed in: 5.0.4
 | References:
 | - https://wpvulndb.com/vulnerabilities/9127
 | - https://contactform7.com/2018/09/04/contact-form-7-504/
 | - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7
 | - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7
 | - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7
 | - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7
 | - https://www.ripstech.com/php-security-calendar-2018/#day-18
 |
 | Version: 4.7 (100% confidence)
 | Detected By: Query Parameter (Passive Detection)
 | - https://website.ru/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.7
 | - https://website.ru/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.7
 | Confirmed By:
 | Readme - Stable Tag (Aggressive Detection)
 | - http://website.ru/wp-content/plugins/contact-form-7/readme.txt
 | Readme - ChangeLog Section (Aggressive Detection)
 | - http://website.ru/wp-content/plugins/contact-form-7/readme.txt

[+] easy-fancybox
 | Location: http://website.ru/wp-content/plugins/easy-fancybox/
 | Last Updated: 2019-06-20T08:46:00.000Z
 | [!] The version is out of date, the latest version is 1.8.17
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.8.6 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 | - http://website.ru/wp-content/plugins/easy-fancybox/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 | - http://website.ru/wp-content/plugins/easy-fancybox/readme.txt

[+] wp-postratings
 | Location: http://website.ru/wp-content/plugins/wp-postratings/
 | Last Updated: 2018-12-26T10:15:00.000Z
 | [!] The version is out of date, the latest version is 1.86.2
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.85 (100% confidence)
 | Detected By: Query Parameter (Passive Detection)
 | - https://website.ru/wp-content/plugins/wp-postratings/css/postratings-css.css?ver=1.85
 | - https://website.ru/wp-content/plugins/wp-postratings/js/postratings-js.js?ver=1.85
 | Confirmed By: Readme - Stable Tag (Aggressive Detection)
 | - http://website.ru/wp-content/plugins/wp-postratings/readme.txt

[+] wp-super-cache
 | Location: http://website.ru/wp-content/plugins/wp-super-cache/
 | Last Updated: 2019-07-25T12:32:00.000Z
 | [!] The version is out of date, the latest version is 1.6.9
 |
 | Detected By: Comment (Passive Detection)
 |
 | Version: 1.6.4 (80% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 | - http://website.ru/wp-content/plugins/wp-super-cache/readme.txt

[+] wp-syntax
 | Location: http://website.ru/wp-content/plugins/wp-syntax/
 | Latest Version: 1.1 (up to date)
 | Last Updated: 2016-12-14T19:07:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1 (100% confidence)
 | Detected By: Query Parameter (Passive Detection)
 | - https://website.ru/wp-content/plugins/wp-syntax/css/wp-syntax.css?ver=1.1
 | - https://website.ru/wp-content/plugins/wp-syntax/js/wp-syntax.js?ver=1.1
 | Confirmed By:
 | Readme - Stable Tag (Aggressive Detection)
 | - http://website.ru/wp-content/plugins/wp-syntax/README.txt
 | Readme - ChangeLog Section (Aggressive Detection)
 | - http://website.ru/wp-content/plugins/wp-syntax/README.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:03 <==============================================================> (21 / 21) 100.00% Time: 00:00:03
[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
Error: Unknown response received Code: 405
Body: 405 Not Allowed
405 Not Allowed
nginx-reuseport/1.13.4
Error: Unknown response received Code: 405
Body: 405 Not Allowed
405 Not Allowed
nginx-reuseport/1.13.4
Error: Unknown response received Code: 405
Body: 405 Not Allowed
405 Not Allowed
nginx-reuseport/1.13.4
Trying konstantin / Time: 00:00:00 <======================================================================> (4 / 4) 100.00% Time: 00:00:00
Error: Unknown response received Code: 405
Body: 405 Not Allowed
405 Not Allowed
nginx-reuseport/1.13.4

[i] No Valid Passwords Found.

[+] Finished: Wed Jul 31 14:08:06 2019
[+] Requests Done: 25
[+] Cached Requests: 54
[+] Data Sent: 4.154 KB
[+] Data Received: 47.758 KB
[+] Memory used: 205.176 MB
[+] Elapsed time: 00:00:14
```

erwanlr commented 5 years ago

Would you be able to share your blog URL for investigation (team at wpscan dot org)? It seems like the wp-login.php is considered as a static file by the remote server, hence the response 405. Or if you are using a proxy, it may be interfering in the process somehow.

phpner commented 5 years ago

REDACTED -u login -P password

I tried another website where WordPress 4.9.10 is installed (I have access there); the password was found.

I'm just going to test brute-forcing a website with 10 million passwords, and it would be great to know it works well on WordPress 4.2.

erwanlr commented 5 years ago

Thx, found the issue: The Referer header is needed in the POST requests. I will issue a fix later today.

In the meantime, use the --headers option and set it to the blog you are testing. For example:

```
wpscan --url http://REDACTED -U admin-2 -P pwds.txt --headers 'Referer: http://REDACTED/'
```

phpner commented 5 years ago

WOW! It works! Thx a lot!

erwanlr commented 5 years ago

v3.6.2 has just been released to fix this issue
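
A defender's view of the Referer behaviour diagnosed in this thread, as an added example that is not from the thread or from WPScan: it counts POSTs to `/wp-login.php` in nginx access logs whose Referer is missing or off-site. The host `blog.example`, the log lines and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines (hypothetical host blog.example, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Jul/2019:20:05:38 +0000] "POST /wp-login.php HTTP/1.1" 405 173 "-" "ua-a"',
    '198.51.100.7 - - [30/Jul/2019:20:05:38 +0000] "POST /wp-login.php HTTP/1.1" 405 173 "-" "ua-a"',
    '198.51.100.7 - - [30/Jul/2019:20:05:39 +0000] "POST /wp-login.php HTTP/1.1" 405 173 "-" "ua-a"',
    '192.0.2.10 - - [30/Jul/2019:20:06:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2870 "-" "ua-b"',
    '192.0.2.10 - - [30/Jul/2019:20:06:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"https://blog.example/wp-login.php" "ua-b"',
    '203.0.113.5 - - [30/Jul/2019:20:07:12 +0000] "POST /wp-login.php HTTP/1.1" 405 173 '
    '"http://other.example/" "ua-c"',
]


def referer_state(referer, site_host):
    """Classify a logged Referer as 'missing', 'same-site' or 'off-site'."""
    if referer in ("", "-"):
        return "missing"
    host = (urlsplit(referer).hostname or "").lower()
    return "same-site" if host == site_host.lower() else "off-site"


def suspicious_login_posts(lines, site_host, threshold=3):
    """Return {ip: count} for clients with at least `threshold` POSTs to
    /wp-login.php whose Referer is missing or off-site."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if urlsplit(m["path"]).path != "/wp-login.php":
            continue
        if referer_state(m["referer"], site_host) != "same-site":
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(suspicious_login_posts(SAMPLE_LOG, "blog.example"))
```

Any client can set the header, as the `--headers` workaround above shows, so treat a Referer check as one signal and pair it with rate limiting on the login endpoint.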