wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

wpstools does nothing? #793

Closed phryneas closed 9 years ago

phryneas commented 9 years ago

Hi, either I'm reading the documentation wrong or wpstools currently does nothing?

I'm running it like this:

# ruby wpstools.rb --clvf /var/www/vhosts/known-vulnerable.site/httpdocs/
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.7
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] Generating local hashes ... done.
[+] Checking for vulnerable files ...
done.

Running wpscan on the same site from outside works fine:

 ruby wpscan.rb --url www.known-vulnerable.site

[+] URL: http://www.known-vulnerable.site/
[+] Started: Thu Apr  2 11:56:54 2015

[+] robots.txt available under: 'http://www.known-vulnerable.site/robots.txt'
[!] The WordPress 'http://www.known-vulnerable.site/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-POWERED-BY: PleskLin
[+] XML-RPC Interface available under: http://www.known-vulnerable.site/xmlrpc.php
[i] This may allow the GHOST vulnerability to be exploited, please see: https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner

[+] WordPress version 3.9.2 identified from advanced fingerprinting
[!] 6 vulnerabilities identified from the version number

[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
    Reference: https://wpvulndb.com/vulnerabilities/7531
    Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
    Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5868
[i] Fixed in: 4.0

[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7680
    Reference: http://klikki.fi/adv/wordpress.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: http://klikki.fi/adv/wordpress_update.html
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9031
[i] Fixed in: 4.0

[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
    Reference: https://wpvulndb.com/vulnerabilities/7681
    Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034
    Reference: http://osvdb.org/114857
    Reference: http://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
    Reference: http://www.exploit-db.com/exploits/35413/
    Reference: http://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1

[!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
    Reference: https://wpvulndb.com/vulnerabilities/7697
    Reference: https://core.trac.wordpress.org/changeset/30422
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9032
[i] Fixed in: 4.0.1

[+] Enumerating plugins from passive detection ...
 | 4 plugins found:

[+] Name: contact-form-7 - v3.9.1
 |  Location: http://www.known-vulnerable.site/wp-content/plugins/contact-form-7/
 |  Readme: http://www.known-vulnerable.site/wp-content/plugins/contact-form-7/readme.txt

[+] Name: wp-slimbox2 - v1.1.3.1
 |  Location: http://www.known-vulnerable.site/wp-content/plugins/wp-slimbox2/
 |  Readme: http://www.known-vulnerable.site/wp-content/plugins/wp-slimbox2/readme.txt

[+] Name: w3-total-cache - v0.9.4
 |  Location: http://www.known-vulnerable.site/wp-content/plugins/w3-total-cache/
 |  Readme: http://www.known-vulnerable.site/wp-content/plugins/w3-total-cache/readme.txt
 |  Changelog: http://www.known-vulnerable.site/wp-content/plugins/w3-total-cache/changelog.txt

[!] Title: W3 Total Cache 0.9.4 - Edge Mode Enabling CSRF
    Reference: https://wpvulndb.com/vulnerabilities/7621
    Reference: http://seclists.org/fulldisclosure/2014/Sep/29
    Reference: http://osvdb.org/111231
[i] Fixed in: 0.9.4.1

[!] Title: W3 Total Cache <= 0.9.4 - Cross-Site Request Forgery (CSRF)
    Reference: https://wpvulndb.com/vulnerabilities/7717
    Reference: http://mazinahmed1.blogspot.com/2014/12/w3-total-caches-w3totalfail.html
[i] Fixed in: 0.9.4.1

[!] Title: W3 Total Cache <= 0.9.4 - Debug Mode XSS
    Reference: https://wpvulndb.com/vulnerabilities/7718
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8724
[i] Fixed in: 0.9.4.1

[+] Name: wordpress-seo - v1.7.4
 |  Location: http://www.known-vulnerable.site/wp-content/plugins/wordpress-seo/
 |  Readme: http://www.known-vulnerable.site/wp-content/plugins/wordpress-seo/readme.txt
 |  Changelog: http://www.known-vulnerable.site/wp-content/plugins/wordpress-seo/changelog.txt

[+] Finished: Thu Apr  2 11:57:12 2015
[+] Requests Done: 113
[+] Memory used: 8.156 MB
[+] Elapsed time: 00:00:17

Is there any undocumented step I'm missing? (and yes, I did the wpscan --update before running wpstools - maybe add that step to the readme?)

I tried running ruby wpstools.rb --cvru in case that does some internal database update, but that seems to fail halfway through with a load of 404s.

 ruby wpstools.rb --cvru

[+] Checking vulnerabilities reference urls
  [+] Checking ~/scripts/vulnerability-scanner/wpscan/data/plugin_vulns.json 1096 total ... 100% complete.
    Not Found http://codevigilant.com/disclosure/wp-plugin-all-video-gallery-a1-injection
    Not Found https://vexatioustendencies.com/wordfence-v5-2-3-2-stored-xss-insufficient-logging-throttle-bypass-exploit-detection-bypass/
    Not Found https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-2/
    Not Found http://codevigilant.com/disclosure/wp-plugin-videowhisper-live-streaming-integration-a3-cross-site-scripting-xss/
    Not Found http://www.securityfocus.com/bid/53893
    Not Found http://www.securityfocus.com/bid/56691
    Not Found http://www.securityfocus.com/bid/53551
    Not Found http://www.securityfocus.com/bid/53525
    Not Found https://vexatioustendencies.com/csrf-in-disqus-wordpress-plugin-v2-77/
    Not Found http://www.securityfocus.com/bid/60433
    Not Found http://codevigilant.com/disclosure/wp-plugin-videowhisper-video-presentation-a3-cross-site-scripting-xss/
    Not Found https://vexatioustendencies.com/stored-xss-in-wp-photo-album-plus-5-4-5/
    Not Found https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-1/
    Not Found http://www.securityfocus.com/bid/62784
    Not Found http://www.securityfocus.com/bid/68512
    Not Found http://www.securityfocus.com/bid/66529
    Not Found http://www.securityfocus.com/bid/64680
    Not Found http://www.securityfocus.com/bid/64713
    Not Found http://www.securityfocus.com/bid/68312
    Not Found http://www.securityfocus.com/bid/66306
    Not Found http://www.securityfocus.com/bid/66999
    Not Found http://www.securityfocus.com/bid/67083
    Not Found http://codevigilant.com/disclosure/wp-plugin-wp-football-a3-cross-site-scripting-xss/
    Not Found http://codevigilant.com/disclosure/wp-plugin-verification-code-for-comments-a3-cross-site-scripting-xss
    Not Found http://codevigilant.com/disclosure/wp-plugin-yahoo-updates-for-wordpress-a3-cross-site-scripting-xss/
    Not Found http://www.securityfocus.com/bid/67628
    Not Found http://codevigilant.com/disclosure/wp-plugin-toolpage-a3-cross-site-scripting-xss/
    Not Found http://codevigilant.com/disclosure/wp-plugin-validated-a3-cross-site-scripting-xss/
    Not Found http://codevigilant.com/disclosure/wp-plugin-url-cloak-encrypt-a3-cross-site-scripting-xss/
    Not Found http://codevigilant.com/disclosure/wp-plugin-your-text-manager-a3-cross-site-scripting-xss/
    Not Found http://www.securityfocus.com/bid/68320
    Not Found http://codevigilant.com/disclosure/wp-plugin-verweise-wordpress-twitter-a3-cross-site-scripting-xss/
    Not Found http://codevigilant.com/disclosure/wp-plugin-wp-rss-poster-a1-injection/
    Not Found http://codevigilant.com/disclosure/wp-plugin-enl-newsletter-a1-injection/
    Not Found http://codevigilant.com/disclosure/wp-plugin-tera-chart-local-file-inclusion/
    Not Found http://codevigilant.com/disclosure/wp-plugin-bookx-local-file-inclusion/
    Not Found http://codevigilant.com/disclosure/wp-plugin-hdw-player-video-player-video-gallery-a1-injection/
    Not Found http://codevigilant.com/disclosure/wp-plugin-yawpp-a1-injection/
    Not Found http://codevigilant.com/disclosure/wp-plugin-wu-rating-a3-cross-site-scripting-xss
    Not Found http://codevigilant.com/disclosure/wp-plugin-quartz-a1-injection/
    Not Found http://codevigilant.com/disclosure/wp-plugin-tom-m8te-local-file-inclusion/
    Not Found http://codevigilant.com/disclosure/wp-plugin-alipay-a3-cross-site-scripting-xss/
    Not Found http://codevigilant.com/disclosure/wp-plugin-cbi-referral-manager-a3-cross-site-scripting-xss/
    Not Found http://codevigilant.com/disclosure/wp-plugin-vn-calendar-a3-cross-site-scripting-xss/
    Not Found http://wpdatatables.com/wpdatatables-1-5-4/
  [+] Checking ~/scripts/vulnerability-scanner/wpscan/data/theme_vulns.json 170 total ... 100% complete.
    Not Found http://www.securityfocus.com/bid/56745
    Not Found http://www.compuhowto.com/security/lfi-in-wordpress-theme-churchope/
  [+] Checking ~/scripts/vulnerability-scanner/wpscan/data/wp_vulns.json 71 total ... 100% complete.
    Not Found http://www.securityfocus.com/bid/22797

ethicalhack3r commented 9 years ago

Are you running

ruby wpstools.rb --clvf /var/www/vhosts/known-vulnerable.site/httpdocs/

on the server the WordPress is installed on? i.e. you've installed wpscan on that server and are running it on it, not running it over the Internet.

ruby wpstools.rb --cvru Check all the vulnerabilities reference urls for 404

^ this is to check our vulnerability database reference URLs for 404's. This should only really be needed by devs.

There is documentation available on wpscan.org and in the README.md file:

-v, --verbose                                                Verbose output
    --check-vuln-ref-urls, --cvru                            Check all the vulnerabilities reference urls for 404
    --check-local-vulnerable-files, --clvf LOCAL_DIRECTORY   Perform a recursive scan in the LOCAL_DIRECTORY to find vulnerable files or shells
-s, --stats                                                  Show WpScan Database statistics.
    --spellcheck, --sc                                       Check all files for common spelling mistakes.

Also see wpstools.rb CLI output when run with no arguments.

$ ./wpstools.rb 

[ERROR] No option supplied

Usage: ./wpstools.rb [options]

    -v, --verbose                                                Verbose output
        --check-vuln-ref-urls, --cvru                            Check all the vulnerabilities reference urls for 404
        --check-local-vulnerable-files, --clvf LOCAL_DIRECTORY   Perform a recursive scan in the LOCAL_DIRECTORY to find vulnerable files or shells
    -s, --stats                                                  Show WpScan Database statistics.
        --spellcheck, --sc                                       Check all files for common spelling mistakes.

erwanlr commented 9 years ago

The files checked can be found here: https://wpvulndb.com/data/local_vulnerable_files.xml

Don't expect this scan (./wpstools --clvf) to find what is found with the usual scan, given that the local vulnerable db is no longer maintained.

phryneas commented 9 years ago

@ethicalhack3r yup, running it from the server

@erwanlr Oh, so it is only scanning for a small subset?

Well, definitely wasn't expecting that - I would have expected a more thorough test, running it non-blackbox. Could this be added to the documentation? It seems quite counter-intuitive.

Seems I'm back to pyfiscan & freewvs for automated reports from server-side. But nonetheless, this is a great tool for a blackbox check, thank you for your work!

ethicalhack3r commented 9 years ago

We could probably move --check-vuln-ref-urls to wpvulndb.

Deprecate --check-local-vulnerable-files.

Remove --spellcheck as it isn't greatly useful.

--stats are already on wpvulndb - https://wpvulndb.com/statistics

Then get rid of wpstools?

firefart commented 9 years ago

:+1: @ethicalhack3r

ethicalhack3r commented 9 years ago

@erwanlr what do you reckon? Remove wpstools?

erwanlr commented 9 years ago

Yea, remove it :)

firefart commented 9 years ago

Just for the record: I wrote a task on wpvulndb.com to daily check all references. Current problem: Packetstorm links are timing out :( rest works as intended
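
The reference check that --cvru performs (described by ethicalhack3r above) and the timeout problem firefart mentions come down to one design point: a link that times out must be reported separately from one that returns 404, or a flaky host looks like a dead reference. The following is an added example written for this page, not the wpscan or wpvulndb code; the vulnerability entries and the stub outcomes are constructed, and the schema of data/plugin_vulns.json is not reproduced beyond a title and a list of reference URLs.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Constructed sample in the spirit of data/plugin_vulns.json; the real
# file's schema is not reproduced, only a title plus reference URLs.
SAMPLE_VULNS = [
  { 'title' => 'Example Plugin <= 1.0 - XSS (constructed)',
    'references' => ['https://example.com/adv/1', 'https://example.com/missing'] },
  { 'title' => 'Example Plugin <= 1.1 - CSRF (constructed)',
    'references' => ['https://example.com/slow', 'https://example.com/broken'] },
].freeze

# Live fetcher: HEAD with short timeouts, one redirect hop followed.
# Returns an HTTP status code as a string, or a symbol for non-HTTP outcomes.
def http_status(url, hops = 1)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.open_timeout = 5
  http.read_timeout = 5
  resp = http.request_head(uri.request_uri)
  if resp.is_a?(Net::HTTPRedirection) && hops > 0 && resp['location']
    return http_status(URI.join(url, resp['location']).to_s, hops - 1)
  end
  resp.code
rescue Net::OpenTimeout, Net::ReadTimeout
  :timeout
rescue SocketError, SystemCallError, OpenSSL::SSL::SSLError
  :unreachable
end

# Offline stub standing in for the live fetcher (constructed outcomes),
# so the example runs without network access.
STUB_OUTCOMES = {
  'https://example.com/adv/1'   => '200',
  'https://example.com/missing' => '404',
  'https://example.com/slow'    => :timeout,
  'https://example.com/broken'  => '500',
}.freeze
STUB_FETCHER = ->(url) { STUB_OUTCOMES.fetch(url, :unreachable) }

# Bucket every reference by outcome. Timeouts and connection failures
# are kept apart from 404/410 so a slow host is not filed as a dead link.
def check_references(vulns, fetcher: method(:http_status))
  report = { not_found: [], timeout: [], unreachable: [], other: [], ok: [] }
  vulns.each do |v|
    Array(v['references']).each do |url|
      status = fetcher.call(url)
      bucket = case status
               when '404', '410'   then :not_found
               when :timeout       then :timeout
               when :unreachable   then :unreachable
               when /\A[23]\d\d\z/ then :ok
               else                     :other
               end
      report[bucket] << { title: v['title'], url: url, status: status }
    end
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  # Pass no fetcher to run against the network; the stub keeps this offline.
  check_references(SAMPLE_VULNS, fetcher: STUB_FETCHER).each do |bucket, entries|
    entries.each { |e| puts "#{bucket}: #{e[:url]} (#{e[:status]})" }
  end
end
```

A daily job built on this would only delete or flag a reference from the not_found bucket, and retry the timeout and unreachable buckets on a later run rather than acting on them.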