1. Introduction

There are numerous tools available for checking the security of the WordPress Content Management System (CMS). The rest of this article focuses on the WPScan tool, which does a good job of scanning a WordPress installation and its plugins for known security vulnerabilities.

2. WPScan

WPScan is a WordPress security scanner which can identify known security weaknesses in WordPress installations. WPScan is written in Ruby and requires a few gems, namely typhoeus, xml-simple, mime-types, nokogiri and json. To install the dependencies we need to type in the following:

# gem install --user-install typhoeus
# gem install --user-install xml-simple
# gem install --user-install mime-types
# gem install --user-install nokogiri
# gem install --user-install json

The dependencies provide the functionality described next:

  • typhoeus: runs HTTP requests in parallel while cleanly encapsulating the handling logic.
  • xml-simple: a simple API for XML processing.
  • mime-types: identifies a file's likely MIME content type based on the file's extension.
  • nokogiri: an HTML, XML, SAX and Reader parser. It also provides a feature to search documents via XPath or CSS3 selectors.
  • json: provides JSON parsing logic.

To install WPScan we unpack the downloaded archive and change into the resulting directory:

# tar xvzf wpscanteam-wpscan-39d8cdd.tar.gz
# cd wpscanteam-wpscan-39d8cdd

If we're using BackTrack Linux version 5, WPScan is already installed and present in the directory /pentest/web/wpscan/.

The WPScan help page provides us with the following information:

# ruby wpscan.rb -h
____________________________________________________
 __          _______   _____
 \ \        / /  __ \ / ____|
  \ \  /\  / /| |__) | (___   ___  __ _ _ __
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
    \  /\  /  | |     ____) | (__| (_| | | | |
     \/  \/   |_|     |_____/ \___|\__,_|_| |_| v1.1r425

     WordPress Security Scanner by the WPScan Team
    Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

Help :

Some values are settable in conf/browser.conf.json :
user-agent, proxy, threads, cache timeout and request timeout

--update                            Update to the latest revision
--url | -u <target url>             The WordPress URL/domain to scan.
--force | -f                        Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)]        Enumeration.
  option :
    u         usernames from id 1 to 10
    u[10-20]  usernames from id 10 to 20 (you must write [] chars)
    p         plugins
    p!        only vulnerable plugins
    t         timthumbs
  Multiple values are allowed : '-e tp' will enumerate timthumbs and plugins
  If no option is supplied, the default is 'tup!'
--follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--wp-content-dir <wp content dir>   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
--wp-plugins-dir <wp plugins dir>   Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy                             Supply a proxy in the format host:port (will override the one from conf/browser.conf.json)
--wordlist | -w <wordlist>          Supply a wordlist for the password bruter and do the brute.
--threads | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
--username | -U <username>          Only brute force the supplied username.
--help | -h                         This help screen.
--verbose | -v                      Verbose output.

It is best to first run the --update command to make sure that we're using the latest revision of WPScan and its vulnerability data:

# ruby wpscan.rb --update

2.1. WPScan features

In this subsection we’ll describe the features of WPScan and the appropriate commands we need to run to invoke the desired functionality.

WordPress Confirmation

This is the default behaviour and is checked automatically whenever we run the wpscan.rb script: if the target website isn't running WordPress, there is no point in running a number of WordPress-specific tests against it. To disable this check we can use the --force option when running the wpscan.rb script, like this:

# ruby wpscan.rb --url resources.infosecinstitute.com --force

Username enumeration

We can enumerate users by using the following command:

# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate u --threads 1

| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 22:04:54 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Enumerating usernames ...
We found the following 10 username/s :
root
keatron
jack
ddalasta
Nick Valenteen
Dan Hestad
Tim Farley
kenneth
dinesh-mistry
Jeremy Martin

[+] Finished at Mon Aug 13 22:05:13 2012

WPScan found 10 usernames, namely: root, keatron, jack, ddalasta, Nick Valenteen, Dan Hestad, Tim Farley, kenneth, dinesh-mistry and Jeremy Martin.

Weak password cracking

The command used to check the usernames against a wordlist of passwords is as follows:

# echo "admin" >> passwords.txt
# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate u --wordlist passwords.txt --threads 50

| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 21:56:32 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Enumerating usernames ...
We found the following 10 username/s :
root
keatron
jack
ddalasta
Nick Valenteen
Dan Hestad
Tim Farley
kenneth
dinesh-mistry
Jeremy Martin

[+] Starting the password brute forcer
Brute forcing user 'Jeremy Martin' with 1 passwords... 100% complete..

[+] Finished at Mon Aug 13 21:57:01 2012

We can see that WPScan found the same 10 users (root, keatron, jack, ddalasta, Nick Valenteen, Dan Hestad, Tim Farley, kenneth, dinesh-mistry and Jeremy Martin) and tried to log in as each of them with the password admin that we previously saved in passwords.txt; this file is the input that lists the passwords to be checked. The scan finished without a successful login, which means that, as far as this wordlist is concerned, the WordPress installation has no weak passwords.
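Both scans above leave a characteristic trace in the web server's access log: a walk over /?author=1, /?author=2, ... (which is how the usernames are resolved) followed by a burst of POST requests to wp-login.php. The following Ruby script is an added example, not part of WPScan or of the original article; it flags both patterns in Apache combined-format log lines. The log lines, the client addresses and the thresholds (AUTHOR_ID_THRESHOLD, LOGIN_THRESHOLD, LOGIN_WINDOW) are constructed and chosen for the example.

```ruby
# Added example (not WPScan code): detect author-ID enumeration and
# wp-login.php password guessing in Apache "combined" access-log lines.
# Every log line below is constructed for this example.
require 'time'
require 'set'

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Thresholds are assumptions chosen for this example, not values from WPScan.
AUTHOR_ID_THRESHOLD = 5   # distinct ?author=N values seen from one client
LOGIN_THRESHOLD     = 10  # POSTs to /wp-login.php from one client ...
LOGIN_WINDOW        = 60  # ... within this many seconds

Event = Struct.new(:ip, :time, :method, :path, :status)

def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  Event.new(m[:ip], Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
            m[:method], m[:path], m[:status].to_i)
end

# WordPress answers /?author=N with a redirect to /author/<username>/,
# which is what the "-e u" enumeration relies on.
def author_id(path)
  m = /[?&]author=(\d+)/.match(path)
  m && m[1].to_i
end

# True when some LOGIN_WINDOW-second span holds at least LOGIN_THRESHOLD timestamps.
def burst?(times)
  sorted = times.sort
  sorted.each_index.any? do |i|
    j = i + LOGIN_THRESHOLD - 1
    j < sorted.size && sorted[j] - sorted[i] <= LOGIN_WINDOW
  end
end

# Returns [kind, client ip, request count] triples for every client that trips a rule.
def detect(log_text)
  author_ids  = Hash.new { |h, k| h[k] = Set.new }
  login_posts = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    ev = parse_line(line)
    next unless ev
    id = author_id(ev.path)
    author_ids[ev.ip] << id if id
    login_posts[ev.ip] << ev.time if ev.method == 'POST' && ev.path.start_with?('/wp-login.php')
  end
  alerts = []
  author_ids.each  { |ip, ids| alerts << [:author_enumeration, ip, ids.size] if ids.size >= AUTHOR_ID_THRESHOLD }
  login_posts.each { |ip, ts|  alerts << [:login_bruteforce, ip, ts.size]    if burst?(ts) }
  alerts
end

# Constructed sample: one client walks author IDs 1..10 and then posts ten login
# attempts in ten seconds; a second client behaves like an ordinary visitor.
def log_line(ip, hhmmss, request, status)
  %(#{ip} - - [13/Aug/2012:#{hhmmss} +0000] "#{request}" #{status} 0 "-" "Mozilla/5.0")
end

def sample_log
  lines = (1..10).map { |n| log_line('203.0.113.7', format('22:04:%02d', 44 + n), "GET /?author=#{n} HTTP/1.1", 301) }
  lines += (0..9).map { |s| log_line('203.0.113.7', format('22:05:%02d', s), 'POST /wp-login.php HTTP/1.1', 200) }
  lines << log_line('198.51.100.2', '22:06:10', 'GET /?author=1 HTTP/1.1', 301)
  lines << log_line('198.51.100.2', '22:06:11', 'GET /author/root/ HTTP/1.1', 200)
  lines << log_line('198.51.100.2', '22:06:30', 'POST /wp-login.php HTTP/1.1', 302)
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  detect(sample_log).each { |kind, ip, n| puts "#{kind}: #{ip} (#{n} requests)" }
end
```

Run against a real log the script reports only 203.0.113.7 for the sample, because the ordinary visitor touches a single author ID and posts the login form once. The sliding window in burst? matters: ten login POSTs spread over a working day are normal editorial activity, ten in a minute are not.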

Version enumeration

The command used to enumerate the version number of a WordPress installation is:

# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate v --threads 1

| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 22:06:44 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Finished at Mon Aug 13 22:06:55 2012

The scan completed and found WordPress version 3.4.1.

Plugin enumeration

The command that can identify the presence or absence of WordPress plugins is presented here:

# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate p --threads 50

| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 22:10:22 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Enumerating installed plugins ...
Checking for 2864 total plugins... 100% complete.

[+] We found 7 plugins:
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Directory listing enabled? Yes.
| Name: syntaxhighlighter
| Location: http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
| Directory listing enabled? Yes.
| Name: searchterms-tagging-2
| Location: http://resources.infosecinstitute.com/wp-content/plugins/searchterms-tagging-2/
| Directory listing enabled? Yes.
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: http://resources.infosecinstitute.com/wp-content/plugins/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Directory listing enabled? Yes.
| Name: wp-super-cache
| Location: http://resources.infosecinstitute.com/wp-content/plugins/wp-super-cache/
| Directory listing enabled? Yes.
| Name: syntaxhighlighter
| Location: http://resources.infosecinstitute.com/wp-content/plugins/syntaxhighlighter/
| Directory listing enabled? Yes.
| Name: redirection
| Location: http://resources.infosecinstitute.com/wp-content/plugins/redirection/
| Directory listing enabled? Yes.

[+] Finished at Mon Aug 13 22:22:55 2012

Although WPScan reports 7 plugins, two of them (the ones found by passive detection under the $wp-plugins$ placeholder path) are listed a second time under their real wp-content/plugins/ location, so WPScan actually found 5 different plugins, namely upprev-nytimes-style-next-post-jquery-animated-fly-in-button, syntaxhighlighter, searchterms-tagging-2, wp-super-cache and redirection. Every one of them has directory listing enabled, which lets anyone browse the plugin's files and read off its exact version.
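Reading duplicates out of the report by hand is error-prone once there are dozens of plugins. The following Ruby script is an added example, not part of WPScan or of the original article; it parses the report format WPScan 1.1 prints (the "[!]", "[+]", "| Name:", "| Location:" and "| Directory listing enabled?" lines shown above) into a structure keyed by plugin name, so that one plugin reported under two locations counts once. SAMPLE_REPORT is constructed to mirror the article's plugin-enumeration output, with the last entry changed to "No." so the directory-listing filter has something to exclude.

```ruby
# Added example (not WPScan code): parse WPScan 1.1 report text and
# deduplicate the plugin list. SAMPLE_REPORT is constructed for this example.

SAMPLE_REPORT = <<~'REPORT'
  | URL: http://resources.infosecinstitute.com
  | Started on Mon Aug 13 22:10:22 2012
  [!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
  [!] The WordPress 'http://resources.infosecinstitute.com/readme.html' file exists
  [!] Full Path Disclosure (FPD) in 'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
  [!] WordPress version 3.4.1 identified from meta generator
  [+] Enumerating plugins from passive detection ... 2 found :
  | Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
  | Location: http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
  | Name: syntaxhighlighter
  | Location: http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
  [+] Enumerating installed plugins ...
  [+] We found 7 plugins:
  | Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
  | Location: http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
  | Directory listing enabled? Yes.
  | Name: syntaxhighlighter
  | Location: http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/
  | Directory listing enabled? Yes.
  | Name: searchterms-tagging-2
  | Location: http://resources.infosecinstitute.com/wp-content/plugins/searchterms-tagging-2/
  | Directory listing enabled? Yes.
  | Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
  | Location: http://resources.infosecinstitute.com/wp-content/plugins/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
  | Directory listing enabled? Yes.
  | Name: wp-super-cache
  | Location: http://resources.infosecinstitute.com/wp-content/plugins/wp-super-cache/
  | Directory listing enabled? Yes.
  | Name: syntaxhighlighter
  | Location: http://resources.infosecinstitute.com/wp-content/plugins/syntaxhighlighter/
  | Directory listing enabled? Yes.
  | Name: redirection
  | Location: http://resources.infosecinstitute.com/wp-content/plugins/redirection/
  | Directory listing enabled? No.
  [+] Finished at Mon Aug 13 22:22:55 2012
REPORT

# Walks the report line by line; "| Name:" opens a plugin record and the
# following "| Location:" / "| Directory listing" lines attach to it.
def parse_report(text)
  report = { url: nil, version: nil, theme: nil, warnings: [], plugins: {} }
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A\| URL: (\S+)\z/))
      report[:url] = m[1]
    elsif (m = line.match(/\A\[!\] (.*)\z/))
      msg = m[1]
      report[:warnings] << msg
      report[:version] ||= msg[/WordPress version (\S+)/, 1]
      report[:theme]   ||= msg[/theme in use is (.+)\z/, 1]
    elsif (m = line.match(/\A\| Name: (\S+)\z/))
      current = (report[:plugins][m[1]] ||= { locations: [], directory_listing: false })
    elsif (m = line.match(/\A\| Location: (\S+)\z/)) && current
      current[:locations] << m[1] unless current[:locations].include?(m[1])
    elsif (m = line.match(/\A\| Directory listing enabled\? (Yes|No)\.\z/)) && current
      current[:directory_listing] = true if m[1] == 'Yes'
    end
  end
  report
end

def distinct_plugins(report)
  report[:plugins].keys.sort
end

def plugins_with_directory_listing(report)
  report[:plugins].select { |_, p| p[:directory_listing] }.keys.sort
end

def summary_lines(report)
  lines = ["#{report[:url]} runs WordPress #{report[:version]} (theme: #{report[:theme]})"]
  lines << "#{report[:warnings].size} warnings, #{distinct_plugins(report).size} distinct plugins"
  lines << "directory listing on: #{plugins_with_directory_listing(report).join(', ')}"
end

if __FILE__ == $PROGRAM_NAME
  puts summary_lines(parse_report(SAMPLE_REPORT))
end
```

Feed it the saved output of a real run (ruby wpscan.rb ... | tee report.txt) and the summary gives the defender's to-do list directly: the version to compare against the current release, and the plugin directories that need an index.php or a web-server rule to stop directory listing.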

  • Vulnerability enumeration
  • Plugin vulnerability enumeration

2.2. The Timthumb Vulnerability

WPScan also has an option to scan the entire wp-content directory for instances of outdated and insecure versions of the timthumb.php script. TimThumb loads images from a predefined set of remote websites, resizes them and serves them, with a caching mechanism so that WordPress doesn't have to constantly resize and re-serve the same images. The cache directory is accessible to normal visitors from the Internet: timthumb.php simply fetches a remote file and places it in a directory reachable over the World Wide Web. An attacker can persuade the WordPress installation to download a PHP shell into the DocumentRoot and then access it via a web browser. This effectively gives the attacker a web shell, which can be used to cause further damage to the system.

To check whether the timthumb.php in the WordPress installation is vulnerable we need to input the following command:

# ruby wpscan.rb --url resources.infosecinstitute.com --enumerate t --threads 50

| URL: http://resources.infosecinstitute.com
| Started on Mon Aug 13 22:32:07 2012

[!] The WordPress theme in use is Boulevard_theme/boulevard v1.0.2
[!] The WordPress 'http://resources.infosecinstitute.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://resources.infosecinstitute.com/wp-includes/rss-functions.php'
[!] WordPress version 3.4.1 identified from meta generator

[+] Enumerating plugins from passive detection ... 2 found :
| Name: upprev-nytimes-style-next-post-jquery-animated-fly-in-button
| Location: http://resources.infosecinstitute.com/$wp-plugins$/upprev-nytimes-style-next-post-jquery-animated-fly-in-button/
| Name: syntaxhighlighter
| Location: http://resources.infosecinstitute.com/$wp-plugins$/syntaxhighlighter/

[+] Enumerating timthumb files ...


Checking for 2419 total timthumb files... 100% complete.
No timthumb files found :(

[+] Finished at Mon Aug 13 22:42:07 2012

We can see that WPScan didn't find any timthumb files at all, so this WordPress installation is not exposed to the timthumb vulnerability.
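WPScan's "-e t" check works over HTTP and only finds copies at the paths in its list. When you administer the site yourself you can do better by walking the wp-content tree on disk. The following Ruby script is an added example, not part of WPScan or of the original article: it fingerprints TimThumb copies by the "TimThumb" header comment regardless of file name, reads the VERSION define and reports copies older than a baseline. MIN_SAFE_VERSION is an assumption chosen for the example; ALLOW_EXTERNAL is the define used by TimThumb 2.x to re-enable fetching from remote hosts. The fixture files are constructed in a temporary directory so the script runs offline.

```ruby
# Added example (not WPScan code): find TimThumb copies under a wp-content
# tree and report outdated or permissively configured ones.
require 'rubygems'
require 'find'
require 'fileutils'
require 'tmpdir'

# Baseline below which a copy is reported as outdated. Assumption for this
# example; set it from your own patch policy.
MIN_SAFE_VERSION = Gem::Version.new('2.0')

Finding = Struct.new(:path, :version, :status)

# Returns a Finding for a TimThumb copy, nil for any other PHP file.
def inspect_file(path)
  head = File.binread(path, 16_384)       # header comment and defines sit at the top
  return nil unless head =~ /timthumb/i
  version = head[/define\s*\(\s*'VERSION'\s*,\s*'([\d.]+)'\s*\)/i, 1]
  status =
    if version.nil?
      :unknown_version                    # cannot prove it is current: review by hand
    elsif Gem::Version.new(version) < MIN_SAFE_VERSION
      :outdated
    elsif head =~ /define\s*\(\s*'ALLOW_EXTERNAL'\s*,\s*true\s*\)/i
      :external_fetch_enabled             # remote sources switched back on
    else
      :ok
    end
  Finding.new(path, version, status)
end

def scan_tree(root)
  findings = []
  Find.find(root) do |p|
    next unless File.file?(p) && p.end_with?('.php')
    f = inspect_file(p)
    findings << f if f
  end
  findings.sort_by(&:path)
end

# Constructed fixture: an old copy, a current copy, a renamed copy with no
# version define, and an unrelated PHP file that must not be reported.
FIXTURE = {
  'themes/old-theme/timthumb.php'     => "<?php\n/* TimThumb script */\ndefine ('VERSION', '1.33');\n",
  'themes/new-theme/lib/timthumb.php' => "<?php\n// TimThumb\ndefine ('VERSION', '2.8.10');\ndefine ('ALLOW_EXTERNAL', FALSE);\n",
  'plugins/gallery/thumb.php'         => "<?php\n# renamed TimThumb copy with the VERSION define stripped\n",
  'plugins/gallery/gallery.php'       => "<?php\necho 'not a thumbnailer';\n",
}.freeze

def build_fixture(root)
  FIXTURE.each do |rel, body|
    full = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(full))
    File.write(full, body)
  end
end

# Builds the fixture in a temporary directory, scans it and returns
# [relative path, version, status] triples.
def demo
  Dir.mktmpdir('wp-content') do |root|
    build_fixture(root)
    scan_tree(root).map { |f| [f.path.delete_prefix("#{root}/"), f.version, f.status] }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |rel, ver, status| puts format('%-40s %-8s %s', rel, ver || '?', status) }
end
```

On a real installation call scan_tree('/var/www/html/wp-content') instead of demo. A copy with no VERSION define is deliberately reported rather than ignored: themes often ship TimThumb renamed and trimmed, and "unknown" is the finding a reviewer should look at first, not the one to drop.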

There is also a WordPress plugin called Timthumb Vulnerability Scanner, accessible at Timthumb, which does basically the same check from inside the WordPress installation.

2.3. Exploit Scanner

Another WordPress plugin, Exploit Scanner, is available to download and install. This plugin searches the files and the database of our WordPress installation for signs that it has been compromised by malicious attackers.

2.4. BlindElephant

BlindElephant is a program that can fingerprint CMS systems: it detects the CMS type and version and can also fingerprint plugins. The supported systems are Drupal, Joomla, Liferay, MediaWiki, Moodle, Movable Type, osCommerce, phpBB, phpMyAdmin, PHP-Nuke, SPIP, TikiWiki, TWiki and WordPress, so WordPress is among them. The command used to fingerprint a WordPress installation is the following:

# python BlindElephant.py resources.infosecinstitute.com wordpress

2.5. CMS Explorer

CMS Explorer does basically the same job as BlindElephant, but it can additionally look up the identified components for vulnerabilities on the OSVDB website. CMS Explorer supports only the following CMS systems: Drupal, WordPress, Joomla and Mambo. The command used to fingerprint a WordPress installation, including its plugins and themes, is the following:

# perl cms-explorer.pl -url resources.infosecinstitute.com -explore -type wordpress -plugins -themes

3. Conclusion

We've looked at WordPress enumeration and vulnerability-scanning techniques, and we've seen that the WPScan tool can be used to find most known vulnerabilities in a running WordPress installation. We need to make sure that we run the tool regularly, since new plugin and core vulnerabilities keep appearing, to be sure that our WordPress installation is still secure.