WPScan WordPress vulnerability scanning

The HTTP requests WPScan sends

Posted on | Categories: Technical articles

WPScan is a Ruby-based WordPress vulnerability scanner. This post does not cover installation; the focus is on which HTTP requests WPScan sends and what a site owner can learn from them.

Run the following command against this site:

ruby wpscan.rb --url https://blog.54zxy.com

The web server log then shows roughly the following:

 "GET / HTTP/1.1" 200
 "GET / HTTP/1.1" 200
    Not sure why it requests the homepage twice.
 "GET /wp-content/plugins HTTP/1.1" 301
    This checks whether your server allows directory listing.
 "GET /readme.html HTTP/1.1" 404
    Sniffs for the readme file to pull software/version information from it.
 "GET /wp-includes/rss-functions.php HTTP/1.1" 500
    This one is blunt: it requests a WordPress core file directly, and it even exposed a 500 error.
 "GET /wp-content/debug.log HTTP/1.1" 404
    This is pure luck: has some fool left a debug file behind?
 "GET /wp-config.php.swo HTTP/1.1" 404
 "GET /wp-config.original HTTP/1.1" 404
 "GET /wp-config.php.save HTTP/1.1" 404
 "GET /wp-config.php.swp HTTP/1.1" 404
 "GET /wp-config.php.original HTTP/1.1" 404
 "GET /wp-config.txt HTTP/1.1" 404
 "GET /wp-config.php.orig HTTP/1.1" 404
 "GET /wp-config.old HTTP/1.1" 404
 "GET /wp-config.bak HTTP/1.1" 404
 "GET /wp-config.save HTTP/1.1" 404
 "GET /wp-config.php.old HTTP/1.1" 404
 "GET /wp-config.php.bak HTTP/1.1" 404
 "GET /wp-config.php_bak HTTP/1.1" 404
 "GET /wp-config.php%7E HTTP/1.1" 404
 "GET /%23wp-config.php%23 HTTP/1.1" 404
 "GET /.wp-config.php.swp HTTP/1.1" 404
 "GET /wp-config.orig HTTP/1.1" 404
    Truly nasty: it probes every conceivable backup copy of the config file.
    If a developer edits it with something like vim and does not exit cleanly, the database password is leaked very easily.
 "HEAD / HTTP/1.1" 200
 "GET /wp-signup.php HTTP/1.1" 302
 "GET /wp-content/mu-plugins/ HTTP/1.1" 404
    Probes whether the site uses must-use plugins.
 "GET /wp-login.php?action=register HTTP/1.1" 302
 "GET /xmlrpc.php HTTP/1.1" 405 53
 "GET /wp-content/uploads/ HTTP/1.1" 403
    Tries to list the uploads directory. The server is usually configured not to show it.
 "GET /wp-includes/ HTTP/1.1" 403
 "GET /wp-includes/js/wp-api.min.js HTTP/1.1" 200
 "GET /wp-includes/css/buttons-rtl.css HTTP/1.1" 200
 "GET /wp-includes/css/editor.min.css HTTP/1.1" 200
 "GET /wp-includes/js/wp-emoji-loader.min.js HTTP/1.1" 200
 "GET /wp-includes/js/mediaelement/mediaelement-and-player.min.js HTTP/1.1" 200
 "GET /wp-includes/js/tinymce/wp-tinymce.js.gz HTTP/1.1" 200
 "GET /wp-admin/js/customize-nav-menus.min.js HTTP/1.1" 200
 "GET /wp-admin/js/customize-controls.js HTTP/1.1" 200
 "GET /wp-includes/js/customize-preview.js HTTP/1.1" 200
 "GET /wp-includes/js/plupload/plupload.js HTTP/1.1" 404
 "GET /wp-admin/js/common.js HTTP/1.1" 200
 "GET /wp-admin/js/wp-fullscreen.js HTTP/1.1" 404
 "GET /wp-includes/css/admin-bar.css HTTP/1.1" 200
 "GET /wp-content/themes/twentyten/style.css HTTP/1.1" 404
    This is pure dictionary guessing; I deleted the preinstalled themes long ago.
 "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 301
 "GET /wp-includes/js/wp-ajax-response.js HTTP/1.1" 200
 "GET /wp-includes/js/thickbox/thickbox.css HTTP/1.1" 200
 "GET /wp-includes/js/tinymce/plugins/wpeditimage/editor_plugin.js HTTP/1.1" 404
 "GET /wp-includes/js/tinymce/themes/advanced/js/image.js HTTP/1.1" 404
 "GET /wp-includes/js/tinymce/themes/advanced/js/link.js HTTP/1.1" 404
 "GET /wp-includes/js/wp-ajax.js HTTP/1.1" 404
 "GET /wp-content/themes/default/style.css HTTP/1.1" 404
 "GET /wp-layout.css HTTP/1.1" 404
 "GET /layout2b.css HTTP/1.1" 404
 "GET /feed/ HTTP/1.1" 200
 "GET /feed/rdf/ HTTP/1.1" 200
 "GET /feed/atom/ HTTP/1.1" 200
 "GET /readme.html HTTP/1.1" 404
 "GET /sitemap.xml HTTP/1.1" 301
 "GET /sitemap_index.xml HTTP/1.1" 200
    Harvests link information from the sitemap.
 "GET /wp-links-opml.php HTTP/1.1" 200
 "GET /wp-content/plugins/wp-super-cache/readme.txt HTTP/1.1" 301
 "GET /wp-content/plugins/wp-super-cache/README.txt HTTP/1.1" 301
 "GET /wp-content/plugins/wp-super-cache/Readme.txt HTTP/1.1" 301
 "GET /wp-content/plugins/wp-super-cache/ReadMe.txt HTTP/1.1" 301
 "GET /wp-content/plugins/wp-super-cache/README.TXT HTTP/1.1" 301
 "GET /wp-content/plugins/wp-super-cache/readme.TXT HTTP/1.1" 301
    Guesses every spelling of the readme text file your site might have.
 "GET /wp-content/plugins/wp-super-cache/changelog.txt HTTP/1.1" 301
 "GET /wp-content/plugins/wp-super-cache/ HTTP/1.1" 403
 "GET /wp-content/plugins/wp-super-cache/error_log HTTP/1.1" 301

Going through this list is quite useful for building basic security awareness. At the very least, WPScan can serve as a QA tool:
– Unnecessary readme and changelog files should all be removed from the site.
– Temporary files left by common editors (swp, bak and so on) must be removed from the site.
– Make sure directory listing is disabled on the web server.
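As an added example on the QA idea above (my own code, not part of the post or of WPScan), the script below parses access-log lines in the format shown, sorts each probe into the families the post annotates (config backups, stray logs, readme/changelog files, core PHP files, directory listing) and reports only the probes that did not come back 403 or 404, which are the ones that need cleanup. The probe families and the sample log lines are constructed here and are not from the blog's real log.

```python
import re
# Constructed sample in the format of the log lines in the post (not the blog's real log).
SAMPLE_LOG = """\
"GET /wp-content/plugins HTTP/1.1" 301
"GET /wp-includes/rss-functions.php HTTP/1.1" 500
"GET /wp-config.php.swp HTTP/1.1" 404
"GET /wp-config.php.bak HTTP/1.1" 200
"GET /wp-content/uploads/ HTTP/1.1" 403
"GET /wp-content/plugins/wp-super-cache/README.TXT HTTP/1.1" 301
"GET /wp-content/plugins/wp-super-cache/changelog.txt HTTP/1.1" 200
"""

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Probe families seen in the WPScan run above, most specific first (my own grouping).
PROBES = [
    ("config-backup", re.compile(r"wp-config", re.I)),                    # .swp, .bak, %7E, %23...%23
    ("stray-log", re.compile(r"/(debug\.log|error_log)$", re.I)),
    ("readme", re.compile(r"/(readme|changelog)(\.[a-z]+)?$", re.I)),    # any case, any extension
    ("core-php", re.compile(r"^/wp-includes/.*\.php$", re.I)),
    ("dir-listing", re.compile(r"^/wp-(content|includes)(/[^?.]*)?/?$", re.I)),  # directory, no file
]

# What a status code means for a probe; only "denied" and "absent" need no follow-up.
VERDICT = {"200": "exposed", "301": "exists", "302": "exists", "500": "error", "403": "denied", "404": "absent"}

def classify(path):
    """Return the probe family a request path belongs to, or None for ordinary traffic."""
    if path == "/wp-config.php":  # the live config file itself is not a backup probe
        return None
    for name, pattern in PROBES:
        if pattern.search(path):
            return name
    return None

def triage(log_text):
    """Parse log lines and group the probes that were not denied/absent by family."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        family = classify(m["path"])
        verdict = VERDICT.get(m["status"], "other")
        if family and verdict not in ("denied", "absent"):
            findings.setdefault(family, []).append((m["path"], verdict))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it the relevant lines of your own access log after a WPScan run; anything under config-backup or readme is a file to delete, and an "exists" under dir-listing means the redirect target should be checked for listing.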

WPScan of course has many other options, and different options produce different HTTP requests. Try more of them to learn the logic behind it systematically.

Link: WPScan online testing tool
