Updated WPScan Documentation (markdown)
Ryan Dewhurst
@@ -1,73 +0,0 @@
|
||||
# WPScan User Documentation - DRAFT - OUTDATED
|
||||
|
||||
## Introduction
|
||||
What WPScan is, where to find info...
|
||||
|
||||
### Main files
|
||||
|
||||
* wpscan.rb - Main file to run WPScan.
|
||||
* wpstools.rb - ...
|
||||
* generate_rdoc.sh - Generate the rdocs.
|
||||
* conf/browser.conf.json - Configuration file for WPScan.
|
||||
|
||||
## Information Gathering
|
||||
|
||||
### Find Common Files
|
||||
* readme.html - description
|
||||
* debug.log - description
|
||||
* error_log - description
|
||||
* robots.txt - description
|
||||
* changelog.txt - description
|
||||
|
||||
### Vulnerabilities
|
||||
* Full Path Disclosure (FPD) - https://github.com/wpscanteam/wpscan/blob/master/lib/wpscan/modules/wp_full_path_disclosure.rb
|
||||
* Directory Listing - what is it? how to remediate?
|
||||
|
||||
### WordPress Version
|
||||
* From Generator HTML meta tag
|
||||
* From RSS Feeds
|
||||
* From readme.html file
|
||||
* From advanced detection
|
||||
|
||||
### XML-RPC Detection
|
||||
What is it? why a problem? how to remediate?
|
||||
|
||||
### WordPress Folder Detection
|
||||
* plugins - description
|
||||
* wp-content - description
|
||||
|
||||
### Login Protection Detection
|
||||
https://github.com/wpscanteam/wpscan/blob/master/lib/wpscan/modules/wp_login_protection.rb
|
||||
|
||||
### Configuration File Backup
|
||||
https://github.com/wpscanteam/wpscan/blob/master/lib/wpscan/modules/wp_config_backup.rb
|
||||
|
||||
### Malware Detection
|
||||
https://github.com/wpscanteam/wpscan/blob/master/lib/wpscan/modules/malwares.rb
|
||||
|
||||
### Registration Enabled
|
||||
|
||||
### Multisite Enabled
|
||||
|
||||
## Enumeration
|
||||
|
||||
### Passive
|
||||
From HTML source code (https://github.com/wpscanteam/wpscan/blob/master/lib/wpscan/wp_detector.rb)
|
||||
|
||||
### Active
|
||||
From directory brute forcing
|
||||
|
||||
### Types
|
||||
|
||||
* Plugins - How?
|
||||
* Themes - How?
|
||||
* Users - How?
|
||||
* Timthumbs - what is timthumbs....
|
||||
|
||||
## Other features
|
||||
|
||||
### Login Bruteforce
|
||||
|
||||
How to use it?
|
||||
|
||||
https://github.com/wpscanteam/wpscan/blob/master/lib/wpscan/modules/brute_force.rb
|
||||
62
WPScan-User-Documentation.md
Normal file
62
WPScan-User-Documentation.md
Normal file
@@ -0,0 +1,62 @@
|
||||
# WPScan User Documentation
|
||||
|
||||
## Introduction
|
||||
|
||||
WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.
|
||||
|
||||
## Enumeration Modes
|
||||
|
||||
When enumerating the WordPress version, installed plugins or installed themes, you can use three different "modes", which are:
|
||||
|
||||
- passive
|
||||
- aggressive
|
||||
- mixed
|
||||
|
||||
If you want the most results use the "mixed" mode. However, if you are worried that the server may not be able to handle a large number of requests, use the "passive" mode. The default mode is "mixed", with the exception of plugin enumeration, which is "passive". You will need to manually override the plugin detection mode, if you want to use anything other than the default, with the "--plugins-detection" option.
|
||||
|
||||
## Enumeration Options
|
||||
|
||||
WPScan can enumerate various things from a remote WordPress applcation, such as plugins, themes, usernames, backed up files wp-config.php files, Timthumb files, database exports and more. To use WPScan's enumeration capabilities supply the `-e` option.
|
||||
|
||||
The following enumeration options exist:
|
||||
|
||||
- `vp` (Vulnerable plugins)
|
||||
- `ap` (All plugins)
|
||||
- `p` (Popular plugins)
|
||||
- `vt` (Vulnerable themes)
|
||||
- `at` (All themes)
|
||||
- `t` (Popular themes)
|
||||
- `tt` (Timthumbs)
|
||||
- `cb` (Config backups)
|
||||
- `dbe` (Db exports)
|
||||
- `u` (User IDs range. e.g: u1-5)
|
||||
- `m` (Media IDs range. e.g m1-15)
|
||||
|
||||
If no option is supplied to the `-e` flag, then the default will be: `vp,vt,tt,cb,dbe,u,m`
|
||||
|
||||
|
||||
## Cheat Sheet
|
||||
|
||||
Here we have put together a bunch of common commands that will help you get started quickly.
|
||||
|
||||
_Get your API token from [wpvulndb.com](https://wpvulndb.com/) if you also want the vulnerabilities associated with the detected plugin displaying._
|
||||
|
||||
- For all plugins with known vulnerabilities:
|
||||
|
||||
`wpscan --url example.com -e vp --plugins-detection mixed --api-token YOUR_TOKEN`
|
||||
|
||||
- For all plugins in our database (could take a very long time):
|
||||
|
||||
`wpscan --url example.com -e ap --plugins-detection mixed --api-token YOUR_TOKEN`
|
||||
|
||||
- Password brute force attack
|
||||
|
||||
`wpscan --url example.com -e u --passwords /path/to/password_file.txt`
|
||||
|
||||
## Bypassing Simple WAFs
|
||||
|
||||
To bypass some simple WAFs you can try the `--random-user-agent` option.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
If WPScan is not working as expected, you can use the `--proxy` option, and use a web proxy to inspect WPScan's HTTP requests, and the remote server's HTTP responses. This is useful when you do not know why you are getting false positives, or false negatives.
|
||||
Reference in New Issue
Block a user