My initial post about WPSeku covered v0.1.0. The author has since released an updated version, and this post summarises the changes made to the tool.
What is WPSeku?
WPSeku is a black-box WordPress vulnerability scanner that can be used to scan remote WordPress installations for security issues.
This appears to be a major code rewrite, and a few options have changed as well. The tool looks a lot more polished now. My sample scan returned the following results:
python wpseku.py -t http://external-target.com
__ ______ ____ _
\ \ / / _ \/ ___| ___| | ___ _
\ \ /\ / /| |_) \___ \ / _ \ |/ / | | |
\ V V / | __/ ___) | __/ <| |_| |
\_/\_/ |_| |____/ \___|_|\_\\__,_|
|| WPSeku - WordPress Security Scanner
|| Version 0.2.1
|| Momo Outaadi (M4ll0k)
|| https://github.com/m4ll0k/WPSeku
[+] Target: http://external-target.com
[+] Starting: 30/06/2017 13:14:11
[*] Checking sitemap...
[-] sitemap.xml not available
[*] Checking license...
[-] license.txt not available
[*] Checking robots...
[+] robots.txt available under: http://external-target.com/robots.txt
# http://www.external-target.com
#
User-agent: *
Allow: /wp-content/uploads
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
User-agent: Mediapartners-Google
Allow: /
User-agent: Adsbot-Google
Allow: /
User-agent: Googlebot-Image
Allow: /
User-agent: Googlebot-Mobile
Allow: /
Sitemap: http://www.external-target.com/sitemap_index.xml
[*] Checking crossdomain...
[+] crossdomain.xml available under: http://external-target.com/crossdomain.xml
[*] Checking readme...
[-] readme.html not available
[*] Checking .htaccess...
[-] .htaccess not available
[*] Checking xmlrpc...
[+] XML-RPC Interface available under: http://external-target.com/xmlrpc.php
[*] Checking Full Path Disclosure...
[-] Full Path Disclosure not available
[*] Checking wp-config...
[-] wp-config not available
[*] Checking wp-config-sample...
[-] wp-config-sample not available
[*] Checking wp-config backup...
[-] wp-config.php~ backup not available
[-] wp-config.backup backup not available
[-] wp-config.bck backup not available
[-] wp-config.old backup not available
[-] wp-config.save backup not available
[-] wp-config.bak backup not available
[-] wp-config.copy backup not available
[-] wp-config.tmp backup not available
[-] wp-config.txt backup not available
[-] wp-config.zip backup not available
[-] wp-config.db backup not available
[-] wp-config.dat backup not available
[-] wp-config.tar.gz backup not available
[-] wp-config.back backup not available
[-] wp-config.test backup not available
[-] wp-config.temp backup not available
[-] wp-config.orig backup not available
[*] Checking dir listing...
[-] dir /wp-admin not listing enabled
[-] dir /wp-includes not listing enabled
[-] dir /wp-content/uploads not listing enabled
[-] dir /wp-content/plugins not listing enabled
[-] dir /wp-content/themes not listing enabled
[*] Interesting headers...
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Fri, 30 Jun 2017 20:14:25 GMT
Last-Modified: Fri, 30 Jun 2017 20:14:25 GMT
Server: nginx/1.4.6 (Ubuntu)
Strict-Transport-Security: max-age=31536000; includeSubdomains
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.5.9-1ubuntu4.21
X-XSS-Protection: 1; mode=block
[*] Checking WAF...
[*] Checking wp-login protection...
[+] wp-login not detect protection
[*] Checking wordpress version...
[+] Running WordPress version: 4.8
| Not found vulnerabilities
[*] Enumeration themes...
| Name: canvas
| Theme Name: Canvas
| Theme URL: http://www.woothemes.com/
| Author: WooThemes
| Author URL: http://www.woothemes.com/
| Version: 5.9.17
| Style: http://external-target.com/wp-content/themes/canvas/style.css
| Changelog: http://external-target.com/wp-content/themes/canvas/changelog.txt
| License: http://external-target.com/wp-content/themes/canvas/license.txt
| Not found vulnerabilities
[*] Enumeration plugins...
| Name: social-warfare - 2.2.7
| Readme: http://external-target.com/wp-content/plugins/social-warfare/readme.txt
| Readme: http://external-target.com/wp-content/plugins/social-warfare/README.md
| Not found vulnerabilities
| Name: crayon-syntax-highlighter - None
| Readme: http://external-target.com/wp-content/plugins/crayon-syntax-highlighter/readme.txt
| Title: Crayon Syntax Highlighter <= 1.12 - Remote File Inclusion
| Reference: http://ceriksen.com/2012/10/15/wordpress-crayon-syntax-highlighter-remote-file-inclusion-vulnerability/
| Fixed in: 1.13
| Title: Crayon Syntax Highlighter <= 2.6.10 - Local File Disclosure
| Reference: http://www.kevinsubileau.fr/informatique/hacking-securite/crayon-syntax-highlighter-local-file-disclosure-vulnerability.html
| Fixed in: 2.7.0
| Title: Crayon Syntax Highlighter 2.0 - 2.6.10 - Defacement
| Reference: https://research.g0blin.co.uk/g0blin-00044/
| Fixed in: 2.7.0
[*] Enumeration usernames...
| Not found usernames
This version tries to do a lot. WPSeku obtains the WordPress version from the following resources:
- wp-links-opml.php
- feed
- /feed/atom
- /feed/rdf
- /comments/feed
- readme.html
- meta name="generator"
Based on the existence of related plugin directories, cookies and server response headers, WPSeku now also detects the following firewalls and security plugins:
- Wordfence Security
- BulletProof Security
- Sucuri Security
- Better WP Security
- Acunetix WP SecurityScan
- All In One WP Security & Firewall
- 6Scan Security
- CloudFlare
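The following is an added example (not WPSeku's code) of how that kind of detection can be expressed: header and cookie signatures on the home-page response, plus the status of a probe for each plugin directory. Every signature, slug and sample response below is an assumption constructed for this example, not WPSeku's own signature table. One check worth having that the post's output does not show is a baseline: a directory probe only counts as evidence when it answers differently from a directory that cannot exist, otherwise a host or WAF that returns 403 for everything "detects" every plugin.

```python
# Added example (not WPSeku's code): classify WAF / security-plugin protection
# from response headers, cookies and plugin-directory probes. All signatures,
# plugin slugs and sample data are assumptions made for this example.
import re

# (product, header name, regex applied to the header value) -- assumed signatures
HEADER_SIGNATURES = [
    ("CloudFlare", "Server", re.compile(r"cloudflare", re.I)),
    ("CloudFlare", "CF-RAY", re.compile(r".")),
    ("Sucuri Security", "X-Sucuri-ID", re.compile(r".")),
    ("Sucuri Security", "Server", re.compile(r"sucuri", re.I)),
    # Wordfence sets a visitor cookie whose name starts with wfvt_ (assumed)
    ("Wordfence Security", "Set-Cookie", re.compile(r"^wfvt_")),
]

# plugin directory slug -> product. A 200 or 403 for /wp-content/plugins/<slug>/
# suggests the plugin is installed. Slugs are assumptions for this example.
PLUGIN_DIRS = {
    "wordfence": "Wordfence Security",
    "bulletproof-security": "BulletProof Security",
    "sucuri-scanner": "Sucuri Security",
    "better-wp-security": "Better WP Security",
    "wp-security-scan": "Acunetix WP SecurityScan",
    "all-in-one-wp-security-and-firewall": "All In One WP Security & Firewall",
    "6scan-protection": "6Scan Security",
}


def header_evidence(headers):
    """headers: list of (name, value) pairs, so repeated Set-Cookie headers survive."""
    found = set()
    for product, name, pattern in HEADER_SIGNATURES:
        for hname, value in headers:
            if hname.lower() == name.lower() and pattern.search(value):
                found.add(product)
    return found


def plugin_dir_evidence(probe_status, baseline_status):
    """probe_status: slug -> HTTP status of GET /wp-content/plugins/<slug>/.
    baseline_status: status returned for a slug that cannot exist. A directory
    only counts when it answers 200/403 AND differently from the baseline, so a
    host (or WAF) that returns 403 for every path does not yield false hits."""
    found = set()
    for slug, product in PLUGIN_DIRS.items():
        code = probe_status.get(slug, 404)
        if code in (200, 403) and code != baseline_status:
            found.add(product)
    return found


def detect_protection(headers, probe_status, baseline_status=404):
    """Merge both kinds of evidence into a sorted, de-duplicated product list."""
    return sorted(header_evidence(headers) | plugin_dir_evidence(probe_status, baseline_status))


# Constructed sample: a site behind CloudFlare running Wordfence.
SAMPLE_HEADERS = [
    ("Server", "cloudflare"),
    ("CF-RAY", "3a1b2c3d4e5f6789-SJC"),
    ("Set-Cookie", "wfvt_3f9a1c2b=5956ab12cd34; path=/; HttpOnly"),
    ("Content-Type", "text/html; charset=UTF-8"),
]
SAMPLE_PROBES = {"wordfence": 403, "sucuri-scanner": 404, "better-wp-security": 404}

if __name__ == "__main__":
    print(detect_protection(SAMPLE_HEADERS, SAMPLE_PROBES))
```

With the sample data the result is CloudFlare (header) and Wordfence (cookie and directory); the same Wordfence directory probe yields nothing when the baseline also answers 403.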
It also checks for the WordPress full path disclosure based on /wp-includes/rss-functions.php (requesting that file directly, outside the WordPress bootstrap, triggers a PHP fatal error that echoes the absolute filesystem path when error display is on) and for the existence of a crossdomain.xml file. Note that the tool only reports that crossdomain.xml exists; whether it matters depends on its policy being permissive (an allow-access-from wildcard), which you still have to read yourself. As the sample output already shows, wp-config backups with the following extensions are also probed: .php~, .backup, .bck, .old, .save, .bak, .copy, .tmp, .txt, .zip, .db, .dat, .tar.gz, .back, .test, .temp, .orig. The vulnerability correlation for the core version, themes and plugins is done against the WPScan Vulnerability Database API.
I like this update! However, the tool should first check whether the site runs WordPress at all. For example, these are the results of scanning scanme.nmap.org, which does not run WordPress:
python wpseku.py -t http://scanme.nmap.org/
__ ______ ____ _
\ \ / / _ \/ ___| ___| | ___ _
\ \ /\ / /| |_) \___ \ / _ \ |/ / | | |
\ V V / | __/ ___) | __/ <| |_| |
\_/\_/ |_| |____/ \___|_|\_\\__,_|
|| WPSeku - WordPress Security Scanner
|| Version 0.2.1
|| Momo Outaadi (M4ll0k)
|| https://github.com/m4ll0k/WPSeku
[+] Target: http://scanme.nmap.org
[+] Starting: 30/06/2017 13:12:13
[*] Checking sitemap...
[-] sitemap.xml not available
[*] Checking license...
[-] license.txt not available
[*] Checking robots...
[*] Checking crossdomain...
[-] crossdomain.xml not available
[*] Checking readme...
[-] readme.html not available
[*] Checking .htaccess...
[-] .htaccess not available
[*] Checking xmlrpc...
[-] XML-RPC not available
[*] Checking Full Path Disclosure...
[-] Full Path Disclosure not available
[*] Checking wp-config...
[-] wp-config not available
[*] Checking wp-config-sample...
[-] wp-config-sample not available
[*] Checking wp-config backup...
[-] wp-config.php~ backup not available
[-] wp-config.backup backup not available
[-] wp-config.bck backup not available
[-] wp-config.old backup not available
[-] wp-config.save backup not available
[-] wp-config.bak backup not available
[-] wp-config.copy backup not available
[-] wp-config.tmp backup not available
[-] wp-config.txt backup not available
[-] wp-config.zip backup not available
[-] wp-config.db backup not available
[-] wp-config.dat backup not available
[-] wp-config.tar.gz backup not available
[-] wp-config.back backup not available
[-] wp-config.test backup not available
[-] wp-config.temp backup not available
[-] wp-config.orig backup not available
[*] Checking dir listing...
[-] dir /wp-admin not listing enabled
[-] dir /wp-includes not listing enabled
[-] dir /wp-content/uploads not listing enabled
[-] dir /wp-content/plugins not listing enabled
[-] dir /wp-content/themes not listing enabled
[*] Interesting headers...
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Date: Fri, 30 Jun 2017 20:12:14 GMT
Server: Apache/2.4.7 (Ubuntu)
Transfer-Encoding: chunked
Vary: Accept-Encoding
[*] Checking WAF...
[*] Checking wp-login protection...
[-] wp-login detect protection
[*] Checking wordpress version...
[*] Enumeration themes...
| Not found themes
[*] Enumeration plugins...
[*] Enumeration usernames...
| Not found usernames
Verifying that WordPress is actually installed before firing the full battery of probes would keep the scan quieter and avoid raising suspicious flags on a host that was never a WordPress target. Another suggestion is to drop json from the requirements file: json is part of the Python standard library, and the package of that name on PyPI is a placeholder that deliberately refuses to install, so pip fails with this message:
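As an added example (not WPSeku's code and not the original post's), here is a minimal form of that pre-flight check combined with the version extraction from the resources listed earlier (the generator meta tag, the feeds, wp-links-opml.php and readme.html). The markup patterns are the ones WordPress emits publicly; the sample pages and hostname are constructed. It also cross-checks the sources, because readme.html is a static file that survives upgrades and can report a stale version while the generated output reflects the running code.

```python
# Added example (not WPSeku's code): pre-flight "is this WordPress?" check,
# then version extraction from several resources with a consistency check.
# Sample pages below are constructed for this example.
import re

# Markers that the home page is served by WordPress (public WordPress output).
WP_MARKERS = [
    re.compile(r"/wp-content/(?:themes|plugins|uploads)/", re.I),
    re.compile(r"/wp-includes/", re.I),
    re.compile(r"""<link[^>]+rel=['"]https://api\.w\.org/['"]""", re.I),  # REST API discovery link
    re.compile(r"""<meta[^>]+name=['"]generator['"][^>]+content=['"]WordPress""", re.I),
]

# Version regexes per resource. "feed" covers /feed, /feed/rdf and /comments/feed
# (the ?v= form) as well as /feed/atom (the version="..." form).
VERSION_PATTERNS = {
    "meta generator": [re.compile(
        r"""<meta[^>]+name=['"]generator['"][^>]+content=['"]WordPress\s+([\d.]+)""", re.I)],
    "feed": [re.compile(r"wordpress\.org/\?v=([\d.]+)", re.I),
             re.compile(r'<generator[^>]+version="([\d.]+)"[^>]*>WordPress<', re.I)],
    "wp-links-opml.php": [re.compile(r'generator="WordPress/([\d.]+)"', re.I)],
    "readme.html": [re.compile(r"<br\s*/?>\s*Version\s+([\d.]+)", re.I)],
}

SOURCE_FOR_PATH = {
    "/": "meta generator", "/feed/": "feed", "/feed/atom/": "feed", "/feed/rdf/": "feed",
    "/comments/feed/": "feed", "/wp-links-opml.php": "wp-links-opml.php",
    "/readme.html": "readme.html",
}

# Order of trust: generated output reflects the running code; readme.html is a
# static file that can report a stale version after an upgrade.
PREFERENCE = ("meta generator", "feed", "wp-links-opml.php", "readme.html")


def is_wordpress(html, min_markers=2):
    """Require two independent markers so a page that merely embeds an image
    from some WordPress site is not mistaken for a WordPress install."""
    return sum(1 for p in WP_MARKERS if p.search(html)) >= min_markers


def extract_version(source, body):
    for pattern in VERSION_PATTERNS[source]:
        m = pattern.search(body)
        if m:
            return m.group(1)
    return None


def fingerprint(pages):
    """pages: path -> response body. Returns the pre-flight verdict, the version
    seen per source, the chosen version and whether all sources agree."""
    result = {"wordpress": is_wordpress(pages.get("/", "")),
              "versions": {}, "version": None, "consistent": True}
    if not result["wordpress"]:
        return result  # stop here: no wp-config backup probing on a non-WordPress host
    for path, body in pages.items():
        source = SOURCE_FOR_PATH.get(path)
        if source:
            v = extract_version(source, body)
            if v and source not in result["versions"]:
                result["versions"][source] = v
    result["consistent"] = len(set(result["versions"].values())) <= 1
    for source in PREFERENCE:
        if source in result["versions"]:
            result["version"] = result["versions"][source]
            break
    return result


# Constructed sample responses (hostname and contents are assumptions).
SAMPLE_PAGES = {
    "/": ('<html><head><meta name="generator" content="WordPress 4.8" />'
          "<link rel='https://api.w.org/' href='http://external-target.com/wp-json/' />"
          '</head><body><script src="/wp-includes/js/jquery/jquery.js"></script></body></html>'),
    "/feed/": "<rss><channel><generator>https://wordpress.org/?v=4.8</generator></channel></rss>",
    "/feed/atom/": '<feed><generator uri="https://wordpress.org/" version="4.8">WordPress</generator></feed>',
    "/wp-links-opml.php": '<!-- generator="WordPress/4.8" created="30/06/2017" --><opml version="1.0"></opml>',
    "/readme.html": '<h1 id="logo"><br /> Version 4.7.5</h1>',  # stale file from an earlier install
}
NON_WP_PAGES = {"/": "<html><head><title>Hello</title></head><body>nothing here</body></html>"}

if __name__ == "__main__":
    print(fingerprint(NON_WP_PAGES))
    print(fingerprint(SAMPLE_PAGES))
```

On the non-WordPress sample the function stops after the pre-flight check; on the WordPress sample it reports 4.8 from the generated sources and flags the disagreement with the stale readme.html rather than silently picking one value.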
Collecting json (from -r requirements.txt (line 4))
Downloading json-99.0.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-build-XfuD9K/json/setup.py", line 2, in <module>
raise RuntimeError("Package 'json' must not be downloaded from pypi")
RuntimeError: Package 'json' must not be downloaded from pypi
Download WPSeku:
WPSeku v0.2.1 can be checked out from its GitHub repository at https://github.com/m4ll0k/WPSeku. In case you already have it cloned, a simple git pull will bring you up to date.