
UPDATE: WPSeku v0.2.1!

Posted: 2 years ago by @pentestit 2778 views
Updated: July 1, 2017 at 2:45 am

Since my initial post about WPSeku was about v0.1.0, an update was made by the author and a new version was released. This post is an attempt at mentioning the changes made to the tool.

What is WPSeku?

WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

This seems to be a major code rewrite and a few options have also changed. The tool looks a lot more polished now. My sample scan returned the following results:

python wpseku.py -t http://external-target.com
__        ______  ____       _          
\ \      / /  _ \/ ___|  ___| | ___   _ 
 \ \ /\ / /| |_) \___ \ / _ \ |/ / | | |
  \ V  V / |  __/ ___) |  __/   <| |_| |
   \_/\_/  |_|   |____/ \___|_|\_\\__,_|
                                         
|| WPSeku - WordPress Security Scanner   
|| Version 0.2.1                         
|| Momo Outaadi (M4ll0k)                 
|| https://github.com/m4ll0k/WPSeku

[+] Target: http://external-target.com
[+] Starting: 30/06/2017 13:14:11


[*] Checking sitemap...
[-] sitemap.xml not available
[*] Checking license...
[-] license.txt not available
[*] Checking robots...
[+] robots.txt available under: http://external-target.com/robots.txt

# http://www.external-target.com
#

User-agent: *

Allow: /wp-content/uploads

Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
 
User-agent: Mediapartners-Google Allow: /
 
User-agent: Adsbot-Google Allow: /
 
User-agent: Googlebot-Image Allow: /
 
User-agent: Googlebot-Mobile Allow: /
 
Sitemap: http://www.external-target.com/sitemap_index.xml


[*] Checking crossdomain...
[+] crossdomain.xml available under: http://external-target.com/crossdomain.xml
[*] Checking readme...
[-] readme.html not available
[*] Checking .htaccess...
[-] .htaccess not available
[*] Checking xmlrpc...
[+] XML-RPC Interface available under: http://external-target.com/xmlrpc.php
[*] Checking Full Path Disclosure...
[-] Full Path Disclosure not available
[*] Checking wp-config...
[-] wp-config not available
[*] Checking wp-config-sample...
[-] wp-config-sample not available
[*] Checking wp-config backup...
[-] wp-config.php~ backup not available
[-] wp-config.backup backup not available
[-] wp-config.bck backup not available
[-] wp-config.old backup not available
[-] wp-config.save backup not available
[-] wp-config.bak backup not available
[-] wp-config.copy backup not available
[-] wp-config.tmp backup not available
[-] wp-config.txt backup not available
[-] wp-config.zip backup not available
[-] wp-config.db backup not available
[-] wp-config.dat backup not available
[-] wp-config.tar.gz backup not available
[-] wp-config.back backup not available
[-] wp-config.test backup not available
[-] wp-config.temp backup not available
[-] wp-config.orig backup not available
[*] Checking dir listing...
[-] dir /wp-admin not listing enabled
[-] dir /wp-includes not listing enabled
[-] dir /wp-content/uploads not listing enabled
[-] dir /wp-content/plugins not listing enabled
[-] dir /wp-content/themes not listing enabled
[*] Interesting headers...

Connection: close
Content-Type: text/html; charset=UTF-8
Date: Fri, 30 Jun 2017 20:14:25 GMT
Last-Modified: Fri, 30 Jun 2017 20:14:25 GMT
Server: nginx/1.4.6 (Ubuntu)
Strict-Transport-Security: max-age=31536000; includeSubdomains
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/5.5.9-1ubuntu4.21
X-XSS-Protection: 1; mode=block

[*] Checking WAF...
[*] Checking wp-login protection...
[+] wp-login not detect protection
[*] Checking wordpress version...
[+] Running WordPress version: 4.8

 | Not found vulnerabilities

[*] Enumeration themes...

 | Name: canvas
 | Theme Name: Canvas
 | Theme URL: http://www.woothemes.com/
 | Author: WooThemes
 | Author URL: http://www.woothemes.com/
 | Version: 5.9.17
 | Style: http://external-target.com/wp-content/themes/canvas/style.css
 | Changelog: http://external-target.com/wp-content/themes/canvas/changelog.txt
 | License: http://external-target.com/wp-content/themes/canvas/license.txt
 | Not found vulnerabilities

[*] Enumeration plugins...

 | Name: social-warfare - 2.2.7
 | Readme: http://external-target.com/wp-content/plugins/social-warfare/readme.txt
 | Readme: http://external-target.com/wp-content/plugins/social-warfare/README.md
 | Not found vulnerabilities

 | Name: crayon-syntax-highlighter - None
 | Readme: http://external-target.com/wp-content/plugins/crayon-syntax-highlighter/readme.txt

 | Title: Crayon Syntax Highlighter <= 1.12 - Remote File Inclusion
 | Reference: http://ceriksen.com/2012/10/15/wordpress-crayon-syntax-highlighter-remote-file-inclusion-vulnerability/
 | Fixed in: 1.13

 | Title: Crayon Syntax Highlighter <= 2.6.10 - Local File Disclosure
 | Reference: http://www.kevinsubileau.fr/informatique/hacking-securite/crayon-syntax-highlighter-local-file-disclosure-vulnerability.html
 | Fixed in: 2.7.0

 | Title: Crayon Syntax Highlighter 2.0 - 2.6.10 - Defacement
 | Reference: https://research.g0blin.co.uk/g0blin-00044/
 | Fixed in: 2.7.0

[*] Enumeration usernames...
 | Not found usernames

This version tries to do a lot of things. WPSeku gets the WordPress version from the following resources:

  • wp-links-opml.php
  • feed
  • /feed/atom
  • /feed/rdf
  • /comments/feed
  • readme.html
  • meta name="generator"
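To see which of these resources a site you run still discloses its version through, the markers can be matched against saved response bodies. This is an added example, not WPSeku code or part of the original post; the marker formats are assumptions based on what stock WordPress emits, and the response bodies are constructed.

```python
import re

# Version markers as stock WordPress emits them (assumed formats; themes,
# plugins and hardening snippets can alter or strip them).
MARKERS = {
    "meta generator": r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"',
    "rss/comments feed": r'<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>',
    "atom feed": r'<generator[^>]*\bversion="([\d.]+)"[^>]*>WordPress</generator>',
    "rdf feed": r'<admin:generatorAgent\s+rdf:resource="https?://wordpress\.org/\?v=([\d.]+)"',
    "generator comment": r'generator="WordPress/([\d.]+)"',
    "readme.html": r'<br\s*/?>\s*Version\s+([\d.]+)',
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in MARKERS.items()}

def version_leaks(responses):
    """Map {resource path: response body} to a sorted list of
    (resource, marker, version) tuples, one per disclosure found."""
    leaks = set()
    for resource, body in responses.items():
        for name, rx in COMPILED.items():
            for match in rx.finditer(body):
                leaks.add((resource, name, match.group(1)))
    return sorted(leaks)

def disclosed_versions(leaks):
    """Distinct version strings; more than one usually means a stale cache."""
    return sorted({version for _, _, version in leaks})

# Constructed response bodies, trimmed to the relevant lines.
SAMPLE_RESPONSES = {
    "/": '<head><meta name="generator" content="WordPress 4.8" /></head>',
    "/feed": '<channel><generator>https://wordpress.org/?v=4.8</generator></channel>',
    "/feed/atom": '<generator uri="https://wordpress.org/" version="4.7.5">WordPress</generator>',
    "/wp-links-opml.php": '<!-- generator="WordPress/4.8" -->',
    "/readme.html": '<h1>Not Found</h1>',
}

if __name__ == "__main__":
    for leak in version_leaks(SAMPLE_RESPONSES):
        print(leak)
```

An empty result after hardening means none of these markers is being served any more; it does not prove the version cannot be inferred some other way.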

Based on the existence of related directories, cookies and server response, WPSeku also now detects the following firewalls and security plugins:

  • Wordfence Security
  • BulletProof Security
  • Sucuri Security
  • Better WP Security
  • Acunetix WP SecurityScan
  • All In One WP Security & Firewall
  • 6Scan Security
  • CloudFlare

It also checks for a WordPress full path disclosure vulnerability based on /wp-includes/rss-functions.php and for the existence of the crossdomain.xml file. As the sample output has already shown, wp-config backups with the following extensions are also checked for: .php~, .backup, .bck, .old, .save, .bak, .copy, .tmp, .txt, .zip, .db, .dat, .tar.gz, .back, .test, .temp, .orig. The main vulnerability correlation is done using the robust WPScan Vulnerability Database API.
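Seen from the server side, this sweep of backup names is easy to recognise in an access log. The following is an added example, not WPSeku code or part of the original post: it assumes Combined Log Format and a WordPress install at the web root, reports clients that requested many distinct wp-config backup names, and lists any backup the server actually returned. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Suffixes WPSeku v0.2.1 appends to "wp-config", as listed in the post.
BACKUP_SUFFIXES = (".php~", ".backup", ".bck", ".old", ".save", ".bak",
                   ".copy", ".tmp", ".txt", ".zip", ".db", ".dat", ".tar.gz",
                   ".back", ".test", ".temp", ".orig")
BACKUP_PATHS = {"/wp-config" + suffix for suffix in BACKUP_SUFFIXES}

# Combined Log Format (assumed): ip - - [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def analyse(lines, threshold=5):
    """Return (sweeps, served): sweeps maps each client that requested at
    least `threshold` distinct backup names to those names; served lists
    (client, path) pairs the server answered with 200."""
    probes = defaultdict(set)
    served = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # not in the expected format
        client, target, status = match.groups()
        path = target.split("?", 1)[0].lower()
        if path not in BACKUP_PATHS:
            continue
        probes[client].add(path)
        if status == "200":
            served.append((client, path))
    sweeps = {c: sorted(p) for c, p in probes.items() if len(p) >= threshold}
    return sweeps, served

def log_line(client, path, status):
    """Build one constructed Combined Log Format line."""
    return (f'{client} - - [30/Jun/2017:20:14:20 +0000] '
            f'"GET {path} HTTP/1.1" {status} 162 "-" "-"')

# Constructed sample: one client sweeping backup names, one ordinary visitor.
SAMPLE_LOG = [log_line("203.0.113.7", "/wp-config" + s, 404)
              for s in BACKUP_SUFFIXES[:6]]
SAMPLE_LOG += [
    log_line("203.0.113.7", "/wp-config.zip", 200),
    log_line("198.51.100.20", "/wp-config.bak", 404),
    log_line("198.51.100.20", "/index.php", 200),
    "truncated or malformed line",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Any entry in the served list is the urgent finding, since it means a copy of the configuration file left the server; the sweep itself only tells you someone looked.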

I like this update! However, the tool should first detect if the site uses WordPress or not. For example, these are the results of scanme.nmap.org:

python wpseku.py -t http://scanme.nmap.org/
__        ______  ____       _          
\ \      / /  _ \/ ___|  ___| | ___   _ 
 \ \ /\ / /| |_) \___ \ / _ \ |/ / | | |
  \ V  V / |  __/ ___) |  __/   <| |_| |
   \_/\_/  |_|   |____/ \___|_|\_\\__,_|
                                         
|| WPSeku - WordPress Security Scanner   
|| Version 0.2.1                         
|| Momo Outaadi (M4ll0k)                 
|| https://github.com/m4ll0k/WPSeku

[+] Target: http://scanme.nmap.org
[+] Starting: 30/06/2017 13:12:13


[*] Checking sitemap...
[-] sitemap.xml not available
[*] Checking license...
[-] license.txt not available
[*] Checking robots...
[*] Checking crossdomain...
[-] crossdomain.xml not available
[*] Checking readme...
[-] readme.html not available
[*] Checking .htaccess...
[-] .htaccess not available
[*] Checking xmlrpc...
[-] XML-RPC not available
[*] Checking Full Path Disclosure...
[-] Full Path Disclosure not available
[*] Checking wp-config...
[-] wp-config not available
[*] Checking wp-config-sample...
[-] wp-config-sample not available
[*] Checking wp-config backup...
[-] wp-config.php~ backup not available
[-] wp-config.backup backup not available
[-] wp-config.bck backup not available
[-] wp-config.old backup not available
[-] wp-config.save backup not available
[-] wp-config.bak backup not available
[-] wp-config.copy backup not available
[-] wp-config.tmp backup not available
[-] wp-config.txt backup not available
[-] wp-config.zip backup not available
[-] wp-config.db backup not available
[-] wp-config.dat backup not available
[-] wp-config.tar.gz backup not available
[-] wp-config.back backup not available
[-] wp-config.test backup not available
[-] wp-config.temp backup not available
[-] wp-config.orig backup not available
[*] Checking dir listing...
[-] dir /wp-admin not listing enabled
[-] dir /wp-includes not listing enabled
[-] dir /wp-content/uploads not listing enabled
[-] dir /wp-content/plugins not listing enabled
[-] dir /wp-content/themes not listing enabled
[*] Interesting headers...

Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Date: Fri, 30 Jun 2017 20:12:14 GMT
Server: Apache/2.4.7 (Ubuntu)
Transfer-Encoding: chunked
Vary: Accept-Encoding

[*] Checking WAF...
[*] Checking wp-login protection...
[-] wp-login detect protection
[*] Checking wordpress version...
[*] Enumeration themes...
 | Not found themes
[*] Enumeration plugins...
[*] Enumeration usernames...
 | Not found usernames

It would be easier to remain stealthy and avoid raising suspicion if the tool first verified whether WordPress is installed. Another suggestion is to drop json from the requirements file, since it is already part of the Python standard library, to avoid this message:

Collecting json (from -r requirements.txt (line 4))
  Downloading json-99.0.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-XfuD9K/json/setup.py", line 2, in <module>
        raise RuntimeError("Package 'json' must not be downloaded from pypi")
    RuntimeError: Package 'json' must not be downloaded from pypi

Download WPSeku:

WPSeku v0.2.1 can be checked out from here. In case you already have it cloned, simply performing a git pull will set you up.
