
Adding a scan of the php-everywhere plug-in for wpscan #1715

Closed
WAY29 opened this issue Mar 7, 2022 · 3 comments

WAY29 commented Mar 7, 2022

Is your feature request related to a problem? Please describe.
wpscan now can't scan the php-everywhere plugin, but the plugin has vulnerabilities that can lead to code execution.

Describe the solution you'd like
Adding a scan of the php-everywhere plugin for wpscan

Describe alternatives you've considered

Additional context
Reference:

erwanlr (Member) commented Mar 7, 2022

We have those vulnerabilities: https://wpscan.com/plugin/php-everywhere

What command are you running and which output do you get?

WAY29 (Author) commented Mar 7, 2022

docker run -it --rm wpscanteam/wpscan --url http://d3wordpress.d3ctf-challenge.n3ko.co --api-token [secret]


     __          _______   _____
     \ \        / /  __ \ / ____|
      \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
       \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
        \  /\  /  | |     ____) | (__| (_| | | | |
         \/  \/   |_|    |_____/ \___|\__,_|_| |_|

     WordPress Security Scanner by the WPScan Team
                     Version 3.8.21
   Sponsored by Automattic - https://automattic.com/
   @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

[+] URL: http://d3wordpress.d3ctf-challenge.n3ko.co/ [118.180.56.203]
[+] Started: Sat Mar 5 04:35:08 2022

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Ali-Swift-Global-Savetime: 1646454901
| - Eagleid: 76b4381916464549009527198e
| - Proxy-Connection: keep-alive
| - Server: Tengine
| - Timing-Allow-Origin: *
| - Via: cache1.l2cn3044[254,254,200-0,M], cache5.l2cn3044[256,0], kunlun9.cn1593[269,269,200-0,M], kunlun5.cn1593[272,0]
| - X-Powered-By: PHP/8.0.15
| - X-Swift-Cachetime: 0
| - X-Swift-Savetime: Sat, 05 Mar 2022 04:35:01 GMT
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://d3wordpress.d3ctf-challenge.n3ko.co/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://d3wordpress.d3ctf-challenge.n3ko.co/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] A backup directory has been found: http://d3wordpress.d3ctf-challenge.n3ko.co/wp-content/backup-db/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 70%
| Reference: #422

[+] This site has 'Must Use Plugins': http://d3wordpress.d3ctf-challenge.n3ko.co/wp-content/mu-plugins/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 80%
| Reference: http://codex.wordpress.org/Must_Use_Plugins

[+] The external WP-Cron seems to be enabled: http://d3wordpress.d3ctf-challenge.n3ko.co/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - #1299

[+] WordPress version 5.9.1 identified (Latest, released on 2022-02-22).
| Found By: Rss Generator (Passive Detection)
| - http://d3wordpress.d3ctf-challenge.n3ko.co/?feed=rss2, https://wordpress.org/?v=5.9.1
| - http://d3wordpress.d3ctf-challenge.n3ko.co/?feed=comments-rss2, https://wordpress.org/?v=5.9.1

[+] WordPress theme in use: twentytwentytwo
| Location: http://d3wordpress.d3ctf-challenge.n3ko.co/wp-content/themes/twentytwentytwo/
| Last Updated: 2022-02-25T00:00:00.000Z
| Readme: http://d3wordpress.d3ctf-challenge.n3ko.co/wp-content/themes/twentytwentytwo/readme.txt
| [!] The version is out of date, the latest version is 1.1
| Style URL: http://d3wordpress.d3ctf-challenge.n3ko.co/wp-content/themes/twentytwentytwo/style.css?ver=1.0
| Style Name: Twenty Twenty-Two
| Style URI: https://github.com/wordpress/twentytwentytwo/
| Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://d3wordpress.d3ctf-challenge.n3ko.co/wp-content/themes/twentytwentytwo/style.css?ver=1.0, Match: 'Version: 1.0'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] userswp
| Location: http://d3wordpress.d3ctf-challenge.n3ko.co/wp-content/plugins/userswp/
| Latest Version: 1.2.3.2 (up to date)
| Last Updated: 2022-02-02T16:38:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.2.3.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://d3wordpress.d3ctf-challenge.n3ko.co/wp-content/plugins/userswp/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://d3wordpress.d3ctf-challenge.n3ko.co/wp-content/plugins/userswp/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:40 <============================================================================================================================> (137 / 137) 100.00% Time: 00:00:40

[i] No Config Backups Found.

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 22

[+] Finished: Sat Mar 5 04:36:05 2022
[+] Requests Done: 177
[+] Cached Requests: 7
[+] Data Sent: 72.521 KB
[+] Data Received: 687.729 KB
[+] Memory used: 292.746 MB
[+] Elapsed time: 00:00:57

Could it be that my visit to /wp-content/plugins/everywhere/ returns a 403 status code and wpscan doesn't show it?

erwanlr (Member) commented Mar 7, 2022

[+] Enumerating All Plugins (via Passive Methods)

By default it will do passive enumeration (such as checking the homepage etc). If the plugin is not disclosed there, then it won't appear in the results.

You need to play with the --plugins-detection and --enumeration options. See wpscan --hh.

@erwanlr erwanlr closed this as completed Mar 7, 2022
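The passive-versus-direct-access distinction in erwanlr's reply, and WAY29's question about a 403 on the plugin directory, worked through as an added Ruby example. This is not WPScan's own code: the homepage HTML, the host example.test and the per-slug status codes are constructed inline, and the rule that treats a 403 as "directory present" is this example's classification, not a statement of exactly how WPScan's finders behave. The command-line helper uses the real --plugins-detection and --enumeration flags with values as listed by wpscan --hh.

```ruby
# Added example (not WPScan's code): why default passive plugin enumeration
# misses a plugin the homepage never references, and how direct-access
# ("aggressive") detection reads the status code of the plugin directory.
require 'set'

# Constructed homepage HTML for a hypothetical site at example.test.
# Only userswp leaks a /wp-content/plugins/<slug>/ URL; php-everywhere does not.
SAMPLE_HOMEPAGE = <<~HTML
  <html><head>
  <link rel="stylesheet" href="http://example.test/wp-content/plugins/userswp/assets/css/users-wp.css?ver=1.2.3.2">
  <link rel="stylesheet" href="http://example.test/wp-content/themes/twentytwentytwo/style.css?ver=1.0">
  </head><body>
  <script src="http://example.test/wp-content/plugins/userswp/assets/js/users-wp.js"></script>
  </body></html>
HTML

PLUGIN_PATH_RE = %r{/wp-content/plugins/([a-z0-9_-]+)/}i

# Passive detection: harvest the plugin slugs the page itself discloses.
# Anything not linked from the HTML is invisible to this method.
def passive_plugins(html)
  html.scan(PLUGIN_PATH_RE).flatten.map(&:downcase).to_set
end

# Direct-access detection: interpret the status returned when the plugin
# directory is requested directly. In this example's rule a 403 means the
# directory exists but listing is denied, so it still counts as present;
# only a 404 rules the plugin out. Disabling directory listing therefore
# does not hide an installed plugin from a direct-access check.
def interpret_direct_access(status)
  case status
  when 200, 301, 302, 403 then :present
  when 404 then :absent
  else :unknown
  end
end

# Constructed status codes for candidate slugs (no network requests are made).
SAMPLE_RESPONSES = {
  'userswp' => 200,
  'php-everywhere' => 403,
  'akismet' => 404
}.freeze

# Aggressive enumeration: probe each candidate slug and keep those present.
def aggressive_plugins(candidates, responses)
  candidates.select do |slug|
    interpret_direct_access(responses.fetch(slug, 404)) == :present
  end.to_set
end

# The command-line equivalent of widening detection beyond the default:
# "ap" enumerates all known plugins, "aggressive" probes their directories.
def wpscan_command(url)
  "wpscan --url #{url} --plugins-detection aggressive --enumeration ap"
end

if __FILE__ == $PROGRAM_NAME
  candidates = %w[userswp php-everywhere akismet]
  puts "passive:    #{passive_plugins(SAMPLE_HOMEPAGE).to_a.sort.join(', ')}"
  puts "aggressive: #{aggressive_plugins(candidates, SAMPLE_RESPONSES).to_a.sort.join(', ')}"
  puts wpscan_command('http://example.test')
end
```

Running the file shows the gap the thread is about: the passive pass returns only userswp, exactly as in the scan output above, while the direct-access pass also returns php-everywhere because its directory answered 403 rather than 404.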