http://vipscu.blog.163.com/blog/static/18180837220122139348819/
WPScan basic functions:
- WordPress version detection and theme detection
- WordPress plugin security detection
- Password brute forcing
- A proxy can be specified
Source code download address: http://code.google.com/p/wpscan/source/checkout
Commonly used options:
--url                   The WordPress URL/domain to scan.
--enumerate             Enumeration.
    u  users
    v  version
    p  plugins
    t  timthumb
--wordlist              Supply a wordlist for the password bruter and do the brute.
--threads               The number of threads to use when multi-threading requests.
--username              Only brute force the supplied username.
--generate_plugin_list  Generate a new data/plugins.txt file. (supply number of pages to parse)
-h                      This help screen.
-v                      Verbose output.
Examples:
ruby ./wpscan.rb --url www.example.com
Do wordlist password brute force on enumerated users using 50 threads...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
Do wordlist password brute force on the 'admin' username only...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
Generate a new 'most popular' plugin list, up to 150 pages...
ruby ./wpscan.rb --generate_plugin_list 150
Enumerate installed plugins...
ruby ./wpscan.rb --url www.example.com --enumerate p
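The three activities the commands above drive (version detection, plugin enumeration, password brute forcing) each leave a distinctive footprint in the target's web-server access log, which is what a site owner would look at to confirm a scan took place. The following Ruby script is an added example, not part of the original post and not WPScan's own code: it parses Apache/Nginx combined-format log lines and flags, per client IP, a probe of /readme.html (assumed here to be the version-detection check), many distinct /wp-content/plugins/<name>/ paths (plugin enumeration), and many POSTs to /wp-login.php (brute forcing). The log lines, IP addresses and thresholds are constructed for illustration.

```ruby
# Added example (not from the original post or from WPScan): review an
# access log for the footprint of the three WPScan activities above.
require 'set'

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+/
# Captures the plugin slug from /wp-content/plugins/<slug>/...
PLUGIN_PATH_RE = %r{\A/wp-content/plugins/([^/?]+)}

# Parse one log line into a hash, or nil when the line does not match.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Aggregate per-IP indicators and return { ip => [flags] } for suspicious IPs.
# Thresholds are constructed defaults; tune them to the site's normal traffic.
def analyze(lines, plugin_threshold: 5, login_threshold: 10)
  per_ip = Hash.new { |h, k| h[k] = { readme: false, plugins: Set.new, login_posts: 0 } }
  lines.each do |line|
    rec = parse_line(line)
    next unless rec
    stats = per_ip[rec[:ip]]
    # Assumed version-detection probe: a request for the stock readme.html.
    stats[:readme] = true if rec[:path].start_with?('/readme.html')
    # Plugin enumeration: many distinct plugin slugs requested by one client.
    if (pm = PLUGIN_PATH_RE.match(rec[:path]))
      stats[:plugins] << pm[1]
    end
    # Brute force: repeated POSTs to the login form from one client.
    stats[:login_posts] += 1 if rec[:method] == 'POST' && rec[:path].start_with?('/wp-login.php')
  end

  findings = {}
  per_ip.each do |ip, s|
    flags = []
    flags << :version_probe if s[:readme]
    flags << :plugin_enumeration if s[:plugins].size >= plugin_threshold
    flags << :login_bruteforce if s[:login_posts] >= login_threshold
    findings[ip] = flags unless flags.empty?
  end
  findings
end

# Constructed sample log: one ordinary visitor (198.51.100.7) and one
# scanning client (203.0.113.5) that probes readme.html, walks six plugin
# directories and sends twelve login POSTs.
SAMPLE_LOG = [
  '198.51.100.7 - - [10/Mar/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
  '198.51.100.7 - - [10/Mar/2012:10:00:03 +0000] "GET /wp-content/plugins/akismet/style.css HTTP/1.1" 200 800',
  '198.51.100.7 - - [10/Mar/2012:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
  '203.0.113.5 - - [10/Mar/2012:10:05:00 +0000] "GET /readme.html HTTP/1.1" 200 7300'
] +
  %w[plugin-a plugin-b plugin-c plugin-d plugin-e plugin-f].map.with_index { |name, i|
    "203.0.113.5 - - [10/Mar/2012:10:05:#{format('%02d', i + 1)} +0000] \"GET /wp-content/plugins/#{name}/ HTTP/1.1\" 404 250"
  } +
  Array.new(12) { |i|
    "203.0.113.5 - - [10/Mar/2012:10:06:#{format('%02d', i)} +0000] \"POST /wp-login.php HTTP/1.1\" 200 1800"
  }

if __FILE__ == $PROGRAM_NAME
  analyze(SAMPLE_LOG).each { |ip, flags| puts "#{ip}: #{flags.join(', ')}" }
end
```

Run against a real log with `File.readlines('access.log')` in place of SAMPLE_LOG. The plugin and login thresholds are the knobs that matter: a legitimate page load touches only the handful of plugins actually installed, whereas enumeration walks a long list of slugs and mostly receives 404s, and a forgotten password produces a few login POSTs, not dozens in a minute.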
root@bt:/pentest/web/wpscan# ruby wpscan.rb -h
[WPScan ASCII-art banner]
WPScan v1.1
WordPress Security Scanner by ethicalhack3r.co.uk
Sponsored by the RandomStorm Open Source Initiative
Help:
--url The WordPress URL/domain to scan.
--enumerate Enumeration.
u users
v version
p plugins
t timthumb
--wordlist Supply a wordlist for the password bruter and do the brute.
--threads The number of threads to use when multi-threading requests.
--username Only brute force the supplied username.
--generate_plugin_list Generate a new data/plugins.txt file. (supply number of *pages* to parse)
--force Forces WPScan to not check if the remote site is running WordPress.
-h This help screen.
-v Verbose output.