WPProbe
Overview
WPProbe is a specialized WordPress enumeration and vulnerability assessment tool designed for authorized penetration testers. It performs deep reconnaissance on WordPress installations by identifying plugins, themes, users, and known vulnerabilities. WPProbe combines multiple detection techniques to maximize accuracy and provides actionable vulnerability information.
Key features include:
- Plugin and theme enumeration (active and inactive)
- Version detection and vulnerability correlation
- User account enumeration
- WordPress core version identification
- Known CVE matching
- Automated exploitation recommendations
Installation
From GitHub Source
```bash
git clone https://github.com/mazenhatem/wpprobe.git
cd wpprobe
pip install -r requirements.txt
python wpprobe.py --help
```
Using pip
```bash
pip install wpprobe
wpprobe --help
```
Manual Setup
```bash
# Clone repository
git clone https://github.com/mazenhatem/wpprobe.git
cd wpprobe
# Confirm Python 3.7+ is installed
python3 --version
# Install dependencies
pip3 install -r requirements.txt
# Run the tool
python3 wpprobe.py
```
Docker
```bash
docker pull wpprobe
docker run -it wpprobe --help
```
Kali Linux
```bash
apt update && apt install wpprobe -y
```
Basic Usage
| Command | Description |
|---|---|
| `wpprobe -u <url>` | Scan WordPress site for plugins/themes |
| `wpprobe -u <url> -e plugins` | Enumerate only plugins |
| `wpprobe -u <url> -e themes` | Enumerate only themes |
| `wpprobe -u <url> -e users` | Enumerate WordPress users |
| `wpprobe -u <url> -e all` | Full enumeration (plugins, themes, users) |
| `wpprobe -u <url> --update-db` | Update vulnerability database |
| `wpprobe -u <url> -o <file>` | Save results to JSON file |
| `wpprobe -u <url> -v` | Verbose output with details |
Common Examples
Basic WordPress Enumeration
```bash
wpprobe -u https://example.com
```
Performs complete enumeration including WordPress version, plugins, themes, and users. Automatically checks for known vulnerabilities in detected components.
Plugin Enumeration Only
```bash
wpprobe -u https://example.com -e plugins -v
```
Focuses on identifying installed plugins and their versions. Useful when you’ve already identified WordPress and want detailed plugin information.
Theme Enumeration
```bash
wpprobe -u https://example.com -e themes
```
Identifies the active theme and any other installed themes, including version information and known vulnerabilities.
User Enumeration
```bash
wpprobe -u https://example.com -e users -v
```
Discovers WordPress user accounts and usernames. Useful for password spray attacks or targeted phishing campaigns in authorized assessments.
Save Results to JSON
```bash
wpprobe -u https://example.com -o results.json -v
```
Generates detailed enumeration results in JSON format for further analysis or integration with other tools.
Update Vulnerability Database
```bash
wpprobe --update-db
wpprobe -u https://example.com -o results.json
```
Updates the tool’s vulnerability database with latest CVEs before scanning to ensure detection of recent vulnerabilities.
Advanced Usage
Batch Scanning Multiple WordPress Sites
```bash
#!/bin/bash
# List of target WordPress sites, one URL per line
cat targets.txt
# https://wordpress1.example.com
# https://wordpress2.example.com
# https://internal-blog.local

# Scan all targets
while IFS= read -r target; do
    echo "Scanning $target..."
    # Slashes in the URL are replaced with underscores to form the file name
    wpprobe -u "$target" -o "${target//\//_}_results.json"
    sleep 2
done < targets.txt

# Generate summary report
find . -name "*_results.json" -exec jq '.target, .plugins' {} \;
```
Detailed Plugin Vulnerability Analysis
```bash
# Scan and get detailed plugin information
wpprobe -u https://example.com -e plugins -v -o plugins.json
# Extract vulnerable plugins
cat plugins.json | jq '.plugins[] | select(.vulnerabilities | length > 0)'
# Count vulnerabilities by plugin, sorted by count (sort_by is a jq function, so it runs inside the filter)
cat plugins.json | jq '[.plugins[] | {name: .name, vuln_count: (.vulnerabilities | length)}] | sort_by(.vuln_count)'
```
Vulnerability Risk Assessment
```bash
# Comprehensive scan with detailed output
wpprobe -u https://example.com -e all -v -o full_scan.json
# Extract plugins with critical vulnerabilities (any() emits each plugin once)
cat full_scan.json | jq '.plugins[] | select(any(.vulnerabilities[]?; .severity == "critical"))'
# Count issues by severity
cat full_scan.json | jq '[.plugins[].vulnerabilities[]?.severity] | group_by(.) | map({severity: .[0], count: length})'
```
Integration with WPScan
```bash
# Use WPProbe for initial enumeration
wpprobe -u https://example.com -o initial_enum.json
# Identify plugins with critical vulnerabilities (each name printed once)
cat initial_enum.json | jq '.plugins[] | select(any(.vulnerabilities[]?; .severity == "critical")) | .name'
# Run WPScan for deep dive on critical plugins
wpscan --url https://example.com --api-token YOUR_TOKEN
```
Enumeration Techniques
Plugin Detection Methods
WPProbe uses multiple techniques to detect plugins:
| Technique | Reliability | Speed |
|---|---|---|
| wp-content/plugins directory listing | High | Fast |
| Known plugin file paths | High | Fast |
| JavaScript/CSS file URLs | High | Fast |
| README.txt in plugin directories | High | Fast |
| wp-admin assets | Medium | Fast |
| HTML comments | Low | Fast |
Example Detection Output
```
$ wpprobe -u https://example.com -e plugins -v
[+] WordPress detected: version 5.9.2
[+] Plugins enumerated: 12
Plugin: Contact Form 7
  - Version: 5.5.2
  - Status: Active
  - Vulnerabilities: 2
    - CVE-2020-12447 (Medium): Local File Inclusion
Plugin: WooCommerce
  - Version: 6.1.0
  - Status: Active
  - Vulnerabilities: 3
    - CVE-2021-12741 (High): SQL Injection
Plugin: Yoast SEO
  - Version: 18.0
  - Status: Active
  - Vulnerabilities: 0
```
Vulnerability Assessment
Vulnerability Database
```bash
# Update vulnerability database regularly
wpprobe --update-db
# Database contains:
# - WordPress core CVEs
# - Plugin CVEs
# - Theme CVEs
# - CVSS scores
# - Exploit availability
```
CVE Severity Classifications
| Severity | CVSS Score | Impact |
|---|---|---|
| Critical | 9.0-10.0 | Immediate exploitation risk |
| High | 7.0-8.9 | Significant exploitation risk |
| Medium | 4.0-6.9 | Moderate exploitation risk |
| Low | 0.1-3.9 | Minor exploitation risk |
Extracting High-Risk Findings
```bash
# Get all critical and high severity issues
wpprobe -u https://example.com -o scan.json
# Match severities by name: comparing the strings with >= would order them alphabetically
cat scan.json | jq '.plugins[] | select(any(.vulnerabilities[]?; .severity == "critical" or .severity == "high"))'
# Generate remediation list
cat scan.json | jq '.plugins[] | select(.vulnerabilities | length > 0) | {name: .name, version: .version, vuln_count: (.vulnerabilities | length)}'
```
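Added example, not from the original page or from WPProbe: a remediation queue ranked by an explicit severity order, because severity names do not sort in severity order as plain strings. The JSON shape (`plugins`, `vulnerabilities`, `severity`, `exploit_available`, `cve`) is assumed from the jq filters on this page; the sample data, plugin names and CVE placeholders are constructed.

```python
import json

# Explicit ranking. As plain strings, "critical" < "high" < "low" < "medium",
# so a string comparison such as >= "high" selects the wrong findings.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample in the shape assumed from this page's jq filters.
SAMPLE_SCAN = json.loads("""
{"plugins": [
  {"name": "plugin-a", "version": "1.2.0", "vulnerabilities": [
    {"cve": "CVE-PLACEHOLDER-1", "severity": "medium", "exploit_available": false},
    {"cve": "CVE-PLACEHOLDER-2", "severity": "critical", "exploit_available": true}]},
  {"name": "plugin-b", "version": "3.0.1", "vulnerabilities": [
    {"cve": "CVE-PLACEHOLDER-3", "severity": "High"}]},
  {"name": "plugin-c", "version": "2.4.0", "vulnerabilities": []},
  {"name": "plugin-d", "version": "0.9.0"}
]}
""")

def remediation_queue(scan, min_severity="high"):
    """Return one row per plugin with findings at or above min_severity, worst first."""
    floor = SEVERITY_RANK[min_severity]
    rows = []
    for plugin in scan.get("plugins", []):
        vulns = plugin.get("vulnerabilities") or []  # tolerate a missing or null list
        ranked = [(SEVERITY_RANK.get(str(v.get("severity", "")).lower(), 0), v) for v in vulns]
        relevant = [(rank, v) for rank, v in ranked if rank >= floor]
        if not relevant:
            continue
        rows.append({
            "name": plugin.get("name", "?"),
            "version": plugin.get("version", "?"),
            "max_rank": max(rank for rank, _ in relevant),
            "exploit_available": any(v.get("exploit_available") is True for _, v in relevant),
            "cves": sorted(v.get("cve", "?") for _, v in relevant),
        })
    # Highest severity first, then plugins with a known exploit, then by name.
    rows.sort(key=lambda r: (-r["max_rank"], not r["exploit_available"], r["name"]))
    return rows

if __name__ == "__main__":
    for row in remediation_queue(SAMPLE_SCAN):
        print(row["name"], row["version"], row["cves"], "exploit:", row["exploit_available"])
```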
User Enumeration
WordPress User Discovery
```bash
# Enumerate all WordPress users
wpprobe -u https://example.com -e users -v
# Output example:
# [+] Users enumerated: 8
# - admin (ID: 1)
# - blogger (ID: 2)
# - john (ID: 3)
# - jane (ID: 4)
```
User ID Enumeration Methods
```bash
# WPProbe automatically tries multiple methods:
# 1. RSS feed (?feed=rss2)
# 2. Author archives (?author=1, ?author=2, etc.)
# 3. REST API (/wp-json/wp/v2/users)
# 4. Sitemap.xml parsing
# 5. Archives page HTML
```
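From the defender's side, the author-archive and REST API methods listed above, and the plugin `readme.txt` probing from the detection table, leave recognizable requests in web server access logs. This added example (not part of the original page or of WPProbe) flags clients that issue them; the log lines are constructed, and the function names and `min_hits` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: client IP, two fields, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [10/Jan/2024:10:00:0{i} +0000] "GET /?author={i} HTTP/1.1" 301 0'
     for i in range(1, 5)]
    + ['203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512',
       '203.0.113.7 - - [10/Jan/2024:10:00:06 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 200 900',
       '198.51.100.20 - - [10/Jan/2024:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0',
       '198.51.100.20 - - [10/Jan/2024:10:01:05 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 4000']
)

def classify(target):
    """Map a request target to an enumeration signature, or None for ordinary traffic."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if any(value.isdigit() for value in query.get("author", [])):
        return "author-archive"
    # The users route is also reachable as ?rest_route=/wp/v2/users without pretty permalinks.
    if (parts.path.rstrip("/").endswith("/wp-json/wp/v2/users")
            or query.get("rest_route") == ["/wp/v2/users"]):
        return "rest-users"
    if re.search(r"/wp-content/plugins/[^/]+/readme\.txt$", parts.path, re.I):
        return "plugin-readme"
    return None

def find_enumerators(lines, min_hits=5):
    """Return {ip: {signature: count}} for clients with at least min_hits matching requests."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        ip, target, _status = match.groups()
        signature = classify(target)
        if signature:
            hits[ip][signature] += 1
    return {ip: dict(counts) for ip, counts in hits.items()
            if sum(counts.values()) >= min_hits}

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A single `?author=N` request is normal visitor behaviour, which is why the threshold counts requests per client instead of alerting on each match.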
Creating Wordlists from Enumerated Users
```bash
# Enumerate users
wpprobe -u https://example.com -e users -o users.json
# Extract usernames
cat users.json | jq -r '.users[].username' > usernames.txt
# Use with Hydra for password spray
hydra -L usernames.txt -P passwords.txt https://example.com http-post-form \
"/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=&test_cookie=1:S=dashboard"
```
WordPress Core Version Detection
Version Identification Techniques
```bash
# Method 1: wp-includes/version.php parsing
# Method 2: wp-content/themes/twentyXXX/style.css
# Method 3: wp-admin/js/common.js
# Method 4: REST API /wp-json/
# WPProbe tries all methods automatically
wpprobe -u https://example.com -v
```
Identifying Outdated WordPress
```bash
# Scan and check WordPress version
wpprobe -u https://example.com -o results.json
# Extract version
cat results.json | jq '.wordpress_version'
# Check against latest version
# WordPress 6.4.x is current (as of 2024)
# Versions below 6.0 are significantly outdated
```
Advanced Configuration
Custom Headers and Proxies
```bash
# Scan through proxy (Burp Suite)
# Modify the Python script or use wrapper
python wpprobe.py -u https://example.com -x http://127.0.0.1:8080
# Specify custom User-Agent
# Edit wpprobe config or use environment variable
USER_AGENT="Mozilla/5.0 (Custom)" wpprobe -u https://example.com
```
Timeout and Performance Settings
```bash
# WPProbe has built-in timeouts
# For slow/distant targets, results may be incomplete
wpprobe -u https://slow-target.example.com -v
# Alternative: Increase request timeout in config
# Edit wpprobe.py or configuration file
```
Real-World Assessment Workflow
Complete WordPress Security Assessment
```bash
#!/bin/bash
TARGET="https://example.com"
OUTPUT="assessment_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT"

# Step 1: Initial enumeration
echo "[*] Starting WordPress assessment..."
wpprobe -u "$TARGET" -e all -v -o "$OUTPUT/enumeration.json"

# Step 2: Extract critical findings (any() emits each plugin once)
echo "[*] Identifying critical vulnerabilities..."
cat "$OUTPUT/enumeration.json" | jq '.plugins[] | select(any(.vulnerabilities[]?; .severity == "critical"))' > "$OUTPUT/critical_vulns.json"

# Step 3: Enumerate users for password spray list
echo "[*] Enumerating users..."
cat "$OUTPUT/enumeration.json" | jq -r '.users[].username' > "$OUTPUT/usernames.txt"

# Step 4: Generate report
# The critical count is computed with jq; counting lines of pretty-printed JSON would be wrong
cat > "$OUTPUT/assessment_summary.txt" << EOF
WordPress Assessment Report
Target: $TARGET
Date: $(date)
Critical Vulnerabilities: $(jq '[.plugins[].vulnerabilities[]? | select(.severity == "critical")] | length' "$OUTPUT/enumeration.json")
Users Enumerated: $(wc -l < "$OUTPUT/usernames.txt")
Plugins Found: $(cat "$OUTPUT/enumeration.json" | jq '.plugins | length')
Themes Found: $(cat "$OUTPUT/enumeration.json" | jq '.themes | length')
EOF
echo "[+] Assessment complete. Results in $OUTPUT/"
```
Vulnerability Prioritization
```bash
#!/bin/bash
# Scan and prioritize findings by exploitability
wpprobe -u https://target.com -o scan.json

# Extract exploitable vulnerabilities
# Each output line pairs the plugin with one matching CVE only
echo "=== Critical, Exploitable Vulnerabilities ==="
cat scan.json | jq -r '.plugins[] | . as $p |
  .vulnerabilities[]? |
  select(.severity == "critical" and .exploit_available == true) |
  "\($p.name) v\($p.version): \(.cve)"'
echo ""
echo "=== High Severity Vulnerabilities ==="
cat scan.json | jq -r '.plugins[] | . as $p |
  .vulnerabilities[]? |
  select(.severity == "high") |
  "\($p.name) v\($p.version): \(.cve)"'
```
Integration with Other Tools
WPScan Integration
```bash
# Use WPProbe for quick enumeration
wpprobe -u https://example.com -e plugins -o quick_enum.json
# Use WPScan for deep vulnerability scanning
wpscan --url https://example.com --enumerate vp,u \
  --api-token YOUR_TOKEN \
  --output results.json \
  --format json
```
Exploit Framework Integration
```bash
# Identify vulnerable plugin
wpprobe -u https://example.com | grep -i "vulnerable"
# Search for exploit
# Example: Contact Form 7 v5.5.2 - Local File Inclusion
searchsploit "Contact Form 7 5.5.2"
# Use in Metasploit
msfconsole
> search contact form 7
> use exploit/...
```
Custom Vulnerability Assessment
```bash
# Export enumeration data
wpprobe -u https://example.com -o data.json
# Parse and create custom assessment
python3 << 'EOF'
import json

with open('data.json') as f:
    data = json.load(f)

print("=== Plugin Risk Analysis ===")
for plugin in data['plugins']:
    # A plugin without a "vulnerabilities" key counts as zero findings
    vuln_count = len(plugin.get('vulnerabilities', []))
    if vuln_count > 0:
        print(f"{plugin['name']} v{plugin['version']}: {vuln_count} vulnerabilities")
EOF
```
Avoiding Detection
Stealthy Scanning Practices
```bash
# Add delays between requests
# Modify enumeration speed in configuration
wpprobe -u https://example.com --slow # If supported
# Or use custom wrapper
for i in {1..12}; do
    curl -s "https://example.com/?author=$i" > /dev/null
    sleep 1
done
```
Rotating User Agents
```bash
# WPProbe uses rotating user agents by default
# For additional stealth, use proxy with rotating agents
wpprobe -u https://example.com -x http://127.0.0.1:8080
# Then configure proxy to rotate user agents
```
Best Practices
- Authorization: Always obtain written permission before scanning
- Database Updates: Keep vulnerability database current before scanning
- Batch Operations: Document all scans with date/time stamps
- Escalation: Prioritize critical vulnerabilities for immediate patching
- Verification: Manually verify critical findings before reporting
- Responsible Disclosure: Follow coordinated disclosure practices
- Chain Analysis: Combine findings with WPScan and Metasploit for deeper assessment
- Documentation: Maintain detailed logs of enumeration and findings
Troubleshooting
Connection Issues
```bash
# Test WordPress detection
curl -I https://example.com
curl https://example.com | grep -i wordpress
# If not detected as WordPress
# May not be WordPress or heavily customized
wpprobe -u https://example.com -v
```
Plugin Detection Failures
```bash
# If plugins not detected
# Disable wp-content listing or use stealth mode
# Check if /wp-content/plugins/ is accessible
curl https://example.com/wp-content/plugins/
# If forbidden, enumeration is more difficult
# Rely on other detection methods (JavaScript, CSS)
```
User Enumeration Not Working
```bash
# REST API may be disabled
curl https://example.com/wp-json/wp/v2/users
# Try alternative methods (URLs are quoted so the shell does not treat ? as a glob)
curl "https://example.com/?feed=rss2" # Check author info
curl "https://example.com/?author=1" # Check 404 patterns
```
Comparative Advantages
| Feature | WPProbe | WPScan | Wpseku |
|---|---|---|---|
| Plugin Detection | Good | Excellent | Good |
| User Enumeration | Good | Good | Good |
| Vulnerability DB | Good | Excellent | Good |
| Speed | Fast | Slow | Medium |
| API Token Required | No | Yes (better) | No |
| Setup Complexity | Low | Medium | Low |
Conclusion
WPProbe is an essential tool for WordPress security assessments, enabling authorized penetration testers to quickly identify plugins, themes, users, and vulnerabilities. Combined with tools like WPScan and Metasploit, it provides comprehensive WordPress security evaluation capabilities for authorized security testing scenarios.