
WPScan and Quick WordPress Security – Fixing Directory Listing – Part 2

This is part 2 of the guide WPSCAN and quick WordPress security. It shows the reader how to fix directory listing in WordPress. Read part 1 here: WPSCAN and quick WordPress security – Part 1


Run WPSCAN


WPSCAN shows I have directory listing enabled.


root@kali: # wpscan --url technoused.blogspot.com
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                        Version v2.2
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://technoused.blogspot.com/
| Started: Sun Nov 24 14:53:26 2013

[+] robots.txt available under: 'http://technoused.blogspot.com/robots.txt'
[!] The WordPress 'http://technoused.blogspot.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://technoused.blogspot.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
 |  2 plugins found:

 | Name: google-analyticator
 | Location: http://technoused.blogspot.com/wp-content/plugins/google-analyticator/
 | Directory listing enabled: Yes

 | Name: jetpack
 | Location: http://technoused.blogspot.com/wp-content/plugins/jetpack/
 | Directory listing enabled: Yes

[+] Finished: Sun Nov 24 14:54:50 2013
[+] Memory used: 2.742 MB
[+] Elapsed time: 00:01:23
Exiting!
root@kali: #

So how do we fix this?


Fixing Directory Listing:


Option 1:


This is the easiest method of all. Add the following line to the .htaccess file that lives at the site root…


Options -Indexes

This will automatically turn off indexing for ALL folders/subfolders sitewide. If you add that line to a .htaccess file in wp-content instead, it will disable indexing not only for that folder but for the folders below it, and so forth.


Option 2:


Add the following line to the .htaccess file that lives at the site root…


IndexIgnore *

The * matches all files in the directory. What is the difference between the two? Option 2 allows you to hide only a subset of files from being viewed. For example, let’s say for some reason you want the directory content to be viewable but want to block image files. You would do this…


IndexIgnore *.gif *.png *.jpg

That should do it.
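Both options come down to writing one line into .htaccess, and the only thing that goes wrong in practice is appending the line twice or clobbering what is already there. The script below is an added example (not from the original post) that adds either directive idempotently with a backup, and also simulates which entries an IndexIgnore pattern list would still show, so the difference between `IndexIgnore *` and `IndexIgnore *.gif *.png *.jpg` can be seen without a web server. The function names and the scratch directory are this example's own choice; the pattern matching mirrors mod_autoindex's shell-style matching against the bare file name.

```shell
#!/bin/sh
# Added example: idempotent .htaccess hardening plus an IndexIgnore simulator.
# Not part of the original post; function names are this example's own.

# add_htaccess_directive DOCROOT DIRECTIVE
# Appends DIRECTIVE to DOCROOT/.htaccess unless that exact line is already
# present (exact match, so "Options -Indexes +FollowSymLinks" is not treated
# as equivalent). Any existing file is backed up first.
# Returns 0 if the file was changed, 1 if the directive was already there.
add_htaccess_directive() {
    docroot=$1
    directive=$2
    file="$docroot/.htaccess"
    if [ -f "$file" ] && grep -Fxq -- "$directive" "$file"; then
        return 1
    fi
    if [ -f "$file" ]; then
        cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    fi
    printf '%s\n' "$directive" >> "$file"
    return 0
}

# indexignore_visible "PATTERN ..."
# Reads one directory entry name per line on stdin and prints the entries an
# "IndexIgnore PATTERN ..." line would still list. Each pattern is a shell
# glob applied to the file name, as mod_autoindex does.
indexignore_visible() {
    patterns=$1
    set -f                      # keep "*" from expanding against the cwd
    while IFS= read -r name; do
        hidden=0
        for p in $patterns; do
            case $name in
                $p) hidden=1; break ;;
            esac
        done
        if [ "$hidden" -eq 0 ]; then
            printf '%s\n' "$name"
        fi
    done
    set +f
    return 0
}

# Demonstration on a scratch directory (constructed). On a real site the
# first argument would be the DocumentRoot, e.g. /var/www/html.
tmp=$(mktemp -d)
add_htaccess_directive "$tmp" 'Options -Indexes' && echo "wrote Options -Indexes"
add_htaccess_directive "$tmp" 'Options -Indexes' || echo "already present, nothing written"
cat "$tmp/.htaccess"
rm -rf "$tmp"

# Constructed plugin-directory entries: only readme.txt survives the image filter.
echo "visible with 'IndexIgnore *.gif *.png *.jpg':"
printf 'logo.gif\nbanner.png\nphoto.jpg\nreadme.txt\n' | indexignore_visible '*.gif *.png *.jpg'
```

Run it as-is to see the scratch demonstration; point `add_htaccess_directive` at the real DocumentRoot to apply Option 1 (`Options -Indexes`) or Option 2 (`IndexIgnore *`) on a live site. The backup file is what you revert to if the directive turns out to conflict with an existing `Options` line.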


Let’s put it to the test..


Testing:


Do another wpscan run.


root@kali: #
root@kali: # wpscan --url technoused.blogspot.com
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                        Version v2.2
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://technoused.blogspot.com/
| Started: Sun Nov 24 15:19:30 2013

[+] robots.txt available under: 'http://technoused.blogspot.com/robots.txt'
[!] The WordPress 'http://technoused.blogspot.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://technoused.blogspot.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
 |  2 plugins found:

 | Name: google-analyticator
 | Location: http://technoused.blogspot.com/wp-content/plugins/google-analyticator/

 | Name: jetpack
 | Location: http://technoused.blogspot.com/wp-content/plugins/jetpack/

[+] Finished: Sun Nov 24 15:21:18 2013
[+] Memory used: 2.734 MB
[+] Elapsed time: 00:01:47
Exiting!
root@kali: #

Nice, it worked like a charm: no more "Directory listing enabled" warning. Don’t forget to read part 1 of this guide, WPSCAN and quick WordPress security – Part 1.
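Re-running wpscan is one way to verify the fix; fetching the plugin directory URL yourself and classifying the response is a faster check that also tells the two options apart. The script below is an added example (not from the original post or the WPScan project): it reads a raw HTTP response (status line, headers, body) on stdin and reports `forbidden`, `listing`, `empty-index` or `other`. The label names, the `<title>Index of` marker and the sample responses are this example's own constructions; the marker is what Apache's mod_autoindex puts in the generated page.

```shell
#!/bin/sh
# Added example: classify a saved directory-URL response. Not part of the
# original post; labels, marker and sample data are this example's own.

# classify_dir_response  (reads a raw HTTP response on stdin) -> prints one of:
#   forbidden    HTTP 403, what "Options -Indexes" yields when no index file exists
#   listing      autoindex page that still lists at least one entry
#   empty-index  autoindex page with the "Index of" title but no entries,
#                which is what "IndexIgnore *" leaves behind
#   other        anything else (a real index.php page, redirect, 404, ...)
classify_dir_response() {
    resp=$(cat)                                 # whole response, read once
    status=$(printf '%s\n' "$resp" | head -n 1 | tr -d '\r' | awk '{print $2}')
    if [ "$status" = 403 ]; then
        echo forbidden
        return 0
    fi
    if printf '%s\n' "$resp" | grep -qi '<title>Index of'; then
        # mod_autoindex links each entry with a relative href; the sort links
        # start with "?" and the parent-directory link with "/", so skip those.
        entries=$(printf '%s\n' "$resp" | grep -oi 'href="[^"?/][^"]*"' | wc -l | tr -d ' ')
        if [ "$entries" -gt 0 ]; then
            echo listing
        else
            echo empty-index
        fi
        return 0
    fi
    echo other
    return 0
}

# sample_response KIND -- constructed responses, not captured from any real host.
sample_response() {
    case $1 in
        listing)
            printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
            printf '<html><head><title>Index of /wp-content/plugins</title></head><body>\n'
            printf '<h1>Index of /wp-content/plugins</h1><ul>\n'
            printf '<li><a href="/wp-content/"> Parent Directory</a></li>\n'
            printf '<li><a href="google-analyticator/"> google-analyticator/</a></li>\n'
            printf '<li><a href="jetpack/"> jetpack/</a></li></ul></body></html>\n'
            ;;
        empty-index)
            printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
            printf '<html><head><title>Index of /wp-content/plugins</title></head><body>\n'
            printf '<h1>Index of /wp-content/plugins</h1><ul>\n'
            printf '<li><a href="/wp-content/"> Parent Directory</a></li></ul></body></html>\n'
            ;;
        forbidden)
            printf 'HTTP/1.1 403 Forbidden\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
            printf '<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>\n'
            ;;
        *)
            printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
            printf '<html><head><title>My Blog</title></head><body><p>hello</p></body></html>\n'
            ;;
    esac
}

# Demonstration over the constructed samples.
for kind in listing empty-index forbidden other; do
    printf '%-12s -> %s\n' "$kind" "$(sample_response "$kind" | classify_dir_response)"
done
```

On a live site, `curl -si http://<your-site>/wp-content/plugins/ | classify_dir_response` feeds the function the same status-line-plus-headers shape the samples use. The `empty-index` label is the caveat worth knowing: with `IndexIgnore *` Apache still generates the autoindex page, just with nothing in it, so a scanner that keys on the `Index of` title can still report the directory; `Options -Indexes` makes Apache answer 403 instead.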

