Scanning OWASP BWA with WPScan
Environment
- kali linux 2
- WPScan 2.9.2
- OWASP Broken Web Application
What is WPScan?
WPScan is a vulnerability scanner for WordPress. It is open source, so anyone can use it freely.
Note: only run this tool against systems you administer yourself or for which you have obtained written permission.
Scanning OWASP Broken Web Application
Pointing a security tool straight at a production environment is too scary, so let's first run it against a WordPress that is known to be vulnerable. That is also more fun, because plenty of vulnerability information gets displayed.
This time I'll use the WordPress bundled in OWASP's Broken Web Application. Besides WordPress, OWASP BWA ships major CMSes such as Joomla and Redmine in deliberately vulnerable states, which makes it a good practice target for vulnerability assessment.
Create two virtual machines in VirtualBox and install Kali Linux and OWASP BWA on them. Attach both to a NAT Network so they can reach each other; the OWASP BWA machine gets the IP 10.0.2.6 and the Kali Linux machine 10.0.2.4.
Now, to run the most basic scan, type the following command on Kali Linux.
$ wpscan --url 10.0.2.6/wordpress
This scans WordPress core and its plugins for vulnerabilities. Right after starting, WPScan asks whether you want to run an update; since this environment is cut off from the outside, choose No.
root@kali:~# wpscan --url 10.0.2.6/wordpress
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]N

[+] URL: http://10.0.2.6/wordpress/
[+] Started: Tue May  2 20:45:13 2017

[!] The WordPress 'http://10.0.2.6/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
[+] Interesting header: STATUS: 200 OK
[+] Interesting header: X-POWERED-BY: PHP/5.3.2-1ubuntu4.30
[+] XML-RPC Interface available under: http://10.0.2.6/wordpress/xmlrpc.php
[!] Includes directory has directory listing enabled: http://10.0.2.6/wordpress/wp-includes/

[+] WordPress version 2.0 (Released on 2005-12-26) identified from advanced fingerprinting, meta generator, links opml

[!] 12 vulnerabilities identified from the version number

[!] Title: WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning
    Reference: https://wpvulndb.com/vulnerabilities/5988
    Reference: https://github.com/FireFart/WordpressPingbackPortScanner
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0235
[i] Fixed in: 3.5.1

[!] Title: WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues
    Reference: https://wpvulndb.com/vulnerabilities/5989
    Reference: http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

[!] Title: WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions
    Reference: https://wpvulndb.com/vulnerabilities/6009
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5293
[i] Fixed in: 3.0.2

[!] Title: WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()
    Reference: https://wpvulndb.com/vulnerabilities/6010
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5294
[i] Fixed in: 3.0.2

[!] Title: WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php
    Reference: https://wpvulndb.com/vulnerabilities/6011
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5295
[i] Fixed in: 3.0.2

[!] Title: WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass
    Reference: https://wpvulndb.com/vulnerabilities/6012
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5296
[i] Fixed in: 3.0.2

[!] Title: WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass
    Reference: https://wpvulndb.com/vulnerabilities/6013
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5297
[i] Fixed in: 3.0

[!] Title: WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass
    Reference: https://wpvulndb.com/vulnerabilities/6019
    Reference: http://www.securityfocus.com/bid/35584/

[!] Title: WordPress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS
    Reference: https://wpvulndb.com/vulnerabilities/6033
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5105
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5106
[i] Fixed in: 2.0.2

[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
    Reference: https://wpvulndb.com/vulnerabilities/7681
    Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
    Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
    Reference: https://www.exploit-db.com/exploits/35413/
    Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
    Reference: https://wpvulndb.com/vulnerabilities/7696
    Reference: http://www.securityfocus.com/bid/71234/
    Reference: https://core.trac.wordpress.org/changeset/30444
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
    Reference: https://wpvulndb.com/vulnerabilities/8719
    Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.7.1

[+] WordPress theme in use: default - v1.5

[+] Name: default - v1.5
 |  Location: http://10.0.2.6/wordpress/wp-content/themes/default/
[!] The version is out of date, the latest version is 1.7.2
 |  Style URL: http://10.0.2.6/wordpress/wp-content/themes/default/style.css
 |  Theme Name: WordPress Default
 |  Theme URI: http://wordpress.org/
 |  Description: The default WordPress theme based on the famous <a href="http://binarybonsai.com/kubrick/">Kubric...
 |  Author: Michael Heilemann
 |  Author URI: http://binarybonsai.com/

[+] Enumerating plugins from passive detection ...
 | 1 plugin found:

[+] Name: mygallery
 |  Location: http://10.0.2.6/wordpress/wp-content/plugins/mygallery/
 |  Changelog: http://10.0.2.6/wordpress/wp-content/plugins/mygallery/changelog.txt
[!] Directory listing is enabled: http://10.0.2.6/wordpress/wp-content/plugins/mygallery/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: myGallery <= 1.4b4 - Remote File Inclusion
    Reference: https://wpvulndb.com/vulnerabilities/6506
    Reference: https://www.exploit-db.com/exploits/3814/

[+] Finished: Tue May  2 20:45:16 2017
[+] Requests Done: 78
[+] Memory used: 61.359 MB
[+] Elapsed time: 00:00:03
The WordPress in OWASP BWA is version 2.0, so, as you would expect, a lot gets listed. As of May 2, 2017 the latest WordPress release is 4.7.4. Do keep your WordPress up to date...
Next, I'd like to try a dictionary-based brute-force attack.
References
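The report above is plain text, so triaging a long one by hand gets tedious. The Python parser below is an added example (not part of the original post and not WPScan's own code) that turns the "[!] Title" / "Reference" / "[i] Fixed in" blocks of a WPScan 2.9 report into structured findings, pulls out the CVE ids, and works out the lowest core version that closes every core finding; the excerpt it runs on is constructed from the output shown above.

```python
import re

# Constructed excerpt in the shape of the WPScan 2.9 report shown above
# (two core findings plus the plugin finding); not the full output.
SAMPLE_REPORT = """\
[!] Title: WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning
    Reference: https://wpvulndb.com/vulnerabilities/5988
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0235
[i] Fixed in: 3.5.1

[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
    Reference: https://wpvulndb.com/vulnerabilities/8719
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.7.1

[!] Title: myGallery <= 1.4b4 - Remote File Inclusion
    Reference: https://wpvulndb.com/vulnerabilities/6506
[+] Finished: Tue May  2 20:45:16 2017
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def value(line):
    """Text after the first ':' (none of the prefixes we match contains a colon)."""
    return line.split(":", 1)[1].strip()

def parse_findings(report):
    """Group each '[!] Title:' block with its Reference and 'Fixed in' lines."""
    findings, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("[!] Title:"):
            current = {"title": value(line), "references": [], "cves": [], "fixed_in": None}
            findings.append(current)
        elif current is None:
            continue  # banner, headers and summary lines outside a finding
        elif line.startswith("Reference:"):
            current["references"].append(value(line))
            current["cves"] += CVE_RE.findall(line)
        elif line.startswith("[i] Fixed in:"):
            current["fixed_in"] = value(line)
            current = None  # 'Fixed in' closes the block
    return findings

def core_upgrade_target(findings):
    """Highest 'Fixed in' among core findings (titles start with 'WordPress'):
    the lowest upgrade that closes all of them; plugin findings are skipped."""
    fixed = [f["fixed_in"] for f in findings
             if f["fixed_in"] and f["title"].startswith("WordPress")]
    return max(fixed, key=lambda v: tuple(map(int, v.split(".")))) if fixed else None
```

Feed it a saved report (for example the text of the run above) and compare `core_upgrade_target` with the version actually deployed to get a one-line patch verdict.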
- https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
- https://github.com/wpscanteam/wpscan