Security Record

Publishing information on security in general

Running a WordPress vulnerability scan with WPScan and Nikto

Note: running what is introduced here against an external server may, depending on the circumstances, be punishable under criminal law. When experimenting, always build a test server in a local environment and run the tools against that.

Running the WPScan command

We run a WordPress vulnerability scan with WPScan.
The target is the WordPress 5.0 instance installed on XAMPP the other day.

wpscan --url http://localhost/blog/ --enumerate vp,vt,tt,u --plugins-detection mixed --api-token xxxxxxxxxxxxxxxxxxxxxxx

Run the command above.
The meaning of each option is as follows.

About the options

--api-token option

A WPScan scan can use the WordPress Vulnerability Database API to fetch WordPress vulnerability data in real time and match it against what it detects.
An API token is obtained by registering a user account at wpscan.com, and it must be passed with the --api-token option.
On the free plan the number of API requests per day is capped at 25. If you need to scan many sites, you have to switch to a paid plan.

--format option

Outputting the scan results as JSON makes later aggregation easier.
To get JSON output, just specify --format json.

--output option

To write the scan results to a file, just specify the --output option.

--enumerate option

Specifying --enumerate or -e changes what the scan enumerates.

If neither --enumerate nor -e is given, the result is the same as specifying vp,vt,tt,cb,dbe,u,m.

  • vp (Vulnerable plugins): vulnerable plugins
  • ap (All plugins): all plugins
  • p (Popular plugins): popular plugins
  • vt (Vulnerable themes): vulnerable themes
  • at (All themes): all themes
  • t (Popular themes): popular themes
  • tt (Timthumbs): Timthumb files
  • cb (Config backups): backups of wp-config
  • dbe (Db exports): database exports
  • u (User IDs range, e.g. u1-5): user names; writing u1-5 gives the range of IDs to check
  • m (Media IDs range, e.g. m1-15): media; writing m1-5 gives the range of IDs to check

Scan results

When the scan finishes, the results are displayed as follows.

Scan results without --format

Command run

┌──(root㉿kali)-[~]
└─# wpscan --url http://localhost/blog/ --enumerate vp,vt,tt,u --plugins-detection mixed --api-token xxxxxxxxxxxxxxxxxxxxxxx

Scan results

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://localhost/blog/ [::1]
[+] Started: Tue May 23 21:49:14 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1n PHP/7.4.28 mod_perl/2.0.12 Perl/v5.34.1
 |  - X-Powered-By: PHP/7.4.28
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://localhost/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://localhost/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://localhost/blog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://localhost/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0.19 identified (Outdated, released on 0001-01-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://localhost/blog/feed/, <generator>https://wordpress.org/?v=5.0.19</generator>
 |  - http://localhost/blog/comments/feed/, <generator>https://wordpress.org/?v=5.0.19</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://localhost/blog/wp-content/themes/twentynineteen/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://localhost/blog/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.5
 | Style URL: http://localhost/blog/wp-content/themes/twentynineteen/style.css?ver=1.0
 | Style Name: Twenty Nineteen
 | Style URI: https://github.com/WordPress/twentynineteen
 | Description: A new Gutenberg-ready theme....
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://localhost/blog/wp-content/themes/twentynineteen/style.css?ver=1.0, Match: 'Version: 1.0'

[+] Enumerating Vulnerable Plugins (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:03:43 <================================> (5611 / 5611) 100.00% Time: 00:03:43
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://localhost/blog/wp-content/plugins/akismet/
 | Latest Version: 5.1
 | Last Updated: 2023-04-05T10:17:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://localhost/blog/wp-content/plugins/akismet/, status: 403
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
 |     Fixed in: 3.1.5
 |     References:
 |      - https://wpscan.com/vulnerability/1a2f3094-5970-4251-9ed0-ec595a0cd26c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
 |      - http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
 |      - https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
 |
 | The version could not be determined.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:21 <==================================> (500 / 500) 100.00% Time: 00:00:21
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:01:58 <================================> (2575 / 2575) 100.00% Time: 00:01:58

[i] No Timthumbs Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] root
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://localhost/blog/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 72

[+] Finished: Tue May 23 21:55:27 2023
[+] Requests Done: 8744
[+] Cached Requests: 12
[+] Data Sent: 2.39 MB
[+] Data Received: 3.425 MB
[+] Memory used: 290.727 MB
[+] Elapsed time: 00:06:13

Scan results with --format json

Command run

┌──(root㉿kali)-[/home/kali]
└─# wpscan --url http://localhost/blog/ --enumerate vp,vt,tt,u --plugins-detection mixed --format json

Scan results

Because the command used for JSON output did not pass an API token with --api-token, the vulnerabilities arrays are empty, but you can see that all the other information was still collected.

{
  "banner": {
    "description": "WordPress Security Scanner by the WPScan Team",
    "version": "3.8.22",
    "authors": [
      "@_WPScan_",
      "@ethicalhack3r",
      "@erwan_lr",
      "@firefart"
    ],
    "sponsor": "Sponsored by Automattic - https://automattic.com/"
  },
  "start_time": 1685020888,
  "start_memory": 56827904,
  "target_url": "http://localhost/blog/",
  "target_ip": "::1",
  "effective_url": "http://localhost/blog/",
  "interesting_findings": [
    {
      "url": "http://localhost/blog/",
      "to_s": "Headers",
      "type": "headers",
      "found_by": "Headers (Passive Detection)",
      "confidence": 100,
      "confirmed_by": {

      },
      "references": {

      },
      "interesting_entries": [
        "Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1n PHP/7.4.28 mod_perl/2.0.12 Perl/v5.34.1",
        "X-Powered-By: PHP/7.4.28"
      ]
    },
    {
      "url": "http://localhost/blog/xmlrpc.php",
      "to_s": "XML-RPC seems to be enabled: http://localhost/blog/xmlrpc.php",
      "type": "xmlrpc",
      "found_by": "Direct Access (Aggressive Detection)",
      "confidence": 100,
      "confirmed_by": {

      },
      "references": {
        "url": [
          "http://codex.wordpress.org/XML-RPC_Pingback_API"
        ],
        "metasploit": [
          "auxiliary/scanner/http/wordpress_ghost_scanner",
          "auxiliary/dos/http/wordpress_xmlrpc_dos",
          "auxiliary/scanner/http/wordpress_xmlrpc_login",
          "auxiliary/scanner/http/wordpress_pingback_access"
        ]
      },
      "interesting_entries": [

      ]
    },
    {
      "url": "http://localhost/blog/readme.html",
      "to_s": "WordPress readme found: http://localhost/blog/readme.html",
      "type": "readme",
      "found_by": "Direct Access (Aggressive Detection)",
      "confidence": 100,
      "confirmed_by": {

      },
      "references": {

      },
      "interesting_entries": [

      ]
    },
    {
      "url": "http://localhost/blog/wp-content/uploads/",
      "to_s": "Upload directory has listing enabled: http://localhost/blog/wp-content/uploads/",
      "type": "upload_directory_listing",
      "found_by": "Direct Access (Aggressive Detection)",
      "confidence": 100,
      "confirmed_by": {

      },
      "references": {

      },
      "interesting_entries": [

      ]
    },
    {
      "url": "http://localhost/blog/wp-cron.php",
      "to_s": "The external WP-Cron seems to be enabled: http://localhost/blog/wp-cron.php",
      "type": "wp_cron",
      "found_by": "Direct Access (Aggressive Detection)",
      "confidence": 60,
      "confirmed_by": {

      },
      "references": {
        "url": [
          "https://www.iplocation.net/defend-wordpress-from-ddos",
          "https://github.com/wpscanteam/wpscan/issues/1299"
        ]
      },
      "interesting_entries": [

      ]
    }
  ],
  "version": {
    "number": "5.0.19",
    "release_date": "0001-01-01",
    "status": "outdated",
    "found_by": "Rss Generator (Passive Detection)",
    "confidence": 100,
    "interesting_entries": [
      "http://localhost/blog/feed/, <generator>https://wordpress.org/?v=5.0.19</generator>",
      "http://localhost/blog/comments/feed/, <generator>https://wordpress.org/?v=5.0.19</generator>"
    ],
    "confirmed_by": {

    },
    "vulnerabilities": [

    ]
  },
  "main_theme": {
    "slug": "twentynineteen",
    "location": "http://localhost/blog/wp-content/themes/twentynineteen/",
    "latest_version": "2.5",
    "last_updated": "2023-03-29T00:00:00.000Z",
    "outdated": true,
    "readme_url": "http://localhost/blog/wp-content/themes/twentynineteen/readme.txt",
    "directory_listing": false,
    "error_log_url": null,
    "style_url": "http://localhost/blog/wp-content/themes/twentynineteen/style.css?ver=1.0",
    "style_name": "Twenty Nineteen",
    "style_uri": "https://github.com/WordPress/twentynineteen",
    "description": "A new Gutenberg-ready theme.",
    "author": "the WordPress team",
    "author_uri": "https://wordpress.org/",
    "template": null,
    "license": "GNU General Public License v2 or later",
    "license_uri": "LICENSE",
    "tags": "custom-background, custom-logo, custom-menu, featured-images, threaded-comments, translation-ready",
    "text_domain": "twentynineteen",
    "found_by": "Css Style In Homepage (Passive Detection)",
    "confidence": 100,
    "interesting_entries": [

    ],
    "confirmed_by": {
      "Css Style In 404 Page (Passive Detection)": {
        "confidence": 70,
        "interesting_entries": [

        ]
      }
    },
    "vulnerabilities": [

    ],
    "version": {
      "number": "1.0",
      "confidence": 80,
      "found_by": "Style (Passive Detection)",
      "interesting_entries": [
        "http://localhost/blog/wp-content/themes/twentynineteen/style.css?ver=1.0, Match: 'Version: 1.0'"
      ],
      "confirmed_by": {

      }
    },
    "parents": [

    ]
  },
  "plugins": {

  },
  "themes": {

  },
  "timthumbs": {

  },
  "users": {
    "root": {
      "id": null,
      "found_by": "Author Posts - Author Pattern (Passive Detection)",
      "confidence": 100,
      "interesting_entries": [

      ],
      "confirmed_by": {
        "Rss Generator (Passive Detection)": {
          "confidence": 50,
          "interesting_entries": [

          ]
        },
        "Wp Json Api (Aggressive Detection)": {
          "confidence": 100,
          "interesting_entries": [
            "http://localhost/blog/wp-json/wp/v2/users/?per_page=100&page=1"
          ]
        },
        "Rss Generator (Aggressive Detection)": {
          "confidence": 50,
          "interesting_entries": [

          ]
        },
        "Author Id Brute Forcing - Author Pattern (Aggressive Detection)": {
          "confidence": 100,
          "interesting_entries": [

          ]
        }
      }
    }
  },
  "vuln_api": {
    "error": "No WPScan API Token given, as a result vulnerability data has not been output.\nYou can get a free API token with 25 daily requests by registering at https://wpscan.com/register"
  },
  "stop_time": 1685021326,
  "elapsed": 437,
  "requests_done": 8708,
  "cached_requests": 39,
  "data_sent": 2496011,
  "data_sent_humanised": "2.38 MB",
  "data_received": 3408121,
  "data_received_humanised": "3.25 MB",
  "used_memory": 304201728,
  "used_memory_humanised": "290.109 MB"
}
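As an added example (not code from the original post or from WPScan itself), here is a small Python triage script that parses the --format json structure shown above and flattens it into severity-tagged findings that can be aggregated across many scans. The severity weights, the predictable-username list and the embedded sample report are this example's own assumptions; the sample is a constructed, shortened copy of the scan above with the Akismet finding from the text output added.

```python
"""Triage helper for WPScan --format json reports.

Added example, not code from the original post or from WPScan itself. It walks
the report structure shown above (interesting_findings, version, main_theme,
plugins, users, vuln_api) and flattens it into one severity-tagged list. The
severity weights and the predictable-username list are assumptions made here.
"""
import json
from collections import Counter

# Constructed sample: a shortened copy of the scan above, with the akismet
# finding from the text output added in the JSON shape WPScan uses when an
# API token is supplied (vuln_api then carries plan/quota instead of "error").
SAMPLE_REPORT = r'''{
  "target_url": "http://localhost/blog/",
  "interesting_findings": [
    {"url": "http://localhost/blog/xmlrpc.php", "type": "xmlrpc", "confidence": 100,
     "to_s": "XML-RPC seems to be enabled: http://localhost/blog/xmlrpc.php"},
    {"url": "http://localhost/blog/wp-content/uploads/", "type": "upload_directory_listing",
     "confidence": 100, "to_s": "Upload directory has listing enabled"}
  ],
  "version": {"number": "5.0.19", "status": "outdated", "confidence": 100, "vulnerabilities": []},
  "main_theme": {"slug": "twentynineteen", "outdated": true, "vulnerabilities": []},
  "plugins": {
    "akismet": {
      "latest_version": "5.1", "version": null,
      "vulnerabilities": [
        {"title": "Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)",
         "fixed_in": "3.1.5", "references": {"cve": ["2015-9357"]}}
      ]
    }
  },
  "users": {"root": {"id": null, "confidence": 100}},
  "vuln_api": {"plan": "free", "requests_remaining": 72}
}'''

# Assumed triage weights for the finding types WPScan reported on this page.
SEVERITY_BY_TYPE = {
    "xmlrpc": "medium",                    # pingback amplification / login surface
    "upload_directory_listing": "medium",  # exposes every uploaded file name
    "wp_cron": "low",
    "readme": "low",
}
# Assumed set of account names worth flagging when they are enumerable.
PREDICTABLE_USERNAMES = {"admin", "administrator", "root", "wordpress", "test"}
ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def _add_vulns(component, obj, findings):
    """Every vulnerability entry WPScan attaches to a component is a high finding."""
    for v in obj.get("vulnerabilities") or []:
        cves = (v.get("references") or {}).get("cve") or []
        findings.append({"component": component, "severity": "high",
                         "detail": v.get("title", "(untitled)"),
                         "fixed_in": v.get("fixed_in"),
                         "cve": ["CVE-" + c for c in cves]})


def summarise(report):
    """Flatten one WPScan JSON report into severity-tagged findings plus counts."""
    findings = []
    for f in report.get("interesting_findings") or []:
        findings.append({"component": "core", "confidence": f.get("confidence", 0),
                         "severity": SEVERITY_BY_TYPE.get(f.get("type"), "info"),
                         "detail": f.get("to_s") or f.get("url", "")})
    core = report.get("version") or {}
    if core.get("status") == "outdated":
        findings.append({"component": "core", "severity": "medium",
                         "detail": "WordPress %s is outdated" % core.get("number")})
    _add_vulns("core", core, findings)
    theme = report.get("main_theme") or {}
    theme_name = "theme:" + theme.get("slug", "?")
    if theme.get("outdated"):
        findings.append({"component": theme_name, "severity": "low", "detail": "theme is outdated"})
    _add_vulns(theme_name, theme, findings)
    for slug, plugin in (report.get("plugins") or {}).items():
        if plugin.get("version") is None:
            # "The version could not be determined." in the text output: confirm on the host.
            findings.append({"component": "plugin:" + slug, "severity": "info",
                             "detail": "version unknown; vulnerability match is unconfirmed"})
        _add_vulns("plugin:" + slug, plugin, findings)
    for name in report.get("users") or {}:
        sev = "low" if name.lower() in PREDICTABLE_USERNAMES else "info"
        findings.append({"component": "users", "severity": sev,
                         "detail": "enumerable account: " + name})
    # Without an API token WPScan sets vuln_api.error and emits no vulnerability data at all.
    return {"target": report.get("target_url"),
            "vuln_data_complete": "error" not in (report.get("vuln_api") or {}),
            "counts": dict(Counter(f["severity"] for f in findings)),
            "findings": sorted(findings, key=lambda f: ORDER[f["severity"]])}


def summarise_text(text):
    return summarise(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(summarise_text(SAMPLE_REPORT), indent=2))
```

Feed it the file written by --output, or pipe the scanner's stdout into it, and the vuln_data_complete flag tells you whether an empty vulnerabilities list means "clean" or merely "no API token".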

What the WPScan scan revealed

A cross-site scripting vulnerability was reported in a plugin that is installed by default (Akismet).

Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)

Checking with Metasploit Framework whether exploit code exists

Since WPScan found a vulnerable plugin, I'll check whether exploit code for it exists in the Metasploit database.

Starting Metasploit Framework

Start Metasploit Framework with the msfconsole command.

┌──(root㉿kali)-[/home/kali]
└─# msfconsole

Searching for exploit code

Use the search command to look for exploit code registered for the Akismet 2.5.0-3.1.4 plugin. The search command searches the Metasploit database.

msf6 > search WordPress Plugin

Matching Modules
================

   #   Name                                                           Disclosure Date  Rank       Check  Description
   -   ----                                                           ---------------  ----       -----  -----------
   0   auxiliary/scanner/http/wp_abandoned_cart_sqli                  2020-11-05       normal     No     Abandoned Cart for WooCommerce SQLi Scanner
   1   exploit/windows/ftp/easyftp_cwd_fixret                         2010-02-16       great      Yes    EasyFTP Server CWD Command Stack Buffer Overflow
   2   exploit/linux/misc/quest_pmmasterd_bof                         2017-04-09       normal     Yes    Quest Privilege Manager pmmasterd Buffer Overflow
   3   exploit/multi/php/wp_duplicator_code_inject                    2018-08-29       manual     Yes    Snap Creek Duplicator WordPress plugin code injection
   4   exploit/multi/http/wp_db_backup_rce                            2019-04-24       excellent  Yes    WP Database Backup RCE
   5   exploit/multi/http/wp_ait_csv_rce                              2020-11-14       excellent  Yes    WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
   6   exploit/unix/webapp/wp_admin_shell_upload                      2015-02-21       excellent  Yes    WordPress Admin Shell Upload
   7   auxiliary/gather/wp_all_in_one_migration_export                2015-03-19       normal     Yes    WordPress All-in-One Migration Export
   8   exploit/unix/webapp/wp_asset_manager_upload_exec               2012-05-26       excellent  Yes    WordPress Asset-Manager PHP File Upload Vulnerability
   9   auxiliary/scanner/http/wordpress_cp_calendar_sqli              2015-03-03       normal     No     WordPress CP Multi-View Calendar Unauthenticated SQL Injection Scanner
   10  auxiliary/scanner/http/wp_chopslider_id_sqli                   2020-05-12       normal     No     WordPress ChopSlider3 id SQLi Scanner
   11  auxiliary/scanner/http/wp_dukapress_file_read                                   normal     No     WordPress DukaPress Plugin File Read Vulnerability
   12  auxiliary/scanner/http/wp_duplicator_file_read                 2020-02-19       normal     No     WordPress Duplicator File Read Vulnerability
   13  auxiliary/scanner/http/wp_easy_wp_smtp                         2020-12-06       normal     No     WordPress Easy WP SMTP Password Reset
   14  auxiliary/scanner/http/wp_email_sub_news_sqli                  2019-11-13       normal     No     WordPress Email Subscribers and Newsletter Hash SQLi Scanner
   15  exploit/multi/http/wp_file_manager_rce                         2020-09-09       normal     Yes    WordPress File Manager Unauthenticated Remote Code Execution
   16  auxiliary/scanner/http/wp_gimedia_library_file_read                             normal     No     WordPress GI-Media Library Plugin Directory Traversal Vulnerability
   17  auxiliary/admin/http/wp_google_maps_sqli                       2019-04-02       normal     Yes    WordPress Google Maps Plugin SQL Injection
   18  exploit/unix/webapp/wp_infinitewp_auth_bypass                  2020-01-14       manual     Yes    WordPress InfiniteWP Client Authentication Bypass
   19  auxiliary/scanner/http/wp_loginizer_log_sqli                   2020-10-21       normal     No     WordPress Loginizer log SQLi Scanner
   20  auxiliary/scanner/http/wp_mobileedition_file_read                               normal     No     WordPress Mobile Edition File Read Vulnerability
   21  auxiliary/scanner/http/wp_mobile_pack_info_disclosure                           normal     No     WordPress Mobile Pack Information Disclosure Vulnerability
   22  auxiliary/scanner/http/wp_modern_events_calendar_sqli          2021-12-13       normal     Yes    WordPress Modern Events Calendar SQLi Scanner
   23  auxiliary/scanner/http/wp_nextgen_galley_file_read                              normal     No     WordPress NextGEN Gallery Directory Read Vulnerability
   24  exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload  2016-05-04       excellent  Yes    WordPress Ninja Forms Unauthenticated File Upload
   25  exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload  2014-11-11       excellent  Yes    WordPress Photo Gallery Unrestricted File Upload
   26  exploit/unix/webapp/wp_pixabay_images_upload                   2015-01-19       excellent  Yes    WordPress Pixabay Images PHP Code Upload
   27  exploit/unix/webapp/wp_advanced_custom_fields_exec             2012-11-14       excellent  Yes    WordPress Plugin Advanced Custom Fields Remote File Inclusion
   28  auxiliary/admin/http/wp_automatic_plugin_privesc               2021-09-06       normal     Yes    WordPress Plugin Automatic Config Change to RCE
   29  exploit/unix/webapp/wp_foxypress_upload                        2012-06-05       excellent  Yes    WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution
   30  exploit/unix/webapp/wp_google_document_embedder_exec           2013-01-03       normal     Yes    WordPress Plugin Google Document Embedder Arbitrary File Disclosure
   31  exploit/unix/webapp/wp_pie_register_bypass_rce                 2021-10-08       excellent  Yes    WordPress Plugin Pie Register Auth Bypass to RCE
   32  exploit/multi/http/wp_responsive_thumbnail_slider_upload       2015-08-28       excellent  Yes    WordPress Responsive Thumbnail Slider Arbitrary File Upload
   33  exploit/unix/webapp/wp_revslider_upload_execute                2014-11-26       excellent  Yes    WordPress RevSlider File Upload and Execute Vulnerability
   34  auxiliary/scanner/http/wp_simple_backup_file_read                               normal     No     WordPress Simple Backup File Read Vulnerability
   35  exploit/multi/http/wp_simple_file_list_rce                     2020-04-27       good       Yes    WordPress Simple File List Unauthenticated Remote Code Execution
   36  auxiliary/scanner/http/wp_subscribe_comments_file_read                          normal     No     WordPress Subscribe Comments File Read Vulnerability
   37  auxiliary/admin/http/wp_symposium_sql_injection                2015-08-18       normal     Yes    WordPress Symposium Plugin SQL Injection
   38  auxiliary/scanner/http/wp_total_upkeep_downloader              2020-12-12       normal     No     WordPress Total Upkeep Unauthenticated Backup Downloader
   39  auxiliary/dos/http/wordpress_directory_traversal_dos                            normal     No     WordPress Traversal Directory DoS
   40  auxiliary/gather/wp_ultimate_csv_importer_user_extract         2015-02-02       normal     Yes    WordPress Ultimate CSV Importer User Table Extract
   41  exploit/unix/webapp/wp_total_cache_exec                        2013-04-17       excellent  Yes    WordPress W3 Total Cache PHP Code Execution
   42  auxiliary/gather/wp_w3_total_cache_hash_extract                                 normal     No     WordPress W3-Total-Cache Plugin 0.9.2.4 (or before) Username and Hash Extract
   43  auxiliary/admin/http/wp_easycart_privilege_escalation          2015-02-25       normal     Yes    WordPress WP EasyCart Plugin Privilege Escalation
   44  exploit/unix/webapp/wp_easycart_unrestricted_file_upload       2015-01-08       excellent  No     WordPress WP EasyCart Unrestricted File Upload
   45  auxiliary/admin/http/wp_gdpr_compliance_privesc                2018-11-08       normal     Yes    WordPress WP GDPR Compliance Plugin Privilege Escalation
   46  exploit/unix/webapp/wp_mobile_detector_upload_execute          2016-05-31       excellent  Yes    WordPress WP Mobile Detector 3.5 Shell Upload
   47  exploit/unix/webapp/wp_symposium_shell_upload                  2014-12-11       excellent  Yes    WordPress WP Symposium 14.11 Shell Upload
   48  exploit/unix/webapp/wp_property_upload_exec                    2012-03-26       excellent  Yes    WordPress WP-Property PHP File Upload Vulnerability
   49  exploit/unix/webapp/wp_wptouch_file_upload                     2014-07-14       excellent  Yes    WordPress WPTouch Authenticated File Upload
   50  exploit/unix/webapp/wp_wpshop_ecommerce_file_upload            2015-03-09       excellent  Yes    WordPress WPshop eCommerce Arbitrary File Upload Vulnerability
   51  auxiliary/admin/http/wp_custom_contact_forms                   2014-08-07       normal     No     WordPress custom-contact-forms Plugin SQL Upload
   52  exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload    2020-02-21       excellent  Yes    WordPress wpDiscuz Unauthenticated File Upload Vulnerability
   53  auxiliary/gather/wp_bookingpress_category_services_sqli        2022-02-28       normal     Yes    Wordpress BookingPress bookingpress_front_get_category_services SQLi
   54  auxiliary/scanner/http/wp_bulletproofsecurity_backups          2021-09-17       normal     No     Wordpress BulletProof Security Backup Disclosure
   55  exploit/unix/webapp/wp_downloadmanager_upload                  2014-12-03       excellent  Yes    Wordpress Download Manager (download-manager) Unauthenticated File Upload
   56  exploit/unix/webapp/wp_frontend_editor_file_upload             2012-07-04       excellent  Yes    Wordpress Front-end Editor File Upload
   57  exploit/unix/webapp/wp_infusionsoft_upload                     2014-09-25       excellent  Yes    Wordpress InfusionSoft Upload Vulnerability
   58  auxiliary/scanner/http/wp_learnpress_sqli                      2020-04-29       normal     No     Wordpress LearnPress current_items Authenticated SQLi
   59  exploit/unix/webapp/wp_wysija_newsletters_upload               2014-07-01       excellent  Yes    Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload
   60  auxiliary/admin/http/wp_masterstudy_privesc                    2022-02-18       normal     Yes    Wordpress MasterStudy Admin Account Creation
   61  exploit/unix/webapp/wp_nmediawebsite_file_upload               2015-04-12       excellent  Yes    Wordpress N-Media Website Contact Form Upload Vulnerability
   62  auxiliary/scanner/http/wp_paid_membership_pro_code_sqli        2023-01-12       normal     Yes    Wordpress Paid Membership Pro code Unauthenticated SQLi
   63  exploit/unix/webapp/wp_plainview_activity_monitor_rce          2018-08-26       excellent  Yes    Wordpress Plainview Activity Monitor RCE
   64  exploit/multi/http/wp_plugin_backup_guard_rce                  2021-05-04       excellent  Yes    Wordpress Plugin Backup Guard - Authenticated Remote Code Execution
   65  exploit/multi/http/wp_catch_themes_demo_import                 2021-10-21       normal     Yes    Wordpress Plugin Catch Themes Demo Import RCE
   66  exploit/multi/http/wp_plugin_elementor_auth_upload_rce         2022-03-29       excellent  Yes    Wordpress Plugin Elementor Authenticated Upload Remote Code Execution
   67  exploit/multi/http/wp_plugin_modern_events_calendar_rce        2021-01-29       excellent  Yes    Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution
   68  exploit/multi/http/wp_plugin_sp_project_document_rce           2021-06-14       excellent  Yes    Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution
   69  exploit/multi/http/wp_popular_posts_rce                        2021-06-11       normal     Yes    Wordpress Popular Posts Authenticated RCE
   70  auxiliary/scanner/http/wp_registrationmagic_sqli               2022-01-23       normal     Yes    Wordpress RegistrationMagic task_ids Authenticated SQLi
   71  auxiliary/scanner/http/wordpress_scanner                                        normal     No     Wordpress Scanner
   72  auxiliary/scanner/http/wp_secure_copy_content_protection_sqli  2021-11-08       normal     Yes    Wordpress Secure Copy Content Protection and Content Locking sccp_id Unauthenticated SQLi
   73  exploit/unix/webapp/wp_slideshowgallery_upload                 2014-08-28       excellent  Yes    Wordpress SlideShow Gallery Authenticated File Upload
   74  exploit/unix/webapp/wp_worktheflow_upload                      2015-03-14       excellent  Yes    Wordpress Work The Flow Upload Vulnerability

This time there did not seem to be any exploit code for the plugin in question, but when exploit code is found, it can be used to launch an attack against the target site.

Also trying a vulnerability scan with Nikto

Since no exploit code was found for the WPScan finding, I next tried checking for vulnerabilities with Nikto as well. Nikto is also a dictionary-based vulnerability scanner.

Command run

┌──(root㉿kali)-[/home/kali]
└─# nikto -h localhost   

Results

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2023-05-25 23:20:18 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1n PHP/7.4.28 mod_perl/2.0.12 Perl/v5.34.1
+ /: Retrieved x-powered-by header: PHP/7.4.28.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://localhost/dashboard/
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.4.53 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/7.4.28 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OpenSSL/1.1.1n appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /webalizer/: Directory indexing found.
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpmyadmin/: Uncommon header 'x-ob_mode' found, with contents: 1.
+ /phpmyadmin/: phpMyAdmin directory found.
+ /blog/wp-login.php: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /blog/wp-login.php: Wordpress login found.
+ /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
+ 8657 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2023-05-25 23:20:46 (GMT9) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

It appears a critical issue was found: http://localhost/phpmyadmin/ is reachable. If the attacker's goal were to wreck the site, brute-forcing this login screen would seem more efficient. A tool called Hydra is used for brute-force attacks, but I'll describe how it is used in a separate article.

What the investigation revealed

What WPScan revealed

  • The xmlrpc.php file is enabled.
  • The readme.html file is accessible.
  • The upload directory can be accessed directly (listing enabled).
  • The wp-cron.php file is enabled.
  • WordPress version 5.0.19 is flagged as outdated.
  • The theme in use, twentynineteen, is flagged as outdated.
  • The user name root is in use.

What Nikto revealed

Summary

Although it depends on the attacker's ultimate goal, I expect attackers to use several scanning tools during reconnaissance, find the vulnerability that looks most efficient to attack, and go after that. My impression is that the defending side, too, may be better off not relying on a single scanning tool.