
Scanning OWASP BWA with WPScan

kawa.xxx

Environment

  • Kali Linux 2
  • WPScan 2.9.2
  • OWASP Broken Web Application

What is WPScan?

WPScan is a vulnerability scanner for WordPress. It is open source, so anyone is free to use it.

Note: only run this tool against systems you administer yourself or for which you have obtained written permission.

Scanning OWASP Broken Web Application

Pointing a security tool straight at a production environment just to try it out is too frightening, so let's first run it against a deliberately vulnerable WordPress. That is also more fun, since all sorts of vulnerability information gets displayed.

This time I'll use the WordPress instance included in the Broken Web Application provided by OWASP. Besides WordPress, OWASP BWA bundles other major CMSes and similar applications such as Joomla and Redmine in a vulnerable state, which makes it useful for practising vulnerability assessment.

Create two virtual machines in VirtualBox and install Kali Linux and OWASP BWA on them. Then put them on a NAT Network so they can talk to each other, with OWASP BWA at IP 10.0.2.6 and Kali Linux at IP 10.0.2.4.

Now, to run the most basic scan, type the following command on Kali Linux.

$ wpscan --url 10.0.2.6/wordpress

This scans WordPress core and its plugins for vulnerabilities. Right after it starts, you are asked whether to update WPScan; since this setup has no outbound connectivity, choose No.

root@kali:~# wpscan --url 10.0.2.6/wordpress
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]N
[+] URL: http://10.0.2.6/wordpress/
[+] Started: Tue May  2 20:45:13 2017
[!] The WordPress 'http://10.0.2.6/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
[+] Interesting header: STATUS: 200 OK
[+] Interesting header: X-POWERED-BY: PHP/5.3.2-1ubuntu4.30
[+] XML-RPC Interface available under: http://10.0.2.6/wordpress/xmlrpc.php
[!] Includes directory has directory listing enabled: http://10.0.2.6/wordpress/wp-includes/
[+] WordPress version 2.0 (Released on 2005-12-26) identified from advanced fingerprinting, meta generator, links opml
[!] 12 vulnerabilities identified from the version number
[!] Title: WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning
    Reference: https://wpvulndb.com/vulnerabilities/5988
    Reference: https://github.com/FireFart/WordpressPingbackPortScanner
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0235
[i] Fixed in: 3.5.1
[!] Title: WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues
    Reference: https://wpvulndb.com/vulnerabilities/5989
    Reference: http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html
[!] Title: WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions
    Reference: https://wpvulndb.com/vulnerabilities/6009
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5293
[i] Fixed in: 3.0.2
[!] Title: WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()
    Reference: https://wpvulndb.com/vulnerabilities/6010
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5294
[i] Fixed in: 3.0.2
[!] Title: WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php
    Reference: https://wpvulndb.com/vulnerabilities/6011
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5295
[i] Fixed in: 3.0.2
[!] Title: WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass
    Reference: https://wpvulndb.com/vulnerabilities/6012
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5296
[i] Fixed in: 3.0.2
[!] Title: WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass
    Reference: https://wpvulndb.com/vulnerabilities/6013
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5297
[i] Fixed in: 3.0
[!] Title: WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass
    Reference: https://wpvulndb.com/vulnerabilities/6019
    Reference: http://www.securityfocus.com/bid/35584/
[!] Title: WordPress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS
    Reference: https://wpvulndb.com/vulnerabilities/6033
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5105
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5106
[i] Fixed in: 2.0.2
[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
    Reference: https://wpvulndb.com/vulnerabilities/7681
    Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
    Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
    Reference: https://www.exploit-db.com/exploits/35413/
    Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
    Reference: https://wpvulndb.com/vulnerabilities/7696
    Reference: http://www.securityfocus.com/bid/71234/
    Reference: https://core.trac.wordpress.org/changeset/30444
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
    Reference: https://wpvulndb.com/vulnerabilities/8719
    Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.7.1
[+] WordPress theme in use: default - v1.5
[+] Name: default - v1.5
|  Location: http://10.0.2.6/wordpress/wp-content/themes/default/
[!] The version is out of date, the latest version is 1.7.2
|  Style URL: http://10.0.2.6/wordpress/wp-content/themes/default/style.css
|  Theme Name: WordPress Default
|  Theme URI: http://wordpress.org/
|  Description: The default WordPress theme based on the famous <a href="http://binarybonsai.com/kubrick/">Kubric...
|  Author: Michael Heilemann
|  Author URI: http://binarybonsai.com/
[+] Enumerating plugins from passive detection ...
| 1 plugin found:
[+] Name: mygallery
|  Location: http://10.0.2.6/wordpress/wp-content/plugins/mygallery/
|  Changelog: http://10.0.2.6/wordpress/wp-content/plugins/mygallery/changelog.txt
[!] Directory listing is enabled: http://10.0.2.6/wordpress/wp-content/plugins/mygallery/
[!] We could not determine a version so all vulnerabilities are printed out
[!] Title: myGallery <= 1.4b4 - Remote File Inclusion
    Reference: https://wpvulndb.com/vulnerabilities/6506
    Reference: https://www.exploit-db.com/exploits/3814/
[+] Finished: Tue May  2 20:45:16 2017
[+] Requests Done: 78
[+] Memory used: 61.359 MB
[+] Elapsed time: 00:00:03

Since the WordPress bundled with OWASP BWA is version 2.0, plenty of findings show up. As of 2 May 2017 the latest WordPress release is 4.7.4. Do keep WordPress on the latest version...
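Reading a report this long by hand is error-prone, so here is an added example (not part of the original post, nor WPScan's own code) that parses the WPScan 2.x text format shown above into structured findings and lists the ones whose fix version is newer than the detected WordPress version; the report text it contains is a constructed excerpt.

```python
import re

# Added example, not from the original post or from WPScan. SAMPLE_REPORT is a
# constructed excerpt in the WPScan 2.9.2 format above, incl. a finding with no "Fixed in" line.
SAMPLE_REPORT = """\
[+] WordPress version 2.0 (Released on 2005-12-26) identified from advanced fingerprinting, meta generator, links opml
[!] 12 vulnerabilities identified from the version number
[!] Title: WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning
    Reference: https://wpvulndb.com/vulnerabilities/5988
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0235
[i] Fixed in: 3.5.1
[!] Title: WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass
    Reference: https://wpvulndb.com/vulnerabilities/6019
[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.7.1
"""

def parse_version(text):
    """Turn '3.5.1' into (3, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def parse_report(report):
    """Return (detected_version, findings); a finding holds title, references,
    cves and fixed_in (a tuple, or None when WPScan reported no fix version)."""
    detected, findings = None, []
    for line in report.splitlines():
        m = re.match(r"\[\+\] WordPress version (\d+(?:\.\d+)*)", line)
        if m:
            detected = parse_version(m.group(1))
        elif line.startswith("[!] Title: "):
            findings.append({"title": line[len("[!] Title: "):],
                             "references": [], "cves": [], "fixed_in": None})
        elif line.strip().startswith("Reference: ") and findings:
            ref = line.strip()[len("Reference: "):]
            findings[-1]["references"].append(ref)
            findings[-1]["cves"] += re.findall(r"CVE-\d{4}-\d{4,}", ref)
        elif line.startswith("[i] Fixed in: ") and findings:
            findings[-1]["fixed_in"] = parse_version(line[len("[i] Fixed in: "):])
    return detected, findings

def open_findings(report):
    """Titles still applicable to the detected version: fixed only in a newer
    release, or with no fix version reported (kept as open, not silently dropped)."""
    detected, findings = parse_report(report)
    return [f["title"] for f in findings
            if f["fixed_in"] is None or detected is None or f["fixed_in"] > detected]

if __name__ == "__main__":
    print("\n".join(open_findings(SAMPLE_REPORT)))
```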

Next time, I'd like to try a dictionary-based brute-force attack.
