iT邦幫忙

2021 iThome 鐵人賽

DAY 14
1
Security

Kali Linux 工具筆記系列 第 14

Day 14 網頁分析 - Web Application Analysis (wpscan - WordPress vulnerability scanner)

前言

又進到一個新的分類Web Application Analysis,顧名思義就知道要來分析網站的弱點了,今天要介紹的工具是wpscan,是一個WordPress vulnerability scanner,非常有針對性的一個工具,所以在開始介紹之前有必要先提一下什麼是WordPress。

什麼是WordPress

有架站需求的朋友應該都有聽過這個名字,WordPress是一個非常熱門的網頁製作平台、網站管理系統。根據w3techs的統計,市佔率截至今年八月已經成長到42.6%。然而WordPress還細分成WordPress.com以及WordPress.org,前者是一個網頁製作平台,在上面可以套用大量的佈景主題、外掛,能滿足各種網頁需求,像是架設個人部落格、品牌網站等等,但也有種種限制來自平台方,很難達到較細部的客製需求;而後者WordPress.org是一套軟體,讓我們可以快速在主機上架設起網站,同樣也能套用各種資源,但不同的是,這些資源包含程式碼都能修改,所以也更適合有程式基礎的人。

工具介紹

不管透過官方平台或是自己架設的WordPress網站,就都是這次介紹的工具wpscan鎖定的目標了,它位於Kali的Web Application Analysis分類之中,直接執行可以看到介紹與基本用法

Executing “wpscan --help”
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Usage: wpscan [options]
        --url URL                                 The URL of the blog to scan
                                                  Allowed Protocols: http, https
                                                  Default Protocol if none provided: http

使用方法很簡單,輸入目標機就好,這邊我們用之前Day2建立的靶機來測試

wpscan --url http://192.168.1.86

結果很快出來了...什麼都沒有

Scan Aborted: The remote website is up, but does not seem to be running WordPress.

尷尬了,因為靶機上根本不是屬於WordPress體系的網站,但又不能去找線上網站來測試,所以只好自己架一個了。

架設WordPress網站

因為我們要自己在機器上架設網站,所以不會是去WordPress.com,而是到WordPress.org下載頁面找尋適合的版本。因為目的是想體驗掃描工具,所以這裡我選擇了一個比較舊的版本wordpress-4.7-RC1.tar.gz,預期是直接安裝在Day2介紹的靶機上。

  1. ssh進入到靶機,下載檔案並解開
# 下載檔案
wget --no-check-certificate https://wordpress.org/wordpress-4.7-RC1.tar.gz

# 解壓縮
tar xvf wordpress-4.7-RC1.tar.gz
  1. 因為之後wordpress的設定會需要設定mysql,所以先在這裡準備好
# 以root登入,密碼預設是空的,直接enter就能進入mysql shell
mysql -uroot -p

進到mysql後,新建一張名叫wordpress的表後離開

mysql>CREATE DATABASE wordpress;
mysql>exit;
  1. 將靶機當前的apache停掉
# 關閉apache2
sudo /etc/init.d/apache2 stop

# 備份原本的www資料夾,這是原本apache2運行的網站根目錄
sudo mv /var/www /var/www.bak

# 建立軟連結,將步驟1下載解開的資料夾指到apache2根目錄
ln -s /home/msfadmin/wordpress /var/www

# 重新啟動apache2
sudo /etd/init.d/apache2 start
  1. 開啟瀏覽器前往靶機網頁頁面
    當apache2重新開始運行,這樣透過靶機http://192.168.1.86就能看到wordpress的初始頁面
    https://ithelp.ithome.com.tw/upload/images/20210929/201403176ht3G9uqc9.png

顯然還需要經過設定才能把網站架起來,所以點擊按鈕繼續後續設定。這邊根據前面mysql設定即可,如果跟我一樣用靶機,那這邊就跟著圖修改UsernamerootPassword留白即可。
https://ithelp.ithome.com.tw/upload/images/20210929/20140317IQxmxm1IDM.png

接著可能會因為軟體無法寫入設定檔,所以會要求自行編輯檔案。
https://ithelp.ithome.com.tw/upload/images/20210929/20140317Q3K97jSCvX.png

# 先進到 /var/www (記得這邊已經指到/home/msfadmin/wordpress)
cd /var/www

# 透過 vi 或其他編輯器,將網頁上顯示的內容複製到檔案裡
vi wp-config.php

自行編輯wp-config.php後才能繼續下一步,這邊就填入一些基本資訊就可以了。
https://ithelp.ithome.com.tw/upload/images/20210929/20140317dTmlfFxxNx.png

看到這頁就表示網站已經設定完成,所有的一切都是預設樣式,但這並不妨礙我們測試。
https://ithelp.ithome.com.tw/upload/images/20210929/20140317GknYlrtV2n.png

再次使用wpscan

經過前面一連串步驟,我們終於有了自己的WordPress網站可自由測試了,所以事不宜遲馬上開打,別忘了這裡我們回到Kali使用wpscan來測試目標靶機,不是在靶機上繼續操作囉。

# 192.168.1.86是我的靶機IP
wpscan --url http://192.168.1.86

這次就有偵測結果了。

         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.1.86/ [192.168.1.86]
[+] Started: Wed Sep 29 09:52:00 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.2.8 (Ubuntu) DAV/2
 |  - X-Powered-By: PHP/5.2.4-2ubuntu5.10
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.1.86/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.1.86/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.1.86/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7 identified (Insecure, released on 2016-12-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.1.86/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.7'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.1.86/, Match: 'WordPress 4.7'

[+] WordPress theme in use: twentyseventeen
 | Location: http://192.168.1.86/wp-content/themes/twentyseventeen/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://192.168.1.86/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: http://192.168.1.86/wp-content/themes/twentyseventeen/style.css?ver=4.7-RC1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with immersive featured images and subtle animations. With...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.1.86/wp-content/themes/twentyseventeen/style.css?ver=4.7-RC1, Match: 'Version: 1.0'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <> (105 / 137) 76.64%  ETA: 00:00:0 Checking Config Backups - Time: 00:00:00 <> (110 / 137) 80.29%  ETA: 00:00:0 Checking Config Backups - Time: 00:00:00 <> (117 / 137) 85.40%  ETA: 00:00:0 Checking Config Backups - Time: 00:00:00 <> (124 / 137) 90.51%  ETA: 00:00:0 Checking Config Backups - Time: 00:00:00 <> (132 / 137) 96.35%  ETA: 00:00:0 Checking Config Backups - Time: 00:00:00 <> (136 / 137) 99.27%  ETA: 00:00:0 Checking Config Backups - Time: 00:00:01 <> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Sep 29 09:52:12 2021
[+] Requests Done: 172
[+] Cached Requests: 5
[+] Data Sent: 42.513 KB
[+] Data Received: 347.278 KB
[+] Memory used: 232.383 MB
[+] Elapsed time: 00:00:12

結語

今天我們實際體驗了如何架設爛網站,透過自己架設的簡易WordPress網站,來體驗wpscan這套工具的使用方法。雖然目前我手邊並沒有實際在管理WordPress網站,但也許未來會需要也說不定。但其實也更好奇,目前網站架設生態系這麼複雜,各種框架像是神仙大亂鬥,是否都有其針對性的掃描工具呢?


上一篇
Day 13 漏洞分析 - Vulnerability Analysis (unix-privesc-check)
下一篇
Day 15 網頁分析 - Web Application Analysis (網頁快照截圖 - cutycapt )
系列文
Kali Linux 工具筆記31

尚未有邦友留言

立即登入留言