Using WPScan in Kali Linux to test the security of a WordPress site

Contents
  1. Installing WPScan
    1. Install Ruby and the required libraries
    2. Download and install WPScan
    3. Update the vulnerability database
  2. Finding usernames
  3. Preparing to brute-force the password
  4. Starting the cracking attempt
  5. Other features: vulnerability detection
  6. Other features: plugin and theme detection
  7. Closing remarks


Original article (link). Once again: the tool introduced in this article is intended only for security testing. Please comply with the laws of your own country when using it; neither the original author nor the translator accepts any responsibility.

Testing a website for vulnerabilities helps you understand the potential security threats it faces. If those threats are left in place, an attacker can break into your site with little effort, so keeping them out is a priority.

WPScan is a black-box vulnerability scanner built specifically for WordPress sites. Here we will show you how to use WPScan in Kali Linux to test the security of a WordPress site.

One line of attack is simple: once the administrator account's password is cracked, everything on the WordPress site is easily accessible, for whatever purpose.

The tool does not run on Windows, but it does run on macOS and Linux. It also comes pre-installed in several Linux distributions, including BackBox Linux, Kali Linux, Pentoo, SamuraiWTF and BlackArch.

If you are not familiar with WordPress, a quick explanation: it is an open-source content management system built on PHP and MySQL.

This article covers only how to use WPScan; how to use Kali Linux is outside its scope.

Important notice

We must stress that we do not condone using WPScan against websites without authorization. You should only use WPScan to scan your own sites for vulnerabilities.

If you are a certified or contracted penetration tester and have permission to attack a site (or the owner's consent), that is fine too.

Do not use WPScan unethically!

Installing WPScan

If WPScan is not already installed on your system, install it as follows:

Install Ruby and the required libraries

sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev

Download and install WPScan

git clone https://github.com/wpscanteam/wpscan.git

Update the vulnerability database

wpscan --update

Once WPScan is installed, you can use it from the terminal. WPScan can test for many kinds of vulnerabilities.

Here I will demonstrate how to use it to find the usernames present on a site and obtain a user's password.

Finding usernames

Before you can get into the WordPress admin area, you need a username.

Unfortunately, many people use "admin" or "administrator" as their username, which is a bad habit. A username should be hard to guess.

Although we could simply try logging in as "admin", it is more efficient to scan the site for all of its usernames first.

If you already have a terminal open, you can issue the first command. It searches the WordPress site for all users and then displays the results. Type the following in the terminal:

wpscan --url http://www.example.net --enumerate u

Replace "www.example.net" with the site you want to test.

Press Enter and the scan starts immediately. When it finishes, it lists every username associated with the site.

[+] Enumerating usernames ...
[+] Identified the following 3 user/s:
    +----+---------------+------+
    | Id | Login         | Name |
    +----+---------------+------+
    | 10 | administrator |      |
    | 25 | testing       |      |
    | 69 | sam           | Sam  |
    +----+---------------+------+

Preparing to brute-force the password

As shown above, it found 3 users.

By default, WordPress gives administrator privileges to the user with ID 1. There is no user with ID 1 here, which means that user was most likely deleted and the site owner created new users afterwards. One of them must be an administrator, but at this point we do not know which. (Some owners also deliberately register an "admin" account as a decoy to lure attackers and catch them.)

From experience, when cracking passwords it is best to start at the top of the list and work down: the administrator's ID is more likely to be a low number.

If you are unfamiliar with the term "brute force": it is essentially a trial-and-error method that tests different username and password combinations until the right one is found.

Since we now have a list of usernames, all we need is a password list.

With WPScan you can attach a password list: a text file containing many passwords. When WPScan brute-forces a site, it repeatedly attempts to log in using the supplied username and the passwords from the file. This is why it is essential to use a strong password when creating an account.

You can build your own password list or obtain one from the internet. Some operating systems also ship with password lists; Kali Linux, for example, stores them under /usr/share/wordlists.

Note: the larger the list, the longer the brute-force attempt takes. If your word list contains more than a million passwords, cracking may take hours.

Starting the cracking attempt

Now that you have a username and a password list, you can try to force your way into the site. Enter the following command:

wpscan --url http://www.example.net --wordlist /root/Desktop/my_wordlist.txt --username administrator

Remember to change "www.example.net" to the site you want to test, and make sure the path to the password list and the username are correct.

Then go make a cup of coffee, because this can take a long time. When WPScan finishes, it gives you the username and password.

[+] Starting the password brute forcer
  [+] [SUCCESS] Login : administrator Password : 1234567890
  Brute Forceing 'administrator' Time: 00:00:00 <=== > (8/15146) 0%  ETA: 00:00:00
  +----+---------------+------+------------+
  | Id | Login         | Name | Password   |
  +----+---------------+------+------------+
  |    | administrator |      | 1234567890 |
  +----+---------------+------+------------+

As shown, the password is "1234567890". Just like that, we have found a serious security hole in the site.

Other features: vulnerability detection

As mentioned earlier, WPScan can also scan a WordPress site for potential security vulnerabilities. Enter the following command:

wpscan --url http://www.example.net

Output (excerpt; my commentary follows the double slashes):

[+] WordPress version 4.8 (Released on 2017-06-08) identified from sitemap generator //WordPress is only at version 4.8! The site owner may never have updated WordPress
[!] 18 vulnerabilities identified from the version number
[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8905 //WPScan helpfully lists the relevant links under each vulnerability, sometimes even reproduction steps
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
    Reference: https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
[i] Fixed in: 4.8.2
[!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
    Reference: https://wpvulndb.com/vulnerabilities/8910
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/changeset/41398
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
[i] Fixed in: 4.8.2
[!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
    Reference: https://wpvulndb.com/vulnerabilities/8911
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/changeset/41457
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
[i] Fixed in: 4.8.2
[!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
    Reference: https://wpvulndb.com/vulnerabilities/8912
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/changeset/41397
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
[i] Fixed in: 4.8.2
[!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
    Reference: https://wpvulndb.com/vulnerabilities/8913
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/changeset/41448
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
[i] Fixed in: 4.8.2
[!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
    Reference: https://wpvulndb.com/vulnerabilities/8914
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/changeset/41395
    Reference: https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
[i] Fixed in: 4.8.2
[!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
    Reference: https://wpvulndb.com/vulnerabilities/8807
    Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
    Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
    Reference: https://core.trac.wordpress.org/ticket/25239
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
[!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
    Reference: https://wpvulndb.com/vulnerabilities/8941
    Reference: https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
    Reference: https://twitter.com/ircmaxell/status/923662170092638208
    Reference: https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
[i] Fixed in: 4.8.3
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
    Reference: https://wpvulndb.com/vulnerabilities/8966
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.8.4
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8967
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.8.4
[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8968
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.8.4
[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
    Reference: https://wpvulndb.com/vulnerabilities/8969
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.8.4
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/9006
    Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
    Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/ticket/42720
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.8.5
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
    Reference: https://wpvulndb.com/vulnerabilities/9021
    Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
    Reference: https://github.com/quitten/doser.py
    Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
[!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
    Reference: https://wpvulndb.com/vulnerabilities/9053
    Reference: https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
[i] Fixed in: 4.8.6
[!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
    Reference: https://wpvulndb.com/vulnerabilities/9054
    Reference: https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
[i] Fixed in: 4.8.6
[!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
    Reference: https://wpvulndb.com/vulnerabilities/9055
    Reference: https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
[i] Fixed in: 4.8.6
[!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
    Reference: https://wpvulndb.com/vulnerabilities/9100
    Reference: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
    Reference: http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
    Reference: https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
    Reference: https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
    Reference: https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
[i] Fixed in: 4.8.7

When the scan finishes you can see that WPScan has found multiple vulnerabilities that an attacker could exploit. After my own "attempts", roughly two of them looked exploitable.

Fortunately, most of these vulnerabilities no longer exist in the latest version of WordPress. Keeping WordPress (and its plugins and themes) up to date therefore greatly improves security; do not skip updates because they seem like a hassle! A WordPress that is never updated is far more likely to be broken into through an unfixed vulnerability.

Other features: plugin and theme detection

Likewise, as mentioned earlier, plugins and themes can also contain security vulnerabilities. WPScan can detect which plugins are installed on a site and which theme is active.

Enter:

wpscan --url http://www.example.net --enumerate p #plugins

or

wpscan --url http://www.example.net --enumerate t #themes

Output (excerpt):

[+] WordPress theme in use: Blackoot Lite - 1.1.22
[+] Name: Blackoot Lite - 1.1.22
 |  Location: http://www.example.net/wp-content/themes/blackoot-lite/
 |  Style URL: http://www.example.net/wp-content/themes/blackoot-lite/style.css
 |  Referenced style.css: wp-content/themes/blackoot-lite/css/blackoot.min.css
 |  Theme Name: Blackoot Lite
 |  Theme URI: https://www.iceablethemes.com/shop/blackoot-lite/
 |  Description: An Elegant, Multi-purpose, Responsive WordPress Theme. Perfect for photography or music oriented blogs as well as portfolio and creative business websites. It features two widgetizable areas in the sidebar and the optional footer, two custom menu locations in the navbar and footer, optional tagline display, custom logo and favicon, custom header image and custom background. Blackoot Lite is also translation ready for non-English sites, a .pot file is included to get started quickly, and a French (fr_FR) translation is already included.
 |  Author: Iceable Media
 |  Author URI: https://www.iceablethemes.com
[+] Enumerating plugins from passive detection ...
 | 2 plugins found:
[+] Name: akismet - v4.1.2
 |  Latest version: 4.1.2 (up to date)
 |  Last updated: 2019-05-14T00:00:00.000Z
 |  Location: http://www.example.net/wp-content/plugins/akismet/
 |  Readme: http://www.example.net/wp-content/plugins/akismet/readme.txt
[+] Name: classic-editor - v1.5
 |  Latest version: 1.5 (up to date)
 |  Last updated: 2019-07-08T20:39:05.000Z
 |  Location: http://www.example.net/wp-content/plugins/classic-editor/
 |  Readme: http://www.example.net/wp-content/plugins/classic-editor/readme.txt
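The vulnerability listing and the plugin listing above are easier to act on once they are turned into a patch list. The following Python script is an added example, not part of the article and not WPScan's own code: it parses a constructed excerpt modelled on the two reports above (the classic-editor entry is altered to an older version so the check has something to flag), reads the detected core version, sorts each finding by whether a core upgrade fixes it, and lists plugins whose installed version is behind the latest one WPScan reports. The line formats it matches are those quoted in the article; the regexes, data classes and function names are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt modelled on the WPScan output quoted in the article; the
# classic-editor entry is altered to be out of date so the check flags something.
SAMPLE_OUTPUT = """\
[+] WordPress version 4.8 (Released on 2017-06-08) identified from sitemap generator
[!] 18 vulnerabilities identified from the version number
[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8905
[i] Fixed in: 4.8.2
[!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
[i] Fixed in: 4.8.2
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
[+] Enumerating plugins from passive detection ...
 | 2 plugins found:
[+] Name: akismet - v4.1.2
 |  Latest version: 4.1.2 (up to date)
[+] Name: classic-editor - v1.4
 |  Latest version: 1.5
"""

@dataclass
class Finding:
    title: str
    fixed_in: Optional[str] = None          # None when WPScan prints no "[i] Fixed in:" line
    cves: List[str] = field(default_factory=list)

@dataclass
class Plugin:
    name: str
    installed: str
    latest: Optional[str] = None

VERSION_RE = re.compile(r"^\[\+\] WordPress version (\d+(?:\.\d+)*)")
TITLE_RE = re.compile(r"^\[!\] Title: (.+)$")
FIXED_RE = re.compile(r"^\[i\] Fixed in: (\d+(?:\.\d+)*)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
PLUGIN_RE = re.compile(r"^\[\+\] Name: (\S+) - v(\d+(?:\.\d+)*)")
LATEST_RE = re.compile(r"^\s*\|\s+Latest version: (\d+(?:\.\d+)*)")

def vtuple(v):
    """'4.8' -> (4, 8) so that versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

def parse_report(text):
    """Return (core_version, [Finding], [Plugin]) from WPScan's text report."""
    version, findings, plugins = None, [], []
    for line in text.splitlines():
        if m := VERSION_RE.match(line):
            version = m.group(1)
        elif m := TITLE_RE.match(line):
            findings.append(Finding(title=m.group(1)))
        elif (m := FIXED_RE.match(line)) and findings:
            findings[-1].fixed_in = m.group(1)
        elif m := PLUGIN_RE.match(line):
            plugins.append(Plugin(name=m.group(1), installed=m.group(2)))
        elif (m := LATEST_RE.match(line)) and plugins:
            plugins[-1].latest = m.group(1)
        elif findings and "Reference:" in line:
            findings[-1].cves.extend(CVE_RE.findall(line))   # CVE ids ride along in the URLs
    return version, findings, plugins

def triage(version, findings, plugins):
    """Split findings by whether a core upgrade closes them; list plugins behind their latest."""
    installed = vtuple(version) if version else None
    needs_upgrade, already_fixed, no_fix = [], [], []
    upgrade_to = None
    for f in findings:
        if f.fixed_in is None:
            no_fix.append(f)                      # no fix version: needs a compensating control
        elif installed is not None and vtuple(f.fixed_in) <= installed:
            already_fixed.append(f)               # fix predates detected version: likely stale fingerprint
        else:
            needs_upgrade.append(f)
            if upgrade_to is None or vtuple(f.fixed_in) > vtuple(upgrade_to):
                upgrade_to = f.fixed_in           # highest fix version = minimum target release
    outdated = [p for p in plugins if p.latest and vtuple(p.latest) > vtuple(p.installed)]
    return {"installed": version, "upgrade_to": upgrade_to, "needs_upgrade": needs_upgrade,
            "already_fixed": already_fixed, "no_fix": no_fix, "outdated_plugins": outdated}

if __name__ == "__main__":
    report = triage(*parse_report(SAMPLE_OUTPUT))
    print(f"WordPress {report['installed']}: upgrade core to at least {report['upgrade_to']}")
    for f in report["needs_upgrade"]:
        print(f"  fixed in {f.fixed_in}: {f.title} {f.cves}")
    for f in report["no_fix"]:
        print(f"  no fix listed: {f.title} {f.cves}")
    for p in report["outdated_plugins"]:
        print(f"  plugin {p.name} {p.installed} -> {p.latest}")
```

Run against a saved WPScan report instead of the sample by passing the file's contents to parse_report. A finding with no "Fixed in" line (like the unpatched DoS above) cannot be closed by updating and needs a compensating control, while a finding whose fix version is at or below the detected version usually points to a stale version fingerprint rather than a live issue.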

Closing remarks

One thing to note in particular: if a WordPress site has a security plugin installed, attacking it may become harder (which is a good thing). For example, if the site has a plugin that bans an IP address after several failed login attempts, brute forcing becomes ineffective (as long as the ban lasts long enough, it can stop password brute forcing completely).

So keep in mind that WPScan is not a silver bullet. If your site withstands a WPScan test, congratulations! You have a secure site; keep it that way. Thank you for reading, and please look after your site's security and put the necessary protections in place.

Beyond introducing the WPScan tool, I also published this article to tell a certain someone: always stay humble.

Note: this article only tested the security of the site in question; no attack or other action was carried out against it using the vulnerabilities found.