ITオムライス

Trying out WPScan, a WordPress scanning tool

2019-07-07 Technical

I tried WPScan, a scanner that checks a WordPress site for known vulnerabilities and weak configuration.

The WordPress instance to be scanned was a fresh install with a single commonly used plugin, Contact Form 7, added on top.

The versions on the test server were as follows.

Web server : Apache/2.4.29 (Ubuntu)
WordPress : 5.2.2-ja
Contact Form 7 : 5.1.3

Installation

WPScan is the best-known WordPress scanner, so it was the first one I tried. Installation simply means running the commands given on the official page.

WPScan a WordPress Vulnerability Scanner

wpscanteam/wpscan

git clone https://github.com/wpscanteam/wpscan
cd wpscan/
bundle install && rake install

Running a scan

Running the following command is all it takes to start a basic scan:

wpscan --url <target URL>

The output looks like the following. It shows the web server software and its version, the WordPress version, and the names and versions of the plugins in use. Each item is labelled with how it was found: "Passive Detection" means the evidence came from pages the scanner had already fetched (HTTP headers, the HTML of the front page), while "Aggressive Detection" means WPScan requested a specific path directly to see whether it exists. The "Interesting Finding(s)" block is also worth reading: on this install it flags that xmlrpc.php and readme.html are reachable, that wp-cron.php is exposed, and that directory listing is enabled on wp-content/uploads/.

_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.5.5
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.0.2.10/wordpress/
[+] Started: Mon Jul  8 04:08:10 2019

Interesting Finding(s):

[+] http://10.0.2.10/wordpress/
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://10.0.2.10/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.0.2.10/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.0.2.10/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://10.0.2.10/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Latest, released on 2019-06-18).
 | Detected By: Emoji Settings (Passive Detection)
 |  - http://10.0.2.10/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.2.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://10.0.2.10/wordpress/, Match: 'WordPress 5.2.2'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] contact-form-7
 | Location: http://10.0.2.10/wordpress/wp-content/plugins/contact-form-7/
 | Latest Version: 5.1.3 (up to date)
 | Last Updated: 2019-05-19T16:15:00.000Z
 |
 | Detected By: Hidden Input (Passive Detection)
 |
 | Version: 5.1.3 (100% confidence)
 | Detected By: Hidden Input (Passive Detection)
 |  - http://10.0.2.10/wordpress/, Match: '5.1.3'
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://10.0.2.10/wordpress/wp-content/plugins/contact-form-7/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://10.0.2.10/wordpress/wp-content/plugins/contact-form-7/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=====================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.


[+] Finished: Mon Jul  8 04:08:14 2019
[+] Requests Done: 63
[+] Cached Requests: 4
[+] Data Sent: 10.993 KB
[+] Data Received: 23.677 MB
[+] Memory used: 204.113 MB
[+] Elapsed time: 00:00:03
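To make the "Passive Detection" labels in the output above concrete, here is an added example (my own code, not WPScan's) that reproduces the three passive matches WPScan reported: the Server header, the WordPress version from the meta generator tag and the wp-emoji script URL, and the Contact Form 7 version from its hidden form input. The sample response is constructed, not captured from the test server, and the element and attribute names (`_wpcf7_version` in particular) are assumptions about how WordPress 5.2 and Contact Form 7 5.1 render their markup. Only the Ruby standard library is used.

```ruby
# Added example: re-implements WPScan's passive fingerprinting matches from the
# scan above. Not WPScan code; markup details below are assumptions.

# Constructed sample response imitating the test site's front page (not real output).
SAMPLE_HEADERS = { 'Server' => 'Apache/2.4.29 (Ubuntu)' }.freeze
SAMPLE_HTML = <<~HTML.freeze
  <!DOCTYPE html>
  <html lang="ja">
  <head>
  <meta name="generator" content="WordPress 5.2.2" />
  <script type='text/javascript' src='http://10.0.2.10/wordpress/wp-includes/js/wp-emoji-release.min.js?ver=5.2.2'></script>
  </head>
  <body>
  <form class="wpcf7-form" method="post">
  <input type="hidden" name="_wpcf7" value="5" />
  <input type="hidden" name="_wpcf7_version" value="5.1.3" />
  </form>
  </body>
  </html>
HTML

# Each finder returns the matched value or nil so callers can combine them the
# way WPScan does ("Detected By" plus "Confirmed By").
def server_banner(headers)
  headers['Server']
end

# <meta name="generator" content="WordPress 5.2.2"> (assumed WordPress markup)
def wp_version_from_meta_generator(html)
  html[/<meta\s+name=["']generator["']\s+content=["']WordPress\s+([\d.]+)["']/i, 1]
end

# wp-includes/js/wp-emoji-release.min.js?ver=5.2.2 (the match WPScan printed)
def wp_version_from_emoji_script(html)
  html[%r{wp-includes/js/wp-emoji-release\.min\.js\?ver=([\d.]+)}, 1]
end

# Contact Form 7 hidden input; the input name is an assumption.
def cf7_version_from_hidden_input(html)
  html[/name=["']_wpcf7_version["']\s+value=["']([\d.]+)["']/, 1]
end

# Report the WordPress version as "confirmed" only when two independent
# sources agree, which is what justifies a high confidence score.
def fingerprint(headers, html)
  meta  = wp_version_from_meta_generator(html)
  emoji = wp_version_from_emoji_script(html)
  {
    server: server_banner(headers),
    wp_version: emoji || meta,
    wp_version_confirmed: !emoji.nil? && emoji == meta,
    plugins: { 'contact-form-7' => cf7_version_from_hidden_input(html) }.compact
  }
end

if $PROGRAM_NAME == __FILE__
  result = fingerprint(SAMPLE_HEADERS, SAMPLE_HTML)
  puts "Server: #{result[:server]}"
  puts "WordPress #{result[:wp_version]} (confirmed: #{result[:wp_version_confirmed]})"
  result[:plugins].each { |name, ver| puts "Plugin #{name} #{ver}" }
end
```

Nothing here touches the network: the point is that a single GET of the front page is enough to reveal the server banner, the core version and a plugin version, which is why removing the generator tag alone does not hide the version.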

Next I ran a user enumeration scan. This just means adding the -e u option to the previous command.

wpscan --url http://10.0.2.10/wordpress/ -e u
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.5.5
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://10.0.2.10/wordpress/
[+] Started: Mon Jul  8 04:22:33 2019

Interesting Finding(s):

[+] http://10.0.2.10/wordpress/
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://10.0.2.10/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.0.2.10/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.0.2.10/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://10.0.2.10/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Latest, released on 2019-06-18).
 | Detected By: Emoji Settings (Passive Detection)
 |  - http://10.0.2.10/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.2.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://10.0.2.10/wordpress/, Match: 'WordPress 5.2.2'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] nobarudo
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)


[+] Finished: Mon Jul  8 04:22:35 2019
[+] Requests Done: 46
[+] Cached Requests: 4
[+] Data Sent: 8.818 KB
[+] Data Received: 97.026 KB
[+] Memory used: 101.586 MB
[+] Elapsed time: 00:00:02

As the excerpt below shows, the scan recovered the site's actual login username. The "Author Id Brute Forcing - Author Pattern" method requests /?author=1, /?author=2 and so on; WordPress redirects each existing ID to that user's archive page, and the user slug in the redirect URL gives away the account name.

[i] User(s) Identified:
 [+] nobarudo
  | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
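The following is an added example (my own code, not WPScan's) of the author-ID technique described above. The enumeration logic is separated from the HTTP fetcher so it runs offline against constructed responses; a real Net::HTTP fetcher is included for use against a site you are authorised to test. The responses in `FAKE_RESPONSES` are made up to imitate the test site (author ID 1 is the `nobarudo` account seen in the scan output; the other IDs are assumed to return a plain page, a non-author redirect, or 404).

```ruby
require 'net/http'
require 'uri'

# Added example: WPScan-style "Author Pattern" user enumeration. Not WPScan code.
# WordPress answers /?author=N with a redirect to /author/<user_nicename>/, so
# the Location header of the redirect leaks the account name.

AUTHOR_PATH = %r{/author/([^/?#]+)/?}

# Return the user slug from a Location header, or nil if it is not an author URL.
def author_from_location(location)
  return nil if location.nil?
  location[AUTHOR_PATH, 1]
end

# ids:   range of author IDs to try
# fetch: callable taking a URL and returning [status_code, location_header]
# Returns a hash of { author_id => user_slug } for every ID that redirected to
# an author archive; non-redirects and redirects elsewhere are ignored.
def enumerate_authors(base_url, ids, fetch)
  ids.each_with_object({}) do |id, found|
    status, location = fetch.call("#{base_url}?author=#{id}")
    next unless (300..399).cover?(status)
    name = author_from_location(location)
    found[id] = name if name
  end
end

# Live fetcher: makes real requests, so only point it at sites you own or have
# permission to test. A HEAD request is enough to observe the redirect.
def http_fetcher
  lambda do |url|
    uri = URI(url)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      http.request_head(uri.request_uri)
    end
    [res.code.to_i, res['Location']]
  end
end

# Constructed responses (assumed, not captured): ID 1 is a real author, ID 2
# returns a normal page, ID 3 redirects to the home page, everything else 404s.
FAKE_RESPONSES = {
  'http://10.0.2.10/wordpress/?author=1' => [301, 'http://10.0.2.10/wordpress/author/nobarudo/'],
  'http://10.0.2.10/wordpress/?author=2' => [200, nil],
  'http://10.0.2.10/wordpress/?author=3' => [301, 'http://10.0.2.10/wordpress/']
}.freeze

FAKE_FETCHER = ->(url) { FAKE_RESPONSES.fetch(url, [404, nil]) }

if $PROGRAM_NAME == __FILE__
  enumerate_authors('http://10.0.2.10/wordpress/', 1..10, FAKE_FETCHER).each do |id, name|
    puts "author id #{id}: #{name}"
  end
end
```

To run it against a live site, replace `FAKE_FETCHER` with `http_fetcher` and `1..10` with the ID range you want to probe; WPScan used 1..10 in the scan above.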

Impressions

The following information was trivially easy to obtain:

  • Web server software and version
  • WordPress version
  • Installed plugins and their versions
  • Login username

On top of that, the default scan flagged that xmlrpc.php is reachable and that directory listing is enabled on the uploads directory. Combining a known username with a reachable xmlrpc.php is exactly what the wordpress_xmlrpc_login reference in the output is about: it gives an attacker what they need for password guessing.

The scan was very easy to run and took almost no time, and the output is well organised, so I think it is an excellent choice when you want to black-box test a WordPress site.

References

WPScan a WordPress Vulnerability Scanner

WPScanで友人のWordPressサイトをハッキングしてみた話 (Trying to hack a friend's WordPress site with WPScan) | ネクスト株式会社

wpscanteam/wpscan