Wordpressのセキュリティチェックツール WPScan の使い方の話
Wordpressのセキュリティチェックツール WPScan の使い方を解説する話です。
WPScan とは
WPScan とはWordPressをインターネット経由でセキュリティチェックしてくれるツールです。
インターネット経由なので、WordPressのサイトにどの様な脆弱性が潜んでいるのかを、攻撃者の立場で知ることができます。
今回の記事ではわざとバージョンの低いWordPressサイトを用意して、それに対してWPScanを実行してみます。
WPScanをインストールする
サーバにWPScanをインストールします。
手順は基本的に公式サイトhttps://wpscan.org/ を参考に作成しました。
インストールするサーバは AWS(Amazon Web Service)上の Amazon Linux を対象としました。
(Amazon Linux は RHEL や CentOS と似てるので、これらでも以下の手順でできると思います。)
まず Ruby をインストールします。
2017年 8月30日 時点で推奨バージョンが 2.4.1 だったのでそれをインストールしました。
$ sudo yum -y install gcc zlib-devel openssl-devel readline-devel libffi-devel $ wget http://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.1.tar.gz $ tar zxvf ruby-2.4.1.tar.gz $ cd ruby-2.4.1 $ ./configure $ make $ sudo make install
次に Rubygem をインストールします。
$ wget http://production.cf.rubygems.org/rubygems/rubygems-2.6.13.zip $ unzip rubygems-2.6.13.zip $ ruby setup.rb $ sudo ruby setup.rb
最後にWPScan をインストールします。
$ yum -y install ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch git $ cd ~ $ curl -sSL https://rvm.io/mpapis.asc | gpg --import - $ curl -sSL https://get.rvm.io | bash -s stable $ source ~/.rvm/scripts/rvm $ echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc $ rvm install 2.4.1 $ rvm use 2.4.1 --default $ echo "gem: --no-ri --no-rdoc" > ~/.gemrc $ git clone https://github.com/wpscanteam/wpscan.git $ cd wpscan $ gem install bundler $ bundle install --without test
以上でインストールが完了しました。
WPScan を実行する
実行しました、結構な量の脆弱性が外部からのアクセスのみでわかりました。
以下の [!] がついた項目がCriticalな脆弱性ですね。
※ 結構長いのでさらっと読み流してください。
$ ruby wpscan.rb -u 54.250.246.4 _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 2.9.4-dev Sponsored by Sucuri - https://sucuri.net @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_ _______________________________________________________________ [+] URL: http://54.250.246.4/ [+] Started: Wed Aug 30 04:39:44 2017 [!] The WordPress 'http://54.250.246.4/readme.html' file exists exposing a version number [+] Interesting header: SERVER: Apache/2.2.32 (Amazon) [+] Interesting header: X-POWERED-BY: PHP/5.3.29 [+] XML-RPC Interface available under: http://54.250.246.4/xmlrpc.php [!] Includes directory has directory listing enabled: http://54.250.246.4/wp-includes/ [+] WordPress version 3.9.2 (Released on 2014-08-06) identified from meta generator, readme, links opml [!] 42 vulnerabilities identified from the version number [!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout Reference: https://wpvulndb.com/vulnerabilities/7531 Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868 [i] Fixed in: 4.0 [!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7680 Reference: http://klikki.fi/adv/wordpress.html Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/ Reference: http://klikki.fi/adv/wordpress_update.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031 [i] Fixed in: 4.0 [!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS) Reference: https://wpvulndb.com/vulnerabilities/7681 Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034 Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos Reference: https://www.exploit-db.com/exploits/35413/ Reference: https://www.exploit-db.com/exploits/35414/ [i] Fixed in: 4.0.1 [!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF) Reference: https://wpvulndb.com/vulnerabilities/7696 Reference: http://www.securityfocus.com/bid/71234/ Reference: https://core.trac.wordpress.org/changeset/30444 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038 [i] Fixed in: 4.0.1 [!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists Reference: https://wpvulndb.com/vulnerabilities/7697 Reference: https://core.trac.wordpress.org/changeset/30422 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032 [i] Fixed in: 4.0.1 [!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7929 Reference: https://wordpress.org/news/2015/04/wordpress-4-1-2/ Reference: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438 [i] Fixed in: 4.1.2 [!] Title: WordPress <= 4.0 - CSRF in wp-login.php Password Reset Reference: https://wpvulndb.com/vulnerabilities/7691 Reference: https://core.trac.wordpress.org/changeset/30418 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9033 [i] Fixed in: 4.0.1 [!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8111 Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/ Reference: https://twitter.com/klikkioy/status/624264122570526720 Reference: https://klikki.fi/adv/wordpress3.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623 [i] Fixed in: 3.9.7 [!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection Reference: https://wpvulndb.com/vulnerabilities/8126 Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213 [i] Fixed in: 3.9.8 [!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack Reference: https://wpvulndb.com/vulnerabilities/8130 Reference: https://core.trac.wordpress.org/changeset/33536 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730 [i] Fixed in: 3.9.8 [!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8131 Reference: https://core.trac.wordpress.org/changeset/33529 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732 [i] Fixed in: 3.9.8 [!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8132 Reference: https://core.trac.wordpress.org/changeset/33541 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733 [i] Fixed in: 3.9.8 [!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8133 Reference: https://core.trac.wordpress.org/changeset/33549 Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734 [i] Fixed in: 3.9.8 [!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8186 Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/ Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/ Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714 [i] Fixed in: 3.9.9 [!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8187 Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/ Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989 [i] Fixed in: 3.9.9 [!] Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue Reference: https://wpvulndb.com/vulnerabilities/8188 Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/ Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/ Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715 [i] Fixed in: 3.9.9 [!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/8358 Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/ Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564 [i] Fixed in: 3.9.10 [!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF) Reference: https://wpvulndb.com/vulnerabilities/8376 Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/ Reference: https://core.trac.wordpress.org/changeset/36435 Reference: https://hackerone.com/reports/110801 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222 [i] Fixed in: 3.9.11 [!] Title: WordPress 3.7-4.4.1 - Open Redirect Reference: https://wpvulndb.com/vulnerabilities/8377 Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/ Reference: https://core.trac.wordpress.org/changeset/36444 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221 [i] Fixed in: 3.9.11 [!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses Reference: https://wpvulndb.com/vulnerabilities/8473 Reference: https://codex.wordpress.org/Version_4.5 Reference: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029 [i] Fixed in: 4.5 [!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings Reference: https://wpvulndb.com/vulnerabilities/8474 Reference: https://codex.wordpress.org/Version_4.5 Reference: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634 [i] Fixed in: 4.5 [!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF Reference: https://wpvulndb.com/vulnerabilities/8475 Reference: https://codex.wordpress.org/Version_4.5 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635 [i] Fixed in: 4.5 [!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME) Reference: https://wpvulndb.com/vulnerabilities/8489 Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/ Reference: https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8 Reference: https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e Reference: http://avlidienbrunn.com/wp_some_loader.php Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566 [i] Fixed in: 3.9.12 [!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure Reference: https://wpvulndb.com/vulnerabilities/8519 Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/ Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1 Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835 [i] Fixed in: 3.9.13 [!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post Reference: https://wpvulndb.com/vulnerabilities/8520 Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/ Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837 [i] Fixed in: 3.9.13 [!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename Reference: https://wpvulndb.com/vulnerabilities/8615 Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/ Reference: https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0 Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html Reference: http://seclists.org/fulldisclosure/2016/Sep/6 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168 [i] Fixed in: 3.9.14 [!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader Reference: https://wpvulndb.com/vulnerabilities/8616 Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/ Reference: https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169 [i] Fixed in: 3.9.14 [!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php Reference: https://wpvulndb.com/vulnerabilities/8716 Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488 [i] Fixed in: 3.9.15 [!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback Reference: https://wpvulndb.com/vulnerabilities/8718 Reference: https://www.mehmetince.net/low-severity-wordpress/ Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/ Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490 [i] Fixed in: 3.9.15 [!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default Reference: https://wpvulndb.com/vulnerabilities/8719 Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491 [i] Fixed in: 3.9.15 [!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF) Reference: https://wpvulndb.com/vulnerabilities/8720 Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733 Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492 [i] Fixed in: 3.9.15 [!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG) Reference: https://wpvulndb.com/vulnerabilities/8721 Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4 Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493 [i] Fixed in: 3.9.15 [!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection Reference: https://wpvulndb.com/vulnerabilities/8730 Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611 [i] Fixed in: 3.9.16 [!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata Reference: https://wpvulndb.com/vulnerabilities/8765 Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7 Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html Reference: http://seclists.org/oss-sec/2017/q1/563 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814 [i] Fixed in: 3.9.17 [!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation Reference: https://wpvulndb.com/vulnerabilities/8766 Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815 [i] Fixed in: 3.9.17 [!] Title: WordPress 2.3-4.7.5 - Host Header Injection in Password Reset Reference: https://wpvulndb.com/vulnerabilities/8807 Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295 [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation Reference: https://wpvulndb.com/vulnerabilities/8815 Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066 [i] Fixed in: 3.9.19 [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC Reference: https://wpvulndb.com/vulnerabilities/8816 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/ Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062 [i] Fixed in: 3.9.19 [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks Reference: https://wpvulndb.com/vulnerabilities/8817 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/ Reference: https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065 [i] Fixed in: 3.9.19 [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF Reference: https://wpvulndb.com/vulnerabilities/8818 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/ Reference: https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67 Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064 [i] Fixed in: 3.9.19 [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS Reference: https://wpvulndb.com/vulnerabilities/8819 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/ Reference: https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6 Reference: https://hackerone.com/reports/203515 Reference: https://hackerone.com/reports/203515 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061 [i] Fixed in: 3.9.19 [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF Reference: https://wpvulndb.com/vulnerabilities/8820 Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/ Reference: https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063 [i] Fixed in: 3.9.19 [+] WordPress theme in use: twentyfourteen - v1.1 [+] Name: twentyfourteen - v1.1 | Last updated: 2017-06-08T00:00:00.000Z | Location: http://54.250.246.4/wp-content/themes/twentyfourteen/ [!] The version is out of date, the latest version is 2.0 | Style URL: http://54.250.246.4/wp-content/themes/twentyfourteen/style.css | Theme Name: Twenty Fourteen | Theme URI: http://wordpress.org/themes/twentyfourteen | Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des... | Author: the WordPress team | Author URI: http://wordpress.org/ [+] Enumerating plugins from passive detection ... [+] No plugins found [+] Finished: Wed Aug 30 04:39:45 2017 [+] Requests Done: 73 [+] Memory used: 25.367 MB [+] Elapsed time: 00:00:00
いくつかピックアップして読み取ると以下の様な感じですね。
- readme.html が外部から見れる様になってる (バージョン情報が丸わかりなので危険)
- wp-includes 以下のディレクトリが外部から見れる様になっている
- 42個 の脆弱性が見つかっている(バージョンが古いことに起因)
- テーマ Twenty Fourteen のバージョンが古い
外部からのアクセスのみでこれだけの情報がわかります。知識のある人から見たらすぐにでサービス停止に持っていける様な情報です。
脆弱性の多くはバージョンが古いことに起因しているので、少なくともこれを見たらバージョン上げようという気になりますね。
この様に WPScan を使うと外部からのセキュリティチェックを実施することができます。
また、オプションも色々あり、攻撃を仕掛けたりログインを総当たりのパスワードで試みたり、ということもできます。
攻撃者のツールとしても使うことができてしまいますね。(やめてください。)