How to Scan and Check a WordPress Site with WPScan, Nmap and Nikto
Introduction
Millions of websites run on WordPress, and there is a good reason for that. WordPress is the most developer-friendly of the many content management systems; essentially, you can do anything with it. Unfortunately, every day brings alarming reports that some major website has been hacked, or some important database has been leaked, and they scare people badly.
If you have not installed WordPress yet, see the following articles.
On Debian-based systems:
- How to install WordPress on Ubuntu http://www.linuxidc.com/Linux/2015-02/112648.htm
On RPM-based systems:
- Installing and configuring an LNMP server (Nginx+PHP+MySQL) on CentOS 6.4 and setting up WordPress http://www.linuxidc.com/Linux/2014-08/105128.htm
The checklist in my earlier article, How to Harden a WordPress Site, gives readers some help in keeping WordPress secure.
In this article I will cover installing wpscan and using it to locate the known plugins and themes that make your site vulnerable. I will also cover installing and using nmap, a free network exploration and security scanning tool. Finally, I will show the steps for using nikto.
Testing WordPress for vulnerable plugins and themes with WPScan
WPScan is a black-box WordPress security scanner written in Ruby, built specifically to find known WordPress vulnerabilities. It gives security professionals and WordPress administrators a way to assess their WordPress sites. It is open source and released under the GPLv3.
Downloading and installing WPScan
Before we start installing, it is important to note that wpscan does not run on Windows, so you will need a Linux or OS X machine for what follows. If you only have Windows, you can download VirtualBox and install any Linux distribution you like in a virtual machine.
WPScan's source code is hosted on GitHub, so git has to be installed first (LCTT translator's note: you can also download the packaged source directly from GitHub instead of installing git).
sudo apt-get install git
With git installed, we install wpscan's dependencies.
sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev ruby1.9.3
Clone wpscan from GitHub.
git clone https://github.com/wpscanteam/wpscan.git
Now we can enter the newly created wpscan directory and install the required Ruby gems with bundler.
cd wpscan
sudo gem install bundler && bundle install --without test development
With wpscan installed, we can use it to search our WordPress site for potentially vulnerable files. The most important aspect of wpscan is that it can enumerate not only plugins and themes but also users and timthumb (thumbnail) files. WPScan can also be used to brute-force WordPress logins, but that is not covered in this article.
Updating WPScan
ruby wpscan.rb --update
Enumerating plugins
To list all plugins, just add the "--enumerate p" argument, like this:
ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate p
Or list only the vulnerable plugins:
ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate vp
Here is some sample output:
| Name: ukiscet
| Location: http://********.com/wp-content/plugins/akismet/
| Name: audio-player
| Location: http://********.com/wp-content/plugins/audio-player/
|
| * Title: Audio Player - player.swf playerID Parameter XSS
| * Reference: http://seclists.org/bugtraq/2013/Feb/35
| * Reference: http://secunia.com/advisories/52083
| * Reference: http://osvdb.org/89963
| * Fixed in: 2.0.4.6
| Name: bbpress - v2.3.2
| Location: http://********.com/wp-content/plugins/bbpress/
| Readme: http://********.com/wp-content/plugins/bbpress/readme.txt
|
| * Title: BBPress - Multiple Script Malformed Input Path Disclosure
| * Reference: http://xforce.iss.net/xforce/xfdb/78244
| * Reference: http://packetstormsecurity.com/files/116123/
| * Reference: http://osvdb.org/86399
| * Reference: http://www.exploit-db.com/exploits/22396/
|
| * Title: BBPress - forum.php page Parameter SQL Injection
| * Reference: http://xforce.iss.net/xforce/xfdb/78244
| * Reference: http://packetstormsecurity.com/files/116123/
| * Reference: http://osvdb.org/86400
| * Reference: http://www.exploit-db.com/exploits/22396/
| Name: contact
| Location: http://********.com/wp-content/plugins/contact/
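As an added example (not part of the original article, nor of WPScan itself), the Ruby script below parses the "--enumerate vp" report format shown above into structured findings and sorts findings that list no "Fixed in" version to the top, since the report offers no upgrade that closes them. The SAMPLE report is constructed to mirror the format above, with example.com standing in for the scanned host.

```ruby
# Added example (not from the article): parse the text report WPScan prints for
# "--enumerate vp" into structured findings for triage. SAMPLE is constructed to
# mirror the format shown in the article; example.com stands in for the scanned site.
SAMPLE = <<~REPORT
  | Name: audio-player
  | Location: http://example.com/wp-content/plugins/audio-player/
  |
  | * Title: Audio Player - player.swf playerID Parameter XSS
  | * Reference: http://osvdb.org/89963
  | * Fixed in: 2.0.4.6
  | Name: bbpress - v2.3.2
  | Location: http://example.com/wp-content/plugins/bbpress/
  | * Title: BBPress - forum.php page Parameter SQL Injection
  | * Reference: http://osvdb.org/86400
  | Name: contact
  | Location: http://example.com/wp-content/plugins/contact/
REPORT

# Returns one hash per plugin: { name:, version:, location:, vulns: [...] }
def parse_wpscan_report(text)
  plugins = []
  vuln = nil
  text.each_line do |raw|
    line = raw.sub(/\A\s*\|\s*/, '').rstrip   # drop the "|" gutter
    case line
    when /\AName:\s*(\S+)(?:\s*-\s*v(\S+))?/      # "Name: bbpress - v2.3.2"
      plugins << { name: $1, version: $2, location: nil, vulns: [] }
      vuln = nil
    when /\ALocation:\s*(\S+)/
      plugins.last[:location] = $1 if plugins.last
    when /\A\*\s*Title:\s*(.+)/
      vuln = { title: $1, references: [], fixed_in: nil }
      plugins.last[:vulns] << vuln if plugins.last
    when /\A\*\s*Reference:\s*(\S+)/
      vuln[:references] << $1 if vuln
    when /\A\*\s*Fixed in:\s*(\S+)/
      vuln[:fixed_in] = $1 if vuln
    end
  end
  plugins
end

# Triage rows [plugin, title, fixed_in]; findings without a "Fixed in" version
# sort first because the report lists no upgrade that closes them.
def triage(plugins)
  rows = plugins.flat_map { |p| p[:vulns].map { |v| [p[:name], v[:title], v[:fixed_in]] } }
  rows.sort_by { |_, _, fixed| fixed ? 1 : 0 }
end

triage(parse_wpscan_report(SAMPLE)).each { |row| puts row.join(' | ') }
```

Pipe a real run through it with `ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate vp | ruby triage.rb` after replacing SAMPLE with `$stdin.read`.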
Enumerating themes
Enumerating themes works much like enumerating plugins; just use "--enumerate t".
ruby wpscan.rb --url http(s)://www.host-name.com --enumerate t
Or list only the vulnerable themes:
ruby wpscan.rb --url http(s)://www.host-name.com --enumerate vt
Sample output:
| Name: path
| Location: http://********.com/wp-content/themes/path/
| Style URL: http://********.com/wp-content/themes/path/style.css
| Description:
| Name: pub
| Location: http://********.com/wp-content/themes/pub/
| Style URL: http://********.com/wp-content/themes/pub/style.css
| Description:
| Name: rockstar
| Location: http://********.com/wp-content/themes/rockstar/
| Style URL: http://********.com/wp-content/themes/rockstar/style.css
| Description:
|
| * Title: WooThemes WooFramework Remote Unauthenticated Shortcode Execution
| * Reference: https://gist.github.com/2523147
| Name: twentyten
| Location: http://********.com/wp-content/themes/twentyten/
| Style URL: http://********.com/wp-content/themes/twentyten/style.css
| Description:
Enumerating users
WPScan can also enumerate the users of a WordPress site and their valid logins. Attackers often do this to obtain a list of users for brute-forcing.
ruby wpscan.rb --url http(s)://www.host-name.com --enumerate u
Enumerating Timthumb files
The last WPScan feature I will mention is enumerating timthumb (thumbnail) related files. In recent years timthumb has become a common target for attackers, because countless vulnerabilities in it have been found and posted to forums, mailing lists and so on. The following command uses wpscan to find vulnerable timthumb files:
ruby wpscan.rb --url http(s)://www.host-name.com --enumerate tt