apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan/
gem install bundler && bundle install --without test

b. Basic usage
ruby wpscan.rb --url www.tanjiti.com --enumerate

The following is a sample of the scan output:
[+] URL: http://www.tanjiti.com
[+] Started: Tue Oct 28 15:46:30 2014
[!] The WordPress 'http://www.tanjiti.com/readme.html' file exists
[+] XML-RPC Interface available under: http://www.tanjiti.com/xmlrpc.php
[!] Upload directory has directory listing enabled: http://www.tanjiti.com/wp-content/uploads/
[+] WordPress version 4.0 identified from meta generator
[+] WordPress theme in use: twentyfourteen - v1.2
[+] Name: twentyfourteen - v1.2
| Location: http://www.tanjiti.com/wp-content/themes/twentyfourteen/
| Style URL: http://www.tanjiti.com/wp-content/themes/twentyfourteen/style.css
| Referenced style.css: http://www.tanjiti.com/wp-content/themes/twentyfourteen/style.css
| Theme Name: Twenty Fourteen
| Theme URI: http://wordpress.org/themes/twentyfourteen
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
| Author: the WordPress team
| Author URI: http://wordpress.org/
[+] Enumerating installed plugins (only vulnerable ones) ...
Time: 00:00:37 <==============================================> (880 / 880) 100.00% Time: 00:00:37
[+] No plugins found
[+] Enumerating installed themes (only vulnerable ones) ...
Time: 00:00:16 <==============================================> (308 / 308) 100.00% Time: 00:00:16
[+] No themes found
[+] Enumerating timthumb files ...
Time: 00:01:48 <============================================> (2539 / 2539) 100.00% Time: 00:01:48
[+] No timthumb files found
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+---------+---------+
| Id | Login   | Name    |
+----+---------+---------+
| 1  | tanjiti | tanjiti |
+----+---------+---------+
[+] Finished: Tue Oct 28 15:49:34 2014
To record every request wpscan sends (with a randomised User-Agent instead of its default one), capture the debug output to a file:

ruby wpscan.rb --url www.tanjiti.com --debug-output --random-agent >debug.log
Take the XML-RPC DoS that was widely reported a while ago as the example (the vulnerability itself is described in the earlier post [科普]什么是 billion laughs-WordPress与Drupal的DoS攻击有感, "What is billion laughs: the WordPress and Drupal DoS"). Metasploit already has modules for it:

msf > search wordpress
Matching Modules
================

   Name                                          Disclosure Date  Rank    Description
   ----                                          ---------------  ----    -----------
   auxiliary/admin/http/wp_custom_contact_forms  2014-08-07       normal  WordPress custom-contact-forms Plugin SQL Upload
   auxiliary/dos/http/wordpress_xmlrpc_dos       2014-08-06       normal  Wordpress XMLRPC DoS
(To repeat: the point is not msf itself. You can only choose the right defence once you understand the attack.)

msf > use auxiliary/dos/http/wordpress_xmlrpc_dos
msf auxiliary(wordpress_xmlrpc_dos) > show options
Module options (auxiliary/dos/http/wordpress_xmlrpc_dos):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        Use a proxy chain
   RHOST                       yes       The target address
   RLIMIT     1000             yes       Number of requests to send
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host
msf auxiliary(wordpress_xmlrpc_dos) > set RHOST www.tanjiti.com
RHOST => xxx
msf auxiliary(wordpress_xmlrpc_dos) > set TARGETURI /
TARGETURI => /
msf auxiliary(wordpress_xmlrpc_dos) > run
For installing ModSecurity and the basics of writing rules, see the earlier post [科普文]ubuntu上安装Apache2+ModSecurity及自定义WAF规则 (installing Apache2 + ModSecurity on Ubuntu and writing custom WAF rules). The custom rules go in:
vim /usr/share/modsecurity-crs/activated_rules/MY.conf
(1) Add a rule that denies every request to xmlrpc.php, the endpoint the DoS module above hammers. This also cuts off legitimate XML-RPC clients (Jetpack, the WordPress mobile apps); if those are needed, restrict the rule by source address or match only the pingback.ping method in the request body instead:
SecRule REQUEST_URI "@endsWith /xmlrpc.php" "deny,tag:'WEB_ATTACK/WORDPRESS',msg:'block wordpress xmlrpc.php',id:0000003,phase:2"
service apache2 restart
With the rule active, probe the endpoint again, this time with the pingback scanner module:

msf auxiliary(wordpress_xmlrpc_dos) > use auxiliary/scanner/http/wordpress_pingback_access
msf auxiliary(wordpress_pingback_access) > show options
Module options (auxiliary/scanner/http/wordpress_pingback_access):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        Use a proxy chain
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The path to wordpress installation (e.g. /wordpress/)
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host
msf auxiliary(wordpress_pingback_access) > set RHOSTS www.tanjiti.com
RHOSTS => xxx
msf auxiliary(wordpress_pingback_access) > set TARGETURI /
TARGETURI => /
msf auxiliary(wordpress_pingback_access) > run
On the server, ModSecurity's audit log records the match:

Message: Warning. String match "/xmlrpc.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "4"] [id "0000003"] [msg "block wordpress xmlrpc.php"] [tag "WEB_ATTACK/WORDPRESS"]

A "Warning." entry means the engine is running with SecRuleEngine DetectionOnly: the rule matched but the request was still served. With SecRuleEngine On the same entry reads "Access denied with code 403 (phase 2)." and the scanner gets a 403.
(2) Add a rule that blocks wpscan's default User-Agent:

SecRule REQUEST_HEADERS:User-Agent "@contains wpscan" "t:lowercase,deny,tag:'WEB_ATTACK/WORDPRESS',msg:'block wpscanner default useragent',id:0000004,phase:1"

Run wpscan again and the match shows up in the log:

Message: Warning. String match "wpscan" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "6"] [id "0000004"] [msg "block wpscanner default useragent"] [tag "WEB_ATTACK/WORDPRESS"]

This only catches the default agent string; --random-agent (used above) or --user-agent sidesteps it, so treat it as noise reduction rather than a real control.
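As an added example (not from the original post and not part of ModSecurity), here is a small Python parser for the "Message:" lines ModSecurity writes to its audit log, of the kind shown above. It pulls out the rule id, message, tags and matched string, counts hits per rule, and flags rules that only ever logged "Warning." and never "Access denied", which is the tell-tale that the engine is still in DetectionOnly mode and the deny action is not in force. The log lines are constructed to look like the two excerpts above, with a hypothetical third line showing a real block; the rule ids and file path are the ones from the rules above.

```python
import re
from collections import Counter

# Constructed audit-log "Message:" lines (not copied from a real server). The first two
# mirror the excerpts above; the third is a hypothetical entry from a server running
# SecRuleEngine On, where the same rule actually denies the request.
SAMPLE_LOG = """\
Message: Warning. String match "/xmlrpc.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "4"] [id "0000003"] [msg "block wordpress xmlrpc.php"] [tag "WEB_ATTACK/WORDPRESS"]
Message: Warning. String match "wpscan" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "6"] [id "0000004"] [msg "block wpscanner default useragent"] [tag "WEB_ATTACK/WORDPRESS"]
Message: Access denied with code 403 (phase 1). String match "wpscan" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "6"] [id "0000004"] [msg "block wpscanner default useragent"] [tag "WEB_ATTACK/WORDPRESS"]
Apache-Handler: application/x-httpd-php
"""

# "Warning." = the rule matched but the engine is in DetectionOnly mode;
# "Access denied with code NNN (phase N)." = the deny action really fired.
MESSAGE_RE = re.compile(
    r'Message: (?P<action>Warning|Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\))\. '
    r'(?P<detail>.*?)\s*(?P<kv>(?:\[\w+ "[^"]*"\]\s*)+)$'
)
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_message(line):
    """Parse one audit-log Message line into a dict, or return None for any other line."""
    m = MESSAGE_RE.search(line)
    if not m:
        return None
    pairs = KV_RE.findall(m.group("kv"))
    fields = dict(pairs)
    return {
        "blocked": m.group("action") != "Warning",
        "status": int(m.group("code")) if m.group("code") else None,
        "detail": m.group("detail"),      # e.g. String match "wpscan" at REQUEST_HEADERS:User-Agent.
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "file": fields.get("file"),
        "line": fields.get("line"),
        "tags": [v for k, v in pairs if k == "tag"],   # CRS rules usually carry several tags
    }


def summarize(log_text):
    """Hits per rule id, plus the ids that only ever logged a Warning (never denied anything)."""
    events = [e for e in map(parse_message, log_text.splitlines()) if e]
    hits = Counter(e["rule_id"] for e in events)
    denied = {e["rule_id"] for e in events if e["blocked"]}
    audit_only = sorted(set(hits) - denied)
    return {"events": events, "hits": hits, "audit_only": audit_only}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for rule_id, n in sorted(report["hits"].items()):
        print(f"rule {rule_id}: {n} match(es)")
    if report["audit_only"]:
        print("matched but never denied (DetectionOnly?):", ", ".join(report["audit_only"]))
```

Run it against the real audit log (for example the H sections of /var/log/apache2/modsec_audit.log) after a wpscan run: a rule id that appears only under "audit_only" is one whose deny never took effect.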
Deny direct access to editor swap files and backup copies, for example wp-config.php~ or wp-config.php.bak, which Apache would otherwise serve as plain text and so leak the database credentials:

vim /etc/apache2/apache2.conf

<FilesMatch "\.(sw[po]|old|save|bak|orig(?:inal)?|php(?:~|_bak|\x23))$">
    Require all denied
</FilesMatch>
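The value of this rule depends entirely on what the regular expression catches, and a suffix list is never complete. As an added example (mine, not from the post), the Python below runs the same pattern over a constructed list of file names an attacker would probe for, and puts it next to a second, prefix-based rule that is an assumption of this example and not on the page: deny anything named wp-config.php with any suffix at all. WordPress loads wp-config.php with require() straight from disk, so denying it over HTTP breaks nothing.

```python
import re

# The FilesMatch pattern from the Apache config above, unchanged (\x23 is '#').
BACKUP_SUFFIX = re.compile(r"\.(sw[po]|old|save|bak|orig(?:inal)?|php(?:~|_bak|\x23))$")

# Added for this example (an assumption, not a rule from the post): deny anything whose
# name starts with wp-config.php, whatever was appended to it. PHP reads the file from
# disk via require(), so blocking it over HTTP does not affect the site.
WP_CONFIG_ANY = re.compile(r"^wp-config\.php")


def denied_by(name):
    """Which rule(s) would reject an HTTP request for this file name."""
    hits = []
    if BACKUP_SUFFIX.search(name):
        hits.append("suffix")
    if WP_CONFIG_ANY.search(name):
        hits.append("wp-config")
    return hits


# Constructed probe list: the leftovers editors and admins typically leave behind,
# a few names the suffix rule misses, and some legitimate files as controls.
CANDIDATES = [
    "wp-config.php~", "wp-config.php.bak", "wp-config.php.orig", "wp-config.php.original",
    "wp-config.php.save", "wp-config.php.old", "wp-config.php#", "wp-config.php_bak",
    ".wp-config.php.swp",                      # Vim swap file: hidden, dot-prefixed
    "wp-config.php.txt", "wp-config.php.1",    # served as text by the suffix rule alone
    "wp-config.php", "index.php", "readme.txt", "style.css",
]


def coverage(names=CANDIDATES):
    """Map each name to the rules that deny it; [] means the server would serve it."""
    return {n: denied_by(n) for n in names}


def suffix_rule_gaps(names=CANDIDATES):
    """wp-config leftovers that the original suffix-only rule would still serve."""
    return [n for n in names
            if n.startswith("wp-config.php") and n != "wp-config.php"
            and "suffix" not in denied_by(n)]


if __name__ == "__main__":
    for name, rules in coverage().items():
        print(f"{name:24} {'denied by ' + ','.join(rules) if rules else 'SERVED'}")
    print("gaps in the suffix rule:", suffix_rule_gaps())
```

The Apache form of the second rule would be another FilesMatch block with the pattern "^wp-config\.php" and Require all denied. The two are complementary rather than redundant: the prefix rule closes the .txt and numbered-copy gaps, while the suffix rule still covers Vim's dot-prefixed swap file (.wp-config.php.swp), which the prefix rule does not match.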
service apache2 restart

5. WordPress hardening: enable security headers
Edit the security snippet (the Header directive needs mod_headers, so run a2enmod headers first if it is not already enabled):

vim /etc/apache2/conf-available/security.conf
(1) Prevent MIME-type sniffing, and the content-type confusion attacks it enables, in IE9, Chrome and Safari:

Header set X-Content-Type-Options "nosniff"

(2) Prevent clickjacking: only pages from the same origin as the site may load the protected resources in a frame.

Header set X-Frame-Options "sameorigin"

(3) Turn on the browser's XSS filter and have it block the page rather than try to sanitise the injected script. Current Chrome, Edge and Firefox no longer implement this filter and ignore the header; a Content-Security-Policy is what controls script execution in those browsers.

Header set X-XSS-Protection "1; mode=block"
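These headers are easy to set and just as easy to lose (a later Header unset, a vhost that does not include security.conf, mod_headers not enabled), so it is worth checking what the server actually sends. The following is an added example, not code from the post: a Python check that parses a raw HTTP response and reports which of the three headers are missing, repeated with conflicting values, or set to something other than the values above. Two responses are constructed inline, one before and one after the change; neither was captured from a real server.

```python
from collections import defaultdict

# Constructed responses (not captured from a real server): the same page before
# and after the three Header directives above are applied.
RAW_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 28 Oct 2014 07:46:30 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<!DOCTYPE html><html>...</html>"
)
RAW_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 28 Oct 2014 07:49:34 GMT\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<!DOCTYPE html><html>...</html>"
)

# Accepted values per header, compared case-insensitively with whitespace removed.
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"sameorigin", "deny"},
    "x-xss-protection": {"1;mode=block"},
}


def parse_headers(raw):
    """Return {lowercased name: [values...]} for the header block of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers


def normalise(value):
    return "".join(value.split()).lower()


def audit(raw):
    """Problems with the security headers in a raw response; [] means all three are set as above."""
    headers = parse_headers(raw)
    findings = []
    for name, ok in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing {name}")
        elif len({normalise(v) for v in values}) > 1:
            # The same header sent twice with different values; which one a browser
            # honours is not something to rely on.
            findings.append(f"conflicting {name}: {values}")
        elif normalise(values[0]) not in ok:
            findings.append(f"unexpected {name}: {values[0]}")
    return findings


if __name__ == "__main__":
    for label, raw in (("before", RAW_BEFORE), ("after", RAW_AFTER)):
        print(label, audit(raw) or "ok")
```

To check a live server, feed it the output of curl -si http://www.tanjiti.com/ (the -i flag keeps the headers). Run it against the login page and an uploaded file as well as the front page, since per-directory or per-vhost configuration can override security.conf.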
service apache2 restart

6. WordPress hardening: brute-force protection for the login page

