How to secure WordPress? (1)
I recently read "Protecting WordPress Installations in an IaaS Environment", published by infosec, and decided to do some hardening on my WordPress install, which has been running naked until now.
WordPress is the go-to choice for Chinese users setting up a personal blog, much as Discuz is the go-to choice for forums (speaking of which, Discuz just had a big hole disclosed: a global-variable bypass leading to command execution. Sigh. Open-source web apps are beehives that produce getshells instead of honey.)
WordPress is famous for its wealth of plugins (and plugin vulnerabilities), so an attacker will usually start by fingerprinting the WordPress site (setting aside the shortcut of brute-forcing or social-engineering the admin login).
1. wpscan – a WordPress fingerprinting and vulnerability-checking tool
The project site has been blocked by the GFW in its usual deranged fashion, so hop the wall with Psiphon, lads, or use the Kali pentesting distribution (the point here is not wpscan itself: you have to understand the attack before you can put the matching defence in place).
a. Installation
Using Ubuntu as the example:
apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan/
gem install bundler && bundle install --without test
b. Basic usage
Enumerate site information: usernames, plugins, themes and so on
ruby wpscan.rb --url http://www.zjjv.com/ --enumerate
A sample of the scan output:
[+] URL: http://http://www.zjjv.com//
[+] Started: Tue Oct 28 15:46:30 2014
[!] The WordPress 'http://http://www.zjjv.com///readme.html' file exists
[+] XML-RPC Interface available under: http://http://www.zjjv.com///xmlrpc.php
[!] Upload directory has directory listing enabled: http://http://www.zjjv.com///wp-content/uploads/
[+] WordPress version 4.0 identified from meta generator
[+] WordPress theme in use: twentyfourteen - v1.2
[+] Name: twentyfourteen - v1.2
| Location: http://http://www.zjjv.com///wp-content/themes/twentyfourteen/
| Style URL: http://http://www.zjjv.com///wp-content/themes/twentyfourteen/style.css
| Referenced style.css: http://http://www.zjjv.com///wp-content/themes/twentyfourteen/style.css
| Theme Name: Twenty Fourteen
| Theme URI: http://http://www.zjjv.com///themes/twentyfourteen
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
| Author: the WordPress team
| Author URI: http://http://www.zjjv.com///
[+] Enumerating installed plugins (only vulnerable ones) ...
Time: 00:00:37 <==============================================> (880 / 880) 100.00% Time: 00:00:37
[+] No plugins found
[+] Enumerating installed themes (only vulnerable ones) ...
Time: 00:00:16 <==============================================> (308 / 308) 100.00% Time: 00:00:16
[+] No themes found
[+] Enumerating timthumb files ...
Time: 00:01:48 <============================================> (2539 / 2539) 100.00% Time: 00:01:48
[+] No timthumb files found
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+---------+---------+
| Id | Login | Name |
+----+---------+---------+
| 1 | tanjiti | tanjiti |
+----+---------+---------+
[+] Finished: Tue Oct 28 15:49:34 2014
To see the detailed probe information:
ruby wpscan.rb --url http://www.zjjv.com/ --debug-output --random-agent >debug.log
(Note: wpscan's default User-Agent is WPScan v2.5.1 (http://http://www.zjjv.com//). One piece of scanner common sense is to use a normal-looking, varying UA so as not to trip a WAF or similar defence; for the same reason, a defence that only matches the default UA will miss most real scans.)
Simply reading through the log shows how wpscan collects its information. For example, it:
checks the response header X-Pingback: http://http://www.zjjv.com///xmlrpc.php (xmlrpc vulnerabilities)
checks xmlrpc.php (xmlrpc vulnerabilities)
checks the robots.txt file (sensitive information disclosure)
checks the readme.html file (sensitive information disclosure)
checks /wp-content/debug.log (sensitive information disclosure)
checks for leftover copies of the configuration file (if the config file can be read in plaintext, the site is basically done for): wp-config.php.swo, %23wp-config.php%23 (%23 is a URL-encoded #), wp-config.orig, wp-config.php_bak, wp-config.original, wp-config.php.orig, wp-config.php.old, .wp-config.php.swp, wp-config.php.save, wp-config.bak, wp-config.txt, wp-config.php~, wp-config.save, wp-config.old, wp-config.php.swp (sensitive information disclosure)
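A detection-side companion to the checks above, added here as an example and not part of the original post: it reads web-server access logs in the combined format (the log lines below are constructed, not real traffic) and looks for the request pattern wpscan leaves behind, using the probe paths from the post's list. A client is flagged either when it sends the default WPScan User-Agent (the URL inside that UA string is assumed) or, because the post notes that scanners vary their UA, when it requests several distinct probe paths within a short window regardless of UA. The function names and thresholds are my own choices.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Paths wpscan requests while collecting information, taken from the post's list.
WP_CONFIG_BACKUPS = [
    "wp-config.php.swo", "#wp-config.php#", "wp-config.orig", "wp-config.php_bak",
    "wp-config.original", "wp-config.php.orig", "wp-config.php.old",
    ".wp-config.php.swp", "wp-config.php.save", "wp-config.bak", "wp-config.txt",
    "wp-config.php~", "wp-config.save", "wp-config.old", "wp-config.php.swp",
]
# robots.txt is deliberately left out: legitimate crawlers fetch it constantly,
# so on its own it says nothing about scanning.
PROBE_PATHS = {"/readme.html", "/xmlrpc.php", "/wp-content/debug.log"} | {
    "/" + name for name in WP_CONFIG_BACKUPS
}

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

# Constructed sample log (not real traffic). 203.0.113.5 scans with the default UA
# (URL in the UA string assumed); 198.51.100.7 scans with a browser-like UA; 192.0.2.9 is a crawler.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2014:15:46:30 +0800] "GET /readme.html HTTP/1.1" 200 7154 "-" "WPScan v2.5.1 (http://wpscan.org)"
203.0.113.5 - - [28/Oct/2014:15:46:31 +0800] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "WPScan v2.5.1 (http://wpscan.org)"
198.51.100.7 - - [28/Oct/2014:15:50:01 +0800] "GET /wp-config.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
198.51.100.7 - - [28/Oct/2014:15:50:01 +0800] "GET /wp-config.php~ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
198.51.100.7 - - [28/Oct/2014:15:50:02 +0800] "GET /%23wp-config.php%23 HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
198.51.100.7 - - [28/Oct/2014:15:50:02 +0800] "GET /wp-content/debug.log HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
198.51.100.7 - - [28/Oct/2014:15:50:03 +0800] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
192.0.2.9 - - [28/Oct/2014:15:55:10 +0800] "GET /robots.txt HTTP/1.1" 200 67 "-" "Googlebot/2.1"
192.0.2.9 - - [28/Oct/2014:15:55:11 +0800] "GET /2014/10/hello-world/ HTTP/1.1" 200 9120 "-" "Googlebot/2.1"
"""


def parse_line(line):
    """Parse one combined-format log line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    # Decode %23 etc. so "/%23wp-config.php%23" matches "/#wp-config.php#"; drop any query string.
    path = unquote(path.split("?", 1)[0])
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status), "ua": ua}


def max_distinct_in_window(events, window):
    """events: (timestamp, path) pairs sorted by time. Return the largest number of
    distinct probe paths requested within any span of `window` seconds."""
    best, left, counts = 0, 0, Counter()
    for ts, path in events:
        counts[path] += 1
        # Slide the left edge forward until the span fits inside the window.
        while (ts - events[left][0]).total_seconds() > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_wpscan(log_text, window=60, threshold=3):
    """Return {ip: finding} for clients that either announce the default wpscan UA
    or request at least `threshold` distinct probe paths within `window` seconds."""
    by_ip = defaultdict(list)
    default_ua_ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].startswith("WPScan"):
            default_ua_ips.add(rec["ip"])
        if rec["path"] in PROBE_PATHS:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        n = max_distinct_in_window(events, window)
        if n >= threshold or ip in default_ua_ips:
            findings[ip] = {"distinct_probes": n, "default_ua": ip in default_ua_ips,
                            "paths": sorted({p for _, p in events})}
    for ip in default_ua_ips:
        if ip not in findings:  # UA hit but no probe paths (e.g. it only fetched robots.txt)
            findings[ip] = {"distinct_probes": 0, "default_ua": True, "paths": []}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_wpscan(SAMPLE_LOG).items():
        print(ip, finding)
```

Run it as a script to print the findings for the sample log, or pass the text of a real access.log to detect_wpscan(); tune window and threshold to the site's normal traffic. Note that a 404 on wp-config.bak still counts: the scan happened even though that particular file was not exposed, which is exactly the signal the UA-only rule misses.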
Once the fingerprint is known, the attacker will usually go to an exploit database or framework, such as MSF, to look for a usable vulnerability.