How to Secure WordPress? (1)

December 26, 2014

I recently read infosec's "Protecting WordPress Installations in an IaaS Environment" and decided to do some security hardening on my WordPress install, which has been running with no protection at all.

WordPress is the first choice of Chinese users setting up a personal blog, in the same way that Discuz is the first choice for setting up a forum (speaking of which, Discuz just had a big command-execution hole reported, caused by a global-variable bypass; alas, open-source apps are beehives that produce getshells rather than honey).

WordPress is famous for its wealth of plugins (and plugin vulnerabilities), so an attacker will generally start by fingerprinting the WordPress install (leaving aside the shortcut of brute-forcing or social-engineering the admin login).

1. wpscan – WordPress fingerprinting and vulnerability checking tool

The wpscan site has been blocked by the GFW in its deranged wisdom; climb over the wall with psiphon, kids, or just use the Kali penetration-testing distribution (the point here is not wpscan itself: only by understanding the attack can you put the matching defenses in place).

a. Installation

Using Ubuntu as the example:

apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan/
gem install bundler && bundle install --without test

b. Basic usage

Enumerate site information: usernames, plugins, themes and so on.

ruby wpscan.rb --url http://www.zjjv.com/ --enumerate

Below is a sample of the scan output:

[+] URL: http://www.zjjv.com/
[+] Started: Tue Oct 28 15:46:30 2014

[!] The WordPress 'http://www.zjjv.com/readme.html' file exists
[+] XML-RPC Interface available under: http://www.zjjv.com/xmlrpc.php
[!] Upload directory has directory listing enabled: http://www.zjjv.com/wp-content/uploads/

[+] WordPress version 4.0 identified from meta generator

[+] WordPress theme in use: twentyfourteen - v1.2

[+] Name: twentyfourteen - v1.2
| Location: http://www.zjjv.com/wp-content/themes/twentyfourteen/
| Style URL: http://www.zjjv.com/wp-content/themes/twentyfourteen/style.css
| Referenced style.css: http://www.zjjv.com/wp-content/themes/twentyfourteen/style.css
| Theme Name: Twenty Fourteen
| Theme URI: http://www.zjjv.com/themes/twentyfourteen
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
| Author: the WordPress team
| Author URI: http://www.zjjv.com/

[+] Enumerating installed plugins (only vulnerable ones) ...

Time: 00:00:37 <==============================================> (880 / 880) 100.00% Time: 00:00:37

[+] No plugins found

[+] Enumerating installed themes (only vulnerable ones) ...

Time: 00:00:16 <==============================================> (308 / 308) 100.00% Time: 00:00:16

[+] No themes found

[+] Enumerating timthumb files ...

Time: 00:01:48 <============================================> (2539 / 2539) 100.00% Time: 00:01:48

[+] No timthumb files found

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+---------+---------+
| Id | Login | Name |
+----+---------+---------+
| 1 | tanjiti | tanjiti |
+----+---------+---------+

[+] Finished: Tue Oct 28 15:49:34 2014

To view the detailed probe information:

ruby wpscan.rb --url http://www.zjjv.com/ --debug-output --random-agent >debug.log

(Note: wpscan's default User-Agent is WPScan v2.5.1 (http://www.zjjv.com/); one of the basics of using a scanner is to use a normal, varying UA so as not to trigger a WAF or similar defensive deployment.)

Just by reading the log we can see how wpscan collects its information. For example, it:

checks the response header X-Pingback: http://www.zjjv.com/xmlrpc.php (xmlrpc vulnerability)

checks xmlrpc.php (xmlrpc vulnerability)

checks the robots.txt file (sensitive information disclosure)

checks the readme.html file (sensitive information disclosure)

checks /wp-content/debug.log (sensitive information disclosure)

checks for config file backups (if the config file can be read in plain text, you are basically done for): wp-config.php.swo, %23wp-config.php%23, wp-config.orig, wp-config.php_bak, wp-config.original, wp-config.php.orig, wp-config.php.old, .wp-config.php.swp, wp-config.php.save, wp-config.bak, wp-config.txt, wp-config.php~, wp-config.save, wp-config.old, wp-config.php.swp (sensitive information disclosure)

Once the fingerprint is identified, the attacker will generally go to a vulnerability database to look for exploitable vulnerabilities, for example MSF (Metasploit).
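To turn the list of probes above into something a defender can act on, here is an added Python example (not code from the original post or from wpscan) that parses combined-format access log lines, flags requests for the paths wpscan tries, and reports both the client IPs that look like scanners and the sensitive paths the server actually served. The log lines, IP addresses and User-Agent strings are constructed for the example; the path list is taken from the post, and robots.txt is deliberately left out because every legitimate crawler requests it.

```python
import re
from collections import defaultdict

# Probe targets taken from the post: the files wpscan requests while gathering
# information, and the wp-config.php backup names it tries.
WP_CONFIG_BACKUPS = [
    "wp-config.php.swo", "%23wp-config.php%23", "wp-config.orig",
    "wp-config.php_bak", "wp-config.original", "wp-config.php.orig",
    "wp-config.php.old", ".wp-config.php.swp", "wp-config.php.save",
    "wp-config.bak", "wp-config.txt", "wp-config.php~", "wp-config.save",
    "wp-config.old", "wp-config.php.swp",
]

# robots.txt is intentionally absent: every legitimate crawler fetches it,
# so matching it would only add noise.
SENSITIVE_PATHS = {
    "/readme.html": "readme.html (version disclosure)",
    "/xmlrpc.php": "xmlrpc.php interface",
    "/wp-content/debug.log": "wp-content/debug.log",
    "/wp-content/uploads/": "wp-content/uploads/ (directory listing if 200)",
}
for _name in WP_CONFIG_BACKUPS:
    SENSITIVE_PATHS["/" + _name] = "wp-config backup " + _name

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of findings for one parsed request."""
    findings = []
    path = entry["path"].split("?", 1)[0]
    if entry["ua"].startswith("WPScan"):
        findings.append("default WPScan User-Agent")
    label = SENSITIVE_PATHS.get(path)
    if label is not None:
        # 200 means the probe found the file. WordPress answers GET on xmlrpc.php
        # with 405 while still accepting POST, so 405 there means it is reachable too.
        reachable = entry["status"] == 200 or (path == "/xmlrpc.php" and entry["status"] == 405)
        findings.append(("EXPOSED " if reachable else "probed ") + label)
    return findings


def scan_log(lines, probe_threshold=3):
    """Summarise a log: which client IPs look like scanners, and which sensitive
    paths the server actually served (the ones to fix on the server side)."""
    per_ip = defaultdict(list)
    exposed = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for finding in classify(entry):
            per_ip[entry["ip"]].append(finding)
            if finding.startswith("EXPOSED "):
                exposed.add(finding[len("EXPOSED "):])
    scanners = {ip for ip, f in per_ip.items()
                if len(f) >= probe_threshold or "default WPScan User-Agent" in f}
    return {"scanners": scanners, "exposed": exposed, "per_ip": dict(per_ip)}


# Constructed sample log (RFC 5737 addresses, made-up timestamps), not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2014:15:46:30 +0800] "GET /readme.html HTTP/1.1" 200 7413 "-" "WPScan v2.5.1 (http://wpscan.org)"
203.0.113.7 - - [28/Oct/2014:15:46:31 +0800] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "WPScan v2.5.1 (http://wpscan.org)"
203.0.113.7 - - [28/Oct/2014:15:46:32 +0800] "GET /wp-config.php~ HTTP/1.1" 404 209 "-" "WPScan v2.5.1 (http://wpscan.org)"
203.0.113.9 - - [28/Oct/2014:15:50:01 +0800] "GET /wp-content/debug.log HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
203.0.113.9 - - [28/Oct/2014:15:50:02 +0800] "GET /wp-content/uploads/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
203.0.113.9 - - [28/Oct/2014:15:50:03 +0800] "GET /wp-config.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
198.51.100.4 - - [28/Oct/2014:16:02:10 +0800] "GET /wp-content/uploads/2014/10/photo.jpg HTTP/1.1" 200 58211 "http://www.zjjv.com/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0"
"""

if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG.splitlines())
    print("scanner IPs:", sorted(report["scanners"]))
    print("served sensitive paths:", sorted(report["exposed"]))
    for ip, findings in report["per_ip"].items():
        print(ip, "->", findings)
```

The "EXPOSED" entries are the server-side fixes to make (remove readme.html, turn off directory listing on uploads, delete config backups); the scanner IPs are what a WAF or fail2ban-style rule would act on. A scan run with --random-agent carries no WPScan User-Agent, which is why the second client in the sample is caught by its probe count rather than by its UA.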


Contents

Page 1: WordPress fingerprinting and vulnerability checking tool
Page 2: MSF WordPress exploitation
Page 3: WordPress protection
Page 4: Blocking access to sensitive information

