A geek sitting 1.5m away from me introduced me to wpscan, so I'm going to give it a try.
What is wpscan?
wpscan is a really handy tool that runs a security scan of the WordPress install at a URL you give it and writes up a report.
Let's install it.
Fetch wpscan (I have ghq installed, so this time I'll pull the source with ghq).
```console
# ghq get git@github.com:wpscanteam/wpscan.git
clone ssh://git@github.com/wpscanteam/wpscan.git -> /Users/hoge/src/github.com/wpscanteam/wpscan
git clone ssh://git@github.com/wpscanteam/wpscan.git /Users/hoge/src/github.com/wpscanteam/wpscan
Cloning into '/Users/hoge/src/github.com/wpscanteam/wpscan'...
remote: Counting objects: 14295, done.
remote: Total 14295 (delta 0), reused 0 (delta 0), pack-reused 14295
Receiving objects: 100% (14295/14295), 11.28 MiB | 1.80 MiB/s, done.
Resolving deltas: 100% (8415/8415), done.
Checking connectivity... done.
# cd /Users/hoge/src/github.com/wpscanteam/wpscan
```

When I tried to run it, it told me "ruby 2.2.1 is not installed".
```console
# ruby wpscan.rb --url example.com
rbenv: version `2.2.1' is not installed
```

The Ruby version was pinned in the source, so I installed ruby-2.2.1 (I reinstalled it with rbenv).
```console
# more .ruby-version
2.2.1
```

Run bundle install:

```console
# cd /Users/hoge/src/github.com/wpscanteam/wpscan
# bundle install
Fetching gem metadata from https://rubygems.org/.........
Fetching version metadata from https://rubygems.org/..
Resolving dependencies...
Using addressable 2.3.8
Installing safe_yaml 1.0.4
Installing crack 0.4.2
Installing diff-lcs 1.2.5
Installing docile 1.1.5
Using ffi 1.9.8
Using ethon 0.7.3
Installing json 1.8.2
Using mini_portile 0.6.2
Installing multi_json 1.11.0
Using nokogiri 1.6.6.2
Installing rspec-support 3.2.2
Installing rspec-core 3.2.3
Installing rspec-expectations 3.2.1
Installing rspec-mocks 3.2.1
Installing rspec 3.2.0
Installing rspec-its 1.2.0
Installing ruby-progressbar 1.7.5
Installing simplecov-html 0.9.0
Installing simplecov 0.9.2
Installing terminal-table 1.4.5
Using typhoeus 0.7.1
Installing webmock 1.21.0
Using bundler 1.9.4
Bundle complete! 10 Gemfile dependencies, 24 gems now installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.
```

Let's run it.
```console
# ./wpscan.rb --url example.com
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.7
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://example.com/
[+] Started: Wed Apr 15 20:25:24 2015
[+] robots.txt available under: 'http://example.com/robots.txt'
[+] Interesting entry from robots.txt: http://example.com/cgi-bin
[+] Interesting entry from robots.txt: http://example.com/wp-admin
[+] Interesting entry from robots.txt: http://example.com/wp-includes
[+] Interesting entry from robots.txt: http://example.com/wp-content/plugins
[+] Interesting entry from robots.txt: http://example.com/plugins
[+] Interesting entry from robots.txt: http://example.com/wp-content/cache
[+] Interesting entry from robots.txt: http://example.com/wp-content/themes
[+] Interesting entry from robots.txt: http://example.com/trackback
[+] Interesting entry from robots.txt: http://example.com/feed
[+] Interesting entry from robots.txt: http://example.com/comments
[+] Interesting entry from robots.txt: http://example.com/category/*/*
[+] Interesting entry from robots.txt: */trackback
[+] Interesting entry from robots.txt: */feed
[+] Interesting entry from robots.txt: */comments
[+] Interesting entry from robots.txt: /*?*
[+] Interesting entry from robots.txt: /*?
[+] Interesting entry from robots.txt: http://example.com/wp-content/uploads
[+] Interesting entry from robots.txt: http://example.com/assets
[!] The WordPress 'http://example.com/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in: 'http://example.com/wp-includes/rss-functions.php'
[+] Interesting header: LINK: <http://wp.me/P4CGK6-x4>; rel=shortlink
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://example.com/xmlrpc.php
[+] WordPress version 4.1.1 identified from stylesheets numbers
[+] WordPress theme in use: nexus - v1.2.1
[+] Name: nexus - v1.2.1
| Location: http://example.com/wp-content/themes/nexus/
| Style URL: http://example.com/wp-content/themes/nexus/style.css
| Referenced style.css: http://example.com/wp-content/themes/nexus//style.css
| Theme Name: Nexus
| Theme URI: http://projectgen.com/next
| Description: Responsive Business / Portfolio theme
| Author: Adaptive Themes
| Author URI: http://themeforest.net/user/adaptivethemes
[+] Enumerating plugins from passive detection ...
| 8 plugins found:
[+] Name: author-avatars - v1.8.4.1
| Location: http://example.com/wp-content/plugins/author-avatars/
| Readme: http://example.com/wp-content/plugins/author-avatars/readme.txt
[+] Name: bbpress - v2.5.4
| Location: http://example.com/wp-content/plugins/bbpress/
| Readme: http://example.com/wp-content/plugins/bbpress/readme.txt
[!] Title: BBPress - Multiple Script Malformed Input Path Disclosure
Reference: https://wpvulndb.com/vulnerabilities/6149
Reference: http://xforce.iss.net/xforce/xfdb/78244
Reference: http://packetstormsecurity.com/files/116123/
Reference: http://osvdb.org/86399
Reference: http://www.exploit-db.com/exploits/22396/
[!] Title: BBPress - forum.php page Parameter SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/6150
Reference: http://xforce.iss.net/xforce/xfdb/78244
Reference: http://packetstormsecurity.com/files/116123/
Reference: http://osvdb.org/86400
Reference: http://www.exploit-db.com/exploits/22396/
[+] Name: contact-form-7 - v3.9.1
| Location: http://example.com/wp-content/plugins/contact-form-7/
| Readme: http://example.com/wp-content/plugins/contact-form-7/readme.txt
[+] Name: jetpack - v3.1
| Location: http://example.com/wp-content/plugins/jetpack/
| Readme: http://example.com/wp-content/plugins/jetpack/readme.txt
[+] Name: revslider
| Location: http://example.com/wp-content/plugins/revslider/
[+] We could not determine a version so all vulnerabilities are printed out
[!] Title: WordPress Slider Revolution Vulnerability
Reference: https://wpvulndb.com/vulnerabilities/7540
Reference: http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
Reference: http://marketblog.envato.com/general/affected-themes/
Reference: http://packetstormsecurity.com/files/129761/
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1579
Reference: http://osvdb.org/109645
Reference: http://www.exploit-db.com/exploits/34511/
Reference: http://www.exploit-db.com/exploits/35385/
Reference: http://www.exploit-db.com/exploits/36039/
[i] Fixed in: 4.1.5
[+] Name: user-access-manager - v1.2.5.0
| Location: http://example.com/wp-content/plugins/user-access-manager/
| Readme: http://example.com/wp-content/plugins/user-access-manager/readme.txt
[+] Name: whats-new-genarator - v1.10.0
| Location: http://example.com/wp-content/plugins/whats-new-genarator/
| Readme: http://example.com/wp-content/plugins/whats-new-genarator/readme.txt
[+] Name: wp-members - v2.9.5
| Location: http://example.com/wp-content/plugins/wp-members/
| Readme: http://example.com/wp-content/plugins/wp-members/readme.txt
[+] Finished: Wed Apr 15 20:26:01 2015
[+] Requests Done: 146
[+] Memory used: 30.051 MB
[+] Elapsed time: 00:00:36
```
It worked. It detected multiple vulnerabilities, including the WordPress Slider Revolution one. What's more, the report is thorough: every vulnerability comes with its reference links.
There seem to be plenty of other options too, but I'll leave those for another time.
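As an added example that is not from the post or from wpscan itself: a small Ruby script that parses the plain-text report wpscan 2.x prints (the format shown in the run above) into a hash and triages each plugin finding. The sample report is a trimmed copy of the output above, constructed here; the hash keys and the status names are my own choice, not a wpscan API.

```ruby
# Added example (my own code, not part of the blog post or of wpscan itself):
# a parser for the plain-text report that wpscan 2.x prints, so a defender can
# triage findings or diff two scans of the same site. The hash keys used here
# (:plugins, :vulns, :fixed_in, ...) are my own naming, not a wpscan API.

# Constructed sample: a trimmed copy of the report shown in the post.
SAMPLE_REPORT = <<~REPORT
  [+] URL: http://example.com/
  [!] The WordPress 'http://example.com/readme.html' file exists exposing a version number
  [+] WordPress version 4.1.1 identified from stylesheets numbers
  [+] WordPress theme in use: nexus - v1.2.1
  [+] Name: nexus - v1.2.1
  | Location: http://example.com/wp-content/themes/nexus/
  [+] Enumerating plugins from passive detection ...
  | 4 plugins found:
  [+] Name: bbpress - v2.5.4
  | Location: http://example.com/wp-content/plugins/bbpress/
  [!] Title: BBPress - forum.php page Parameter SQL Injection
  Reference: https://wpvulndb.com/vulnerabilities/6150
  Reference: http://osvdb.org/86400
  [+] Name: contact-form-7 - v3.9.1
  | Location: http://example.com/wp-content/plugins/contact-form-7/
  [+] Name: revslider
  | Location: http://example.com/wp-content/plugins/revslider/
  [+] We could not determine a version so all vulnerabilities are printed out
  [!] Title: WordPress Slider Revolution Vulnerability
  Reference: https://wpvulndb.com/vulnerabilities/7540
  Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1579
  [i] Fixed in: 4.1.5
  [+] Name: wp-members - v2.9.5
  | Location: http://example.com/wp-content/plugins/wp-members/
  [+] Requests Done: 146
REPORT

# Turn the report into { wp_version:, theme:, warnings:, plugins: [...] }.
def parse_wpscan(text)
  report = { wp_version: nil, theme: nil, warnings: [], plugins: [] }
  in_plugins = false   # "Name:" entries before the plugin section describe the theme
  component = nil      # theme or plugin currently being described
  vuln = nil           # vulnerability currently collecting "Reference:" lines
  text.each_line do |raw|
    line = raw.strip
    case line
    when /\A\[\+\] WordPress version (\S+)/
      report[:wp_version] = $1
    when /\A\[\+\] Enumerating plugins/
      in_plugins = true
    when /\A\[\+\] Name: (\S+)(?: - v(\S+))?\z/
      # A bare "Name: foo" means wpscan could not fingerprint the version.
      component = { name: $1, version: $2, version_known: !$2.nil?, vulns: [] }
      vuln = nil
      if in_plugins
        report[:plugins] << component
      else
        report[:theme] = component
      end
    when /\A\[!\] Title: (.+)\z/
      vuln = { title: $1, references: [], fixed_in: nil }
      component[:vulns] << vuln if component
    when /\AReference: (\S+)/
      vuln[:references] << $1 if vuln
    when /\A\[i\] Fixed in: (\S+)/
      vuln[:fixed_in] = $1 if vuln
    when /\A\[!\] (.+)\z/
      report[:warnings] << $1   # site-level issues such as readme.html or FPD
    end
  end
  report
end

# Triage: a finding is :confirmed when the detected version is below the
# fixed version, :fixed when it is not, and :unverified when wpscan could not
# determine the version (it then prints every known issue) or no fix version
# is listed. Unverified entries still need a manual look at the plugin.
def triage(report)
  report[:plugins].flat_map do |plugin|
    plugin[:vulns].map do |v|
      status =
        if !plugin[:version_known]
          :unverified_version_unknown
        elsif v[:fixed_in].nil?
          :unverified_no_fix_version
        elsif Gem::Version.new(plugin[:version]) < Gem::Version.new(v[:fixed_in])
          :confirmed
        else
          :fixed
        end
      { plugin: plugin[:name], title: v[:title], status: status, refs: v[:references] }
    end
  end
end

if __FILE__ == $0
  triage(parse_wpscan(SAMPLE_REPORT)).each do |f|
    puts "#{f[:status]}\t#{f[:plugin]}\t#{f[:title]}"
  end
end
```

The interesting case is revslider: wpscan could not fingerprint a version, so it prints every known issue, and the script marks those as unverified rather than confirmed, since comparing "Fixed in: 4.1.5" against an unknown version would be meaningless. Anything :confirmed is a patch-now item; :unverified means check the installed plugin version by hand before deciding.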