Which theme is that? WPScan

You see a good site and want to know which theme it uses or which plugins are installed. For a quick look, sites such as WordPress Theme Search, WPThemeDoctor and WhatTheme help.

If you want to run your WordPress installation carefully, or support your service provider in doing so, you have a vulnerability scanner such as WPScan installed and in regular use. Checking a plugin or theme with WPScan is more effective, because it also shows the security problems you could have with that plugin or theme.

Using the web tools named above, you identify the theme or plugin in question, install it in your test environment, and then check it with WPScan.

WPScan

WPScan runs wherever Ruby runs; more on the project page. Anyone who does further security testing may want the Linux distribution Kali Linux¹, where WPScan is already installed.

Scanning a website

ruby wpscan.rb --url http://test.jens-falk.de

It then looks like this:

_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://test.jens-falk.de/
[+] Started: Fri Sep 22 20:20:15 2017

[+] robots.txt available under: 'http://test.jens-falk.de/robots.txt'
[!] The WordPress 'http://test.jens-falk.de/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in 'http://test.jens-falk.de/wp-includes/rss-functions.php':
[+] Interesting header: LINK: <http://test.jens-falk.de/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.25
[+] Interesting header: X-CACHE: MISS from falkproxy
[+] Interesting header: X-CACHE-LOOKUP: HIT from falkproxy:800
[+] Interesting header: X-POWERED-BY: PHP/5.6.28
[+] XML-RPC Interface available under: http://test.jens-falk.de/xmlrpc.php
[+] WordPress version 4.8.2 (Released on 2017-09-19) identified from meta generator, links opml
[+] WordPress theme in use: advanced-twenty-seventeen-child - v1.0

[+] Name: advanced-twenty-seventeen-child - v1.0
 |  Location: http://test.jens-falk.de/wp-content/themes/advanced-twenty-seventeen-child/
 |  Style URL: http://test.jens-falk.de/wp-content/themes/advanced-twenty-seventeen-child/style.css
 |  Theme Name: Advanced Twenty Seventeen Child
 |  Theme URI: http://saturnsolutions.com
 |  Description: Twenty Seventeen brings your site to life with immersive featured images and subtle animations. W...
 |  Author: SaturnSolutions
 |  Author URI: http://saturnsolutions.com/

[+] Detected parent theme: twentyseventeen - v1.3

[+] Name: twentyseventeen - v1.3
 |  Latest version: 1.3 (up to date)
 |  Last updated: 2017-06-08T00:00:00.000Z
 |  Location: http://test.jens-falk.de/wp-content/themes/twentyseventeen/
 |  Readme: http://test.jens-falk.de/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://test.jens-falk.de/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
 | 1 plugin found:

[+] Name: advanced-twenty-seventeen - v1.3.1
 |  Latest version: 1.3.1 (up to date)
 |  Last updated: 2017-02-27T05:49:00.000Z
 |  Location: http://test.jens-falk.de/wp-content/plugins/advanced-twenty-seventeen/
 |  Readme: http://test.jens-falk.de/wp-content/plugins/advanced-twenty-seventeen/readme.txt

Finding usernames

The command is:

ruby wpscan.rb --url http://test.jens-falk.de --enumerate u

or, for a site with many users:

ruby wpscan.rb --url http://deinewebseite.de --enumerate u[10-20]

The result

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+--------+----------+
    | Id | Login  | Name     |
    +----+--------+----------+
    | 1  | tester | Tester – |
    +----+--------+----------+

Checking password security

It now makes good sense to check whether an attacker could log in:

ruby wpscan.rb --url http://deineseite.de --wordlist passwoerter.txt

The result

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+--------+----------+
    | Id | Login  | Name     |
    +----+--------+----------+
    | 1  | tester | Tester – |
    +----+--------+----------+

[+] Starting the password brute forcer
  Brute Forcing 'tester' Time: 00:00:00 <=====================================================================================> (1 / 1) 100.00% Time: 00:00:00
  [+] [SUCCESS] Login : tester Password : geheim

  +----+--------+----------+--------------------------+
  | Id | Login  | Name     | Password                 |
  +----+--------+----------+--------------------------+
  | 1  | tester | Tester – | geheim                   |
  +----+--------+----------+--------------------------+

Files full of passwords are easy to find (Google "password list txt"). Many users use the same password for every website. They do not realise that after a break-in, passwords are read out and stored in such lists.
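The defender's counterpart to the wordlist run above is to check a password before it is ever set on an account. The following Ruby script is an added example, not part of the original post and not WPScan code: it flags a candidate password that is too short, that appears in a leaked-password list, that is a leaked password with the usual digits or symbols appended, or that contains the login name. The wordlist in the script is constructed for the example; in practice you would load a real leaked-password list.

```ruby
# Added example, not part of the original post: a pre-flight check a site
# owner can run on a password before setting it for a WordPress account. It
# flags what a wordlist run like the one above would find, including the
# trivial variants (capitalisation, digits or symbols appended) that leaked
# lists are typically padded with. The wordlist below is constructed for this
# example; in practice load a real leaked-password list instead.
require 'set'

MIN_LENGTH = 12
LEAKED_PASSWORDS = Set.new(%w[geheim password 123456 qwertz wordpress admin letmein]) # constructed

# Reduce a password to the base word an attacker's list would contain:
# lower-case it and strip a trailing run of digits and punctuation.
def base_word(password)
  password.downcase.sub(/[\d[:punct:]]+\z/, '')
end

# Return the reasons the password should not be used; an empty list means fine.
def password_problems(login, password, leaked = LEAKED_PASSWORDS)
  problems = []
  lower = password.downcase
  base = base_word(password)

  problems << "shorter than #{MIN_LENGTH} characters" if password.length < MIN_LENGTH
  if leaked.include?(lower)
    problems << "appears in the leaked-password list"
  elsif base != lower && leaked.include?(base)
    problems << "is the leaked password '#{base}' with a suffix appended"
  end
  if login.length >= 3 && base.include?(login.downcase)
    problems << "contains the login name '#{login}'"
  end
  problems
end

def acceptable?(login, password, leaked = LEAKED_PASSWORDS)
  password_problems(login, password, leaked).empty?
end

if __FILE__ == $PROGRAM_NAME
  [%w[tester geheim], %w[tester Geheim2017!], ['tester', 'correct horse battery staple']].each do |login, pw|
    puts "#{login} / #{pw}: #{password_problems(login, pw).inspect}"
  end
end
```

The suffix check is what makes this more than a plain lookup: "geheim" alone is rejected, but so is "Geheim2017!", which is exactly the kind of variant that appears in padded wordlists.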

Finding vulnerabilities in the theme

ruby wpscan.rb --url http://deineseite.de --enumerate vt

Finding vulnerabilities in plugins

ruby wpscan.rb --url http://deineseite.de --enumerate vp

The result

[+] URL: https://meine-verwundbaren-wp-plugins.de/
[+] Started: Fri Sep 22 20:29:41 2017

[+] robots.txt available under: 'https://meine-verwundbaren-wp-plugins.de/robots.txt'
[+] Interesting entry from robots.txt: Sitemap: http://meine-verwundbaren-wp-plugins.de/?feed=google_news_sitemap
[!] The WordPress 'https://meine-verwundbaren-wp-plugins.de/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: nginx
[+] Interesting header: X-CACHE-ENGINE: WP-FFPC with memcached via PHP
[+] Interesting header: X-POWERED-BY: PHP/5.4.45-1~dotdeb+7.1
[+] This site has 'Must Use Plugins' (http://codex.wordpress.org/Must_Use_Plugins)
[+] XML-RPC Interface available under: https://meine-verwundbaren-wp-plugins.de/xmlrpc.php
[+] WordPress version 4.7 (Released on 2016-12-06) identified from readme
[!] 27 vulnerabilities identified from the version number

[!] Title: WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
    Reference: https://wpvulndb.com/vulnerabilities/8714
    Reference: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/
    Reference: https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491
    Reference: http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
    Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_phpmailer_host_header
[i] Fixed in: 4.7.1

[!] Title: WordPress 4.7 - User Information Disclosure via REST API
    Reference: https://wpvulndb.com/vulnerabilities/8715
    Reference: https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/
    Reference: https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5487
[i] Fixed in: 4.7.1

[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
    Reference: https://wpvulndb.com/vulnerabilities/8716
    Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
[i] Fixed in: 4.7.1

[!] Title: WordPress <= 4.7 - Cross-Site Request Forgery (CSRF) via Flash Upload
    Reference: https://wpvulndb.com/vulnerabilities/8717
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5489
[i] Fixed in: 4.7.1

[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
    Reference: https://wpvulndb.com/vulnerabilities/8718
    Reference: https://www.mehmetince.net/low-severity-wordpress/
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
[i] Fixed in: 4.7.1

[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
    Reference: https://wpvulndb.com/vulnerabilities/8719
    Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.7.1

[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
    Reference: https://wpvulndb.com/vulnerabilities/8720
    Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
[i] Fixed in: 4.7.1

[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    Reference: https://wpvulndb.com/vulnerabilities/8721
    Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
[i] Fixed in: 4.7.1

[!] Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
    Reference: https://wpvulndb.com/vulnerabilities/8729
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5610
[i] Fixed in: 4.7.2

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
    Reference: https://wpvulndb.com/vulnerabilities/8731
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
    Reference: https://wpvulndb.com/vulnerabilities/8734
    Reference: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
    Reference: https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html
    Reference: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
    Reference: https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7
    Reference: https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_content_injection
[i] Fixed in: 4.7.2

[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
    Reference: https://wpvulndb.com/vulnerabilities/8765
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
    Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
    Reference: http://seclists.org/oss-sec/2017/q1/563
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
[i] Fixed in: 4.7.3

[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
    Reference: https://wpvulndb.com/vulnerabilities/8766
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
[i] Fixed in: 4.7.3

[!] Title: WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete
    Reference: https://wpvulndb.com/vulnerabilities/8767
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6816
[i] Fixed in: 4.7.3

[!] Title: WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
    Reference: https://wpvulndb.com/vulnerabilities/8768
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
    Reference: https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6817
[i] Fixed in: 4.7.3

[!] Title: WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names
    Reference: https://wpvulndb.com/vulnerabilities/8769
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6818
[i] Fixed in: 4.7.3

[!] Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
    Reference: https://wpvulndb.com/vulnerabilities/8770
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
    Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
    Reference: http://seclists.org/oss-sec/2017/q1/562
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
[i] Fixed in: 4.7.3

[!] Title: WordPress 2.3-4.7.5 - Host Header Injection in Password Reset
    Reference: https://wpvulndb.com/vulnerabilities/8807
    Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
    Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295

[!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
    Reference: https://wpvulndb.com/vulnerabilities/8815
    Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
[i] Fixed in: 4.7.5

[!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
    Reference: https://wpvulndb.com/vulnerabilities/8816
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
[i] Fixed in: 4.7.5

[!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
    Reference: https://wpvulndb.com/vulnerabilities/8817
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
[i] Fixed in: 4.7.5

[!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8818
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
    Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
[i] Fixed in: 4.7.5

[!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
    Reference: https://wpvulndb.com/vulnerabilities/8819
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
    Reference: https://hackerone.com/reports/203515
    Reference: https://hackerone.com/reports/203515
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
[i] Fixed in: 4.7.5

[!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8820
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    Reference: https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
[i] Fixed in: 4.7.5

[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8905
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
    Reference: https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
[i] Fixed in: 4.8.2

[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
    Reference: https://wpvulndb.com/vulnerabilities/8906
    Reference: https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
    Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
    Reference: https://wpvulndb.com/vulnerabilities/8905
[i] Fixed in: 4.7.5
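A report like the one above is long, and what the site owner actually needs from it is short: which core version to update to, which findings have no fix yet, which theme or plugin is behind, and which exposures (readme.html, full path disclosure) are still there. The Ruby script below is an added example, not part of the original post and not WPScan's own code: it parses the plain-text report format that WPScan 2.x prints (as shown in the outputs above) into those few facts, so that a scheduled scan of your own installation can be reduced to a summary that is easy to compare from run to run. The embedded report is constructed in that format; the host example.test and the plugin name are placeholders, and only the two wpvulndb references from the post are reused.

```ruby
# Added example, not part of the original post and not WPScan's own code:
# a parser for the plain-text report that WPScan 2.x prints, reducing a scan
# of your own site to the handful of facts worth acting on. The report below
# is constructed in the format shown in the post; the host example.test and
# the plugin name are placeholders.

SAMPLE_REPORT = <<~'REPORT'
  [+] URL: http://example.test/
  [!] The WordPress 'http://example.test/readme.html' file exists exposing a version number
  [+] XML-RPC Interface available under: http://example.test/xmlrpc.php
  [+] WordPress version 4.7 (Released on 2016-12-06) identified from readme
  [!] 2 vulnerabilities identified from the version number

  [!] Title: WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
      Reference: https://wpvulndb.com/vulnerabilities/8714
  [i] Fixed in: 4.7.1

  [!] Title: WordPress 2.3-4.7.5 - Host Header Injection in Password Reset
      Reference: https://wpvulndb.com/vulnerabilities/8807

  [+] WordPress theme in use: twentyseventeen - v1.2

  [+] Name: twentyseventeen - v1.2
   |  Latest version: 1.3
   |  Location: http://example.test/wp-content/themes/twentyseventeen/

  [+] Enumerating plugins from passive detection ...
   | 1 plugin found:

  [+] Name: example-plugin - v1.0.0
   |  Latest version: 1.0.0 (up to date)
   |  Location: http://example.test/wp-content/plugins/example-plugin/
REPORT

Finding = Struct.new(:title, :fixed_in, :references)

Component = Struct.new(:kind, :name, :version, :latest) do
  # Compare installed and latest version; unknown or malformed versions count as current.
  def outdated?
    return false unless latest && Gem::Version.correct?(version) && Gem::Version.correct?(latest)
    Gem::Version.new(version) < Gem::Version.new(latest)
  end
end

# Walk the report line by line. Each finding is a "[!] Title:" block followed by
# its references and, when a fix exists, an "[i] Fixed in:" line. Theme and plugin
# blocks both start with "[+] Name:"; everything after the "Enumerating plugins"
# header is treated as a plugin.
def parse_wpscan_report(text)
  report = { wordpress_version: nil, warnings: [], vulnerabilities: [], components: [] }
  finding = nil
  component = nil
  kind = :theme

  text.each_line do |raw|
    line = raw.strip
    case line
    when /\A\[\+\] WordPress version (\S+)/
      report[:wordpress_version] = $1
    when /\A\[\+\] Enumerating plugins/
      kind = :plugin
    when /\A\[\+\] Name: (\S+) - v(\S+)/
      component = Component.new(kind, $1, $2, nil)
      report[:components] << component
    when /\A\|\s+Latest version: (\S+)/
      component.latest = $1 if component
    when /\A\[!\] Title: (.+)\z/
      finding = Finding.new($1, nil, [])
      report[:vulnerabilities] << finding
    when /\AReference: (\S+)/
      finding.references << $1 if finding
    when /\A\[i\] Fixed in: (\S+)/
      finding.fixed_in = $1 if finding
    when /\A\[!\] \d+ vulnerabilit/
      # the count is derived from the Title blocks instead
    when /\A\[!\] (.+)\z/
      report[:warnings] << $1 # exposure warnings such as readme.html or FPD
    end
  end
  report
end

# Condense the parsed report into what the site owner has to act on.
def summarize(report)
  fixes = report[:vulnerabilities].map(&:fixed_in).compact
  {
    wordpress_version: report[:wordpress_version],
    vulnerability_count: report[:vulnerabilities].size,
    update_core_to: fixes.max_by { |v| Gem::Version.new(v) },
    unfixed: report[:vulnerabilities].select { |v| v.fixed_in.nil? }.map(&:title),
    outdated_components: report[:components].select(&:outdated?)
                                            .map { |c| "#{c.kind} #{c.name} #{c.version} -> #{c.latest}" },
    warnings: report[:warnings]
  }
end

if __FILE__ == $PROGRAM_NAME
  summarize(parse_wpscan_report(SAMPLE_REPORT)).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Feeding a real scan in is a matter of piping `ruby wpscan.rb --url ... --enumerate vp,vt` into a file and reading that file instead of SAMPLE_REPORT. The "unfixed" list is the one to watch: a finding without a "Fixed in" line, like the password-reset host header issue here, cannot be closed by an update and needs a configuration change or a workaround instead.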

These scripts are certainly also used by people who want to gain access to the content management system. That is exactly why WPScan should check your own WordPress installation regularly.

  1. Kali Linux contains software tools, some of which circumvent security measures and which, under § 202c StGB, the so-called "hacker paragraph" that came into force at the end of May 2007, are regarded in Germany as computer programs for spying on data. Because of this legal situation, mere possession or distribution can already be a criminal offence if there is an intent to use them unlawfully under § 202a StGB (spying on data) or § 202b StGB (interception of data). Quoted from the page "Kali Linux", section "Rechtliches". In: Wikipedia, Die freie Enzyklopädie. Revision: 4 August 2017, 20:02 UTC. URL: https://de.wikipedia.org/w/index.php?title=Kali_Linux&oldid=167875818 (retrieved: 22 September 2017, 09:59 UTC)