Man sieht eine gute Seite und will wissen, welches Theme genutzt wird oder welche Plugins installiert sind. Für den schnellen Blick helfen Seiten wie: WordPress Theme Search, WPThemeDoctor und WhatTheme.
Wenn man sorgfältig sein WordPress betreiben möchte oder seinen Dienstleister unterstützen will, hat man einen Schwachstellen-Scanner wie zum Bsp. WPScan installiert und im regelmäßigen Einsatz. Mit WPScan ist ein Scan nach Plugin und Theme effektiver, denn er zeigt Sicherheitsprobleme, die man mit den Plugin oder dem Theme haben könnte, gleich mit an.
Mit den o.g. Web-Tools läßt man sich das entsprechende Theme oder Plugin anzeigen, installiert es in seine Testumgebung und prüft dann mit WPScan.
WPScan
WPScan läuft da, wo Ruby läuft, weiterhin auf der Projektseite. Wer weitere Sicherheitstest macht, dem sei die Linux-Distribution Kali Linux[1]Kali Linux enthält Softwaretools, die zum Teil Sicherheitsvorkehrungen umgehen und die nach § 202c StGB, dem Ende Mai 2007 in Kraft getretenen sogenannten Hackerparagrafen, in Deutschland als … Continue reading empfohlen, hier ist WPScan bereits installiert.
Web-Seite scannen
ruby wpscan.rb --url http://test.jens-falk.de
Das sieht dann so aus:
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://test.jens-falk.de/
[+] Started: Fri Sep 22 20:20:15 2017
[+] robots.txt available under: 'http://test.jens-falk.de/robots.txt'
[!] The WordPress 'http://test.jens-falk.de/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in 'http://test.jens-falk.de/wp-includes/rss-functions.php':
[+] Interesting header: LINK: <http://test.jens-falk.de/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.25
[+] Interesting header: X-CACHE: MISS from falkproxy
[+] Interesting header: X-CACHE-LOOKUP: HIT from falkproxy:800
[+] Interesting header: X-POWERED-BY: PHP/5.6.28
[+] XML-RPC Interface available under: http://test.jens-falk.de/xmlrpc.php
[+] WordPress version 4.8.2 (Released on 2017-09-19) identified from meta generator, links opml
[+] WordPress theme in use: advanced-twenty-seventeen-child - v1.0
[+] Name: advanced-twenty-seventeen-child - v1.0
| Location: http://test.jens-falk.de/wp-content/themes/advanced-twenty-seventeen-child/
| Style URL: http://test.jens-falk.de/wp-content/themes/advanced-twenty-seventeen-child/style.css
| Theme Name: Advanced Twenty Seventeen Child
| Theme URI: http://saturnsolutions.com
| Description: Twenty Seventeen brings your site to life with immersive featured images and subtle animations. W...
| Author: SaturnSolutions
| Author URI: http://saturnsolutions.com/
[+] Detected parent theme: twentyseventeen - v1.3
[+] Name: twentyseventeen - v1.3
| Latest version: 1.3 (up to date)
| Last updated: 2017-06-08T00:00:00.000Z
| Location: http://test.jens-falk.de/wp-content/themes/twentyseventeen/
| Readme: http://test.jens-falk.de/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://test.jens-falk.de/wp-content/themes/twentyseventeen/style.css
| Theme Name: Twenty Seventeen
| Theme URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating plugins from passive detection ...
| 1 plugin found:
[+] Name: advanced-twenty-seventeen - v1.3.1
| Latest version: 1.3.1 (up to date)
| Last updated: 2017-02-27T05:49:00.000Z
| Location: http://test.jens-falk.de/wp-content/plugins/advanced-twenty-seventeen/
| Readme: http://test.jens-falk.de/wp-content/plugins/advanced-twenty-seventeen/readme.txt
Benutzernamen suchen
Der Befehl lautet:
ruby wpscan.rb --url http://test.jens-falk.de --enumerate u
bzw. bei zahlreichen Benutzern
ruby wpscan.rb --url http://deinewebseite.de --enumerate u[10-20]
Das Ergebnis
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+--------+----------+
| Id | Login | Name |
+----+--------+----------+
| 1 | tester | Tester – |
+----+--------+----------+
Passwortsicherheit prüfen
Es macht durchaus Sinn nun zu prüfen, ob ein Angreifer sich anmelden könnte:
ruby wpscan.rb --url http://deineseite.de --wordlist passwoerter.txt
Das Ergebnis
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+--------+----------+
| Id | Login | Name |
+----+--------+----------+
| 1 | tester | Tester – |
+----+--------+----------+
[+] Starting the password brute forcer
Brute Forcing 'tester' Time: 00:00:00 <=====================================================================================> (1 / 1) 100.00% Time: 00:00:00
[+] [SUCCESS] Login : tester Password : geheim
+----+--------+----------+--------------------------+
| Id | Login | Name | Password |
+----+--------+----------+--------------------------+
| 1 | tester | Tester – | geheim |
+----+--------+----------+--------------------------+
Dateien mit Passwörtern sind zahlreich zu finden (Google “password list txt”). Viele Nutzer verwenden für Webseiten immer das gleiche Passwort. Ihnen ist nicht klar, daß mit einem Einbruch Passwörter ausgelesen und in Listen gespeichert werden.
Schwachstellen im Theme finden
ruby wpscan.rb --url http://deineseite.de --enumerate vt
Schwachstellen bei Plugins finden
ruby wpscan.rb --url http://deineseite.de --enumerate vp
Das Ergebnis
[+] URL: https://meine-verwundbaren-wp-plugins.de/
[+] Started: Fri Sep 22 20:29:41 2017
[+] robots.txt available under: 'https://meine-verwundbaren-wp-plugins.de/robots.txt'
[+] Interesting entry from robots.txt: Sitemap: http://meine-verwundbaren-wp-plugins.de/?feed=google_news_sitemap
[!] The WordPress 'https://meine-verwundbaren-wp-plugins.de/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: nginx
[+] Interesting header: X-CACHE-ENGINE: WP-FFPC with memcached via PHP
[+] Interesting header: X-POWERED-BY: PHP/5.4.45-1~dotdeb+7.1
[+] This site has 'Must Use Plugins' (http://codex.wordpress.org/Must_Use_Plugins)
[+] XML-RPC Interface available under: https://meine-verwundbaren-wp-plugins.de/xmlrpc.php
[+] WordPress version 4.7 (Released on 2016-12-06) identified from readme
[!] 27 vulnerabilities identified from the version number
[!] Title: WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
Reference: https://wpvulndb.com/vulnerabilities/8714
Reference: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/
Reference: https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491
Reference: http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_phpmailer_host_header
[i] Fixed in: 4.7.1
[!] Title: WordPress 4.7 - User Information Disclosure via REST API
Reference: https://wpvulndb.com/vulnerabilities/8715
Reference: https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/
Reference: https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5487
[i] Fixed in: 4.7.1
[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
Reference: https://wpvulndb.com/vulnerabilities/8716
Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
[i] Fixed in: 4.7.1
[!] Title: WordPress <= 4.7 - Cross-Site Request Forgery (CSRF) via Flash Upload
Reference: https://wpvulndb.com/vulnerabilities/8717
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5489
[i] Fixed in: 4.7.1
[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
Reference: https://wpvulndb.com/vulnerabilities/8718
Reference: https://www.mehmetince.net/low-severity-wordpress/
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
[i] Fixed in: 4.7.1
[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
Reference: https://wpvulndb.com/vulnerabilities/8719
Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.7.1
[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
Reference: https://wpvulndb.com/vulnerabilities/8720
Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
[i] Fixed in: 4.7.1
[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Reference: https://wpvulndb.com/vulnerabilities/8721
Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
[i] Fixed in: 4.7.1
[!] Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
Reference: https://wpvulndb.com/vulnerabilities/8729
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5610
[i] Fixed in: 4.7.2
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8730
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.7.2
[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
Reference: https://wpvulndb.com/vulnerabilities/8731
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
[i] Fixed in: 4.7.2
[!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
Reference: https://wpvulndb.com/vulnerabilities/8734
Reference: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
Reference: https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html
Reference: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
Reference: https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7
Reference: https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_content_injection
[i] Fixed in: 4.7.2
[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
Reference: https://wpvulndb.com/vulnerabilities/8765
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
Reference: http://seclists.org/oss-sec/2017/q1/563
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
[i] Fixed in: 4.7.3
[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
Reference: https://wpvulndb.com/vulnerabilities/8766
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
[i] Fixed in: 4.7.3
[!] Title: WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete
Reference: https://wpvulndb.com/vulnerabilities/8767
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6816
[i] Fixed in: 4.7.3
[!] Title: WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
Reference: https://wpvulndb.com/vulnerabilities/8768
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
Reference: https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6817
[i] Fixed in: 4.7.3
[!] Title: WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names
Reference: https://wpvulndb.com/vulnerabilities/8769
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6818
[i] Fixed in: 4.7.3
[!] Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
Reference: https://wpvulndb.com/vulnerabilities/8770
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
Reference: http://seclists.org/oss-sec/2017/q1/562
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
[i] Fixed in: 4.7.3
[!] Title: WordPress 2.3-4.7.5 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
[!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
Reference: https://wpvulndb.com/vulnerabilities/8815
Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
[i] Fixed in: 4.7.5
[!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
Reference: https://wpvulndb.com/vulnerabilities/8816
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
[i] Fixed in: 4.7.5
[!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
Reference: https://wpvulndb.com/vulnerabilities/8817
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
[i] Fixed in: 4.7.5
[!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
Reference: https://wpvulndb.com/vulnerabilities/8818
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
[i] Fixed in: 4.7.5
[!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
Reference: https://wpvulndb.com/vulnerabilities/8819
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
Reference: https://hackerone.com/reports/203515
Reference: https://hackerone.com/reports/203515
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
[i] Fixed in: 4.7.5
[!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
Reference: https://wpvulndb.com/vulnerabilities/8820
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
[i] Fixed in: 4.7.5
[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8905
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
Reference: https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
[i] Fixed in: 4.8.2
[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Reference: https://wpvulndb.com/vulnerabilities/8906
Reference: https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
Reference: https://wpvulndb.com/vulnerabilities/8905
[i] Fixed in: 4.7.5
Diese Scripte werden ganz sicher auch von jenen genutzt, die sich Zugang zum Content Management System verschaffen möchten. Deshalb sollte WPScan regelmäßig die eigene WordPress-Installation prüfen.
Möchten Sie eine sicherere WordPress-Installation als die Standardinstallation und regelmäßige Überprüfung Ihres CMS, so schreiben Sie uns. Zum Kontaktformular.
Verweise
| ↑1 | Kali Linux enthält Softwaretools, die zum Teil Sicherheitsvorkehrungen umgehen und die nach § 202c StGB, dem Ende Mai 2007 in Kraft getretenen sogenannten Hackerparagrafen, in Deutschland als Computerprogramme zum Ausspähen von Daten aufgefasst werden. Aufgrund dieser Gesetzeslage kann bereits der Besitz oder Vertrieb strafbar sein, sofern die Absicht zu einer rechtswidrigen Nutzung nach § 202a StGB (Ausspähen von Daten) oder § 202b StGB (Abfangen von Daten) besteht. Zitat von Seite „Kali Linux“, Rechtliches. In: Wikipedia, Die freie Enzyklopädie. Bearbeitungsstand: 4. August 2017, 20:02 UTC. URL: https://de.wikipedia.org/w/index.php?title=Kali_Linux&oldid=167875818 (Abgerufen: 22. September 2017, 09:59 UTC) |
|---|
