wordpress 3.6.1 vulnerability analysis. Help me pick an approach.

Discussion in 'Web vulnerabilities' started by Lenok, 5 Dec 2013.

  1. Lenok

    Lenok New Member

    Joined:
    24 Jun 2005
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Hello, dear hackers, programmers and plain enthusiasts. The server runs wordpress 3.6.1.
    A scan with wpscan showed that there are two vulnerabilities:

    1)
    | Name: adminimize v1.8.4
    | Location: http://www.site.ru/wp-content/plugins/adminimize/
    | Directory listing enabled: Yes
    | Readme: http://www.site.ru/wp-content/plugins/adminimize/readme.txt
    |
    | * Title: adminimize 1.7.21 - Cross-Site Scripting Vulnerabilities
    | * Reference: http://seclists.org/bugtraq/2011/Nov/135



    Wordpress adminimize.1.7.21 Plugin Cross-Site Scripting Vulnerabilities
    Download......: http://wordpress.org/extend/plugins/adminimize/
    Bug Found.....: IrIsT™
    Exploit.......: http://www.site.com/[path]/wp-content/plugins/adminimize/adminimize_page.php?page=[xss]


    2)
    | Name: wordpress-seo v1.4.19
    | Location: http://www.site.ru/wp-content/plugins/wordpress-seo/
    | Directory listing enabled: Yes
    | Readme: http://www.site.ru/wp-content/plugins/wordpress-seo/readme.txt
    | Changelog: http://www.site.ru/wp-content/plugins/wordpress-seo/changelog.txt
    |
    | * Title: WordPress SEO 1.14.15 - index.php s Parameter Reflected XSS
    | * Reference: http://packetstormsecurity.com/files/123028/
    | * Reference: http://osvdb.org/97885
    |
    | * Title: WordPress SEO 1.4.6 - Reset Settings Feature Access Restriction Bypass
    | * Reference: http://secunia.com/advisories/52949
    | * Reference: http://osvdb.org/92147



    Discussion:
    Yoast SEO Plugin v1.14.15 has a xss vulnerability due to lack of search
    sanitation.

    Exploit:
    This can be exploited with a browser and is usually executed inside the
    search parameter of the website.

    Proof of concept:
    http://5linx.com/?s="><script>alert(document.cookie);</script>


    Description: WordPress SEO by Yoast Plugin for WordPress contains a flaw that is due to the program failing to properly restrict access to users. This may allow a remote attacker to bypass restrictions placed on the 'reset settings' feature.

    Classification:
    Location: Remote / Network Access
    Attack Type: Input Manipulation
    Impact: Loss of Integrity
    Solution: Solution Unknown
    Exploit: Exploit Private
    Disclosure: Vendor Verified, Third-party Verified
    OSVDB: Web Related


    Tell me, are they dangerous?


    A bit more information from nmap on the open ports (17):

    21 - tcp - open - ftp - Pure-FTPd
    22 - tcp - open - ssh - OpenSSH 5.3 (protocol 2.0)
    25 - tcp - open - smtp - Exim smtpd 4.80.1
    53 - tcp - open - domain
    80 - tcp - open - http - nginx 1.4.2
    110 - tcp - open - pop3 - Dovecot pop3d
    111 - tcp - open - rpcbind - 2-4 (RPC#100000)
    135 - tcp - filtered - msrpc
    139 - tcp - filtered - netbios-ssn
    143 - tcp - open - imap - Dovecot imapd
    179 - tcp - filtered - bgp
    443 - tcp - open - http - nginx 1.4.2
    445 - tcp - filtered - microsoft-ds
    465 - tcp - open - smtp - Exim smtpd 4.80.1
    587 - tcp - open - smtp - Exim smtpd 4.80.1
    993 - tcp - open - imap - Dovecot imapd
    995 - tcp - open - pop3 - Dovecot pop3d
    1720 - tcp - filtered - H.323/Q.931
    3306 - tcp - open - mysql - MySQL 5.1.71-rel14.9
    5666 - tcp - open - tcpwrapped
    8080 - tcp - open - http - Apache httpd 2.2.25
    8081 - tcp - open - http - Apache httpd 2.2.25
     
  2. +toxa+

    +toxa+ Smack! SMACK!!!

    Joined:
    16 Jan 2005
    Messages:
    1,675
    Likes Received:
    1,028
    Reputations:
    1,228
  3. Lenok

    Lenok New Member

    Joined:
    24 Jun 2005
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0

    Hello! There don't seem to be any neighbours.
    Here is the full wpscan analysis:


    | Started:

    [+] robots.txt available under: 'http://site.ru/robots.txt'
    [!] The WordPress 'http://site.ru/readme.html' file exists
    [!] Full Path Disclosure (FPD) in: 'http://site.ru/wp-includes/rss-functions.php'
    [+] Interesting header: SERVER: nginx/1.4.2
    [+] Interesting header: WP-SUPER-CACHE: Served supercache file from PHP
    [+] Interesting header: X-POWERED-BY: PHP/5.3.13
    [+] XML-RPC Interface available under: http://site.ru/xmlrpc.php
    [+] WordPress version 3.6.1 identified from meta generator

    [+] WordPress theme in use: responsive v1.9.3.8

    | Name: responsive v1.9.3.8
    | Location: http://site.ru/wp-content/themes/responsive/
    | Readme: http://site.ru/wp-content/themes/responsive/readme.txt
    | Changelog: http://site.ru/wp-content/themes/responsive/changelog.txt

    [+] Enumerating installed plugins ...

    Time: 00:01:58 <=======================> (2615 / 2615) 100.00% Time: 00:01:58

    [+] We found 22 plugins:

    | Name: adminimize v1.8.4
    | Location: http://site.ru/wp-content/plugins/adminimize/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/adminimize/readme.txt
    |
    | * Title: adminimize 1.7.21 - Cross-Site Scripting Vulnerabilities
    | * Reference: http://seclists.org/bugtraq/2011/Nov/135

    | Name: contact-form-7 v3.5.4
    | Location: http://site.ru/wp-content/plugins/contact-form-7/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/contact-form-7/readme.txt

    | Name: createit-jquery-3level-accordion-menu
    | Location: http://site.ru/wp-content/plugins/createit-jquery-3level-accordion-menu/

    | Name: display-posts-shortcode v2.3
    | Location: http://site.ru/wp-content/plugins/display-posts-shortcode/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/display-posts-shortcode/readme.txt

    | Name: easy-fancybox v1.5.5
    | Location: http://site.ru/wp-content/plugins/easy-fancybox/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/easy-fancybox/readme.txt

    | Name: fotorama v4.4.6
    | Location: http://site.ru/wp-content/plugins/fotorama/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/fotorama/readme.txt

    | Name: mp6
    | Location: http://site.ru/wp-content/plugins/mp6/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/mp6/readme.txt

    | Name: responsive-add-ons v1.0.4
    | Location: http://site.ru/wp-content/plugins/responsive-add-ons/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/responsive-add-ons/readme.txt

    | Name: revslider
    | Location: http://site.ru/wp-content/plugins/revslider/
    | Directory listing enabled: Yes

    | Name: rustolat v0.3
    | Location: http://site.ru/wp-content/plugins/rustolat/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/rustolat/readme.txt

    | Name: simple-scroll-to-top v2.4.0
    | Location: http://site.ru/wp-content/plugins/simple-scroll-to-top/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/simple-scroll-to-top/readme.txt

    | Name: sitemap v4.2
    | Location: http://site.ru/wp-content/plugins/sitemap/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/sitemap/readme.txt

    | Name: sitemap-generator-wp v1.08
    | Location: http://site.ru/wp-content/plugins/sitemap-generator-wp/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/sitemap-generator-wp/readme.txt

    | Name: smooth-page-scroll-to-top v0.3
    | Location: http://site.ru/wp-content/plugins/smooth-page-scroll-to-top/
    | Readme: http://site.ru/wp-content/plugins/smooth-page-scroll-to-top/readme.txt

    | Name: smooth-scroll-up
    | Location: http://site.ru/wp-content/plugins/smooth-scroll-up/
    | Directory listing enabled: Yes

    | Name: themefuse-maintenance-mode v1.1.3
    | Location: http://site.ru/wp-content/plugins/themefuse-maintenance-mode/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/themefuse-maintenance-mode/readme.txt

    | Name: touchcarousel
    | Location: http://site.ru/wp-content/plugins/touchcarousel/
    | Directory listing enabled: Yes

    | Name: vslider v4.1.2
    | Location: http://site.ru/wp-content/plugins/vslider/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/vslider/readme.txt

    | Name: widget-logic v0.56
    | Location: http://site.ru/wp-content/plugins/widget-logic/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/widget-logic/readme.txt

    | Name: wordpress-importer v0.6
    | Location: http://site.ru/wp-content/plugins/wordpress-importer/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/wordpress-importer/readme.txt

    | Name: wordpress-seo v1.4.19
    | Location: http://site.ru/wp-content/plugins/wordpress-seo/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/wordpress-seo/readme.txt
    | Changelog: http://site.ru/wp-content/plugins/wordpress-seo/changelog.txt
    |
    | * Title: WordPress SEO 1.14.15 - index.php s Parameter Reflected XSS
    | * Reference: http://packetstormsecurity.com/files/123028/
    | * Reference: http://osvdb.org/97885
    |
    | * Title: WordPress SEO 1.4.6 - Reset Settings Feature Access Restriction Bypass
    | * Reference: http://secunia.com/advisories/52949
    | * Reference: http://osvdb.org/92147

    | Name: wp-super-cache v1.4
    | Location: http://site.ru/wp-content/plugins/wp-super-cache/
    | Directory listing enabled: Yes
    | Readme: http://site.ru/wp-content/plugins/wp-super-cache/readme.txt

    [+] Finished

    ---------------------------------------------------


    [+] Enumerating installed themes ...

    Time: 00:00:26 <=========================> (491 / 491) 100.00% Time: 00:00:26

    [+] We found 1 themes:

    | Name: responsive v1.9.3.8
    | Location: http://site.ru/wp-content/themes/responsive/
    | Readme: http://site.ru/wp-content/themes/responsive/readme.txt
    | Changelog: http://site.ru/wp-content/themes/responsive/changelog.txt

    [+] Finished

    ---------------------------------------------------


    [+] Enumerating usernames ...
    [+] We found the following 1 user/s:
    +----+-------+------------------+
    | Id | Login | Name |
    +----+-------+------------------+
    | 1 | admin | admin, Author at |
    +----+-------+------------------+

    [+] Finished

    ---------------------------------------------------


    [+] Enumerating timthumb files ...

    Time: 00:01:58 <=======================> (2430 / 2430) 100.00% Time: 00:01:58

    [+] We found 1 timthumb file/s:

    | [!] http://site.ru/wp-content/plugins/vslider/timthumb.php v2.8.10

    * Reference: http://www.exploit-db.com/exploits/17602/

    [+] Finished

    ---------------------------------------------------


    Password brute force gave no result; about 500,000 variants were tried.
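A triage helper for the wpscan plugin blocks shown in posts 1 and 3 (an added example, not code from the thread or from wpscan). It parses a constructed sample in the same "| Name: ... / | * Title: ..." layout and turns it into action items for the site owner: directory listing to switch off, and each advisory compared against the installed version, since the scan above reports advisories for versions older than the one installed. The host name example.test is a placeholder.

```python
import re
# Constructed sample in the per-plugin block layout wpscan prints (not the thread's real scan).
SAMPLE = """\
| Name: adminimize v1.8.4
| Location: http://example.test/wp-content/plugins/adminimize/
| Directory listing enabled: Yes
| * Title: adminimize 1.7.21 - Cross-Site Scripting Vulnerabilities

| Name: touchcarousel
| Directory listing enabled: Yes

| Name: wordpress-seo v1.4.19
| Location: http://example.test/wp-content/plugins/wordpress-seo/
| * Title: WordPress SEO 1.4.6 - Reset Settings Feature Access Restriction Bypass
"""

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def parse_plugins(report):
    """One dict per '| Name:' header: installed version, listing flag and advisory titles."""
    plugins, cur = [], None
    for line in report.splitlines():
        head = re.match(r"\| Name: (\S+)(?: v(\d+(?:\.\d+)*))?$", line)
        if head:
            cur = {"name": head.group(1), "dir_listing": False, "vulns": [],
                   "version": parse_version(head.group(2)) if head.group(2) else None}
            plugins.append(cur)
        elif cur and line.startswith("| Directory listing enabled: Yes"):
            cur["dir_listing"] = True
        elif cur and line.startswith("| * Title: "):
            title = line[len("| * Title: "):]
            adv = re.search(r"\b\d+(?:\.\d+)+\b", title)  # version named in the advisory title
            cur["vulns"].append((title, parse_version(adv.group(0)) if adv else None))
    return plugins

def verdict(installed, advisory):
    """The scan lists advisories by plugin name, so the version comparison decides the priority."""
    if installed is None or advisory is None:
        return "version unknown, verify manually"
    if installed <= advisory:
        return "installed version not newer than advisory, treat as affected"
    return "installed version newer than advisory, confirm the fix in the changelog"

def triage(plugins):
    items = [(p["name"], "directory listing enabled, disable autoindex") for p in plugins if p["dir_listing"]]
    for p in plugins:
        items += [(p["name"], f"{title}: {verdict(p['version'], adv)}") for title, adv in p["vulns"]]
    return items
```

Feed it the plugin section of a real wpscan text report to get the same list for every plugin found.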
     
  4. Lenok

    Lenok New Member

    Joined:
    24 Jun 2005
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Guys, who can do a security audit of my site for a reward?
    If it works out, get to the FTP and then explain what needs to be done to patch the vulnerability found.

    Or tell me where I can turn with such a request.
     
  5. madhatter

    madhatter Member

    Joined:
    7 Aug 2013
    Messages:
    565
    Likes Received:
    50
    Reputations:
    54
    There is a dedicated section for that. And it is definitely not this thread :)

    Another question is whether you can confirm that the site is really yours? :)
    Anyway, send the link by PM.
     