最近看了infosec 出品的《Protecting WordPress Installations in an IaaS Environment》，決定給裸奔的wordpress做做安全加固。

wordpress是國人搭建個人博客的首選，其地位等同于論壇搭建首選discuz(話說，discuz才報出全局變量繞過導致的命令執行大洞，唉，開源的APP都是不產蜜而產getshell的蜂巢)

wordpress以豐富的插件(插件漏洞)聞名，因此攻擊者一般會對wordpress來個指紋識別(除去找暴力破解/社工后臺登陸口的快捷方法)。

一、wpscan – Wordpress指紋識別及漏洞檢查工具

該網站被喪心病狂的GFW封掉了，翻墻吧psiphon搔年，或者使用滲透套裝kali(重點不是wpscan，了解攻擊才能給出相應防御措施)

a.安裝

以ubuntu安裝為例

apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan/
gem install bundler && bundle install --without test

b.基本使用

枚舉站點信息：用戶名、插件、樣式等信息

ruby wpscan.rb --url www.tanjiti.com --enumerate

以下是探測結果樣本

[+] URL: http://www.tanjiti.com
[+] Started: Tue Oct 28 15:46:30 2014
[!] The WordPress 'http://www.tanjiti.com/readme.html' file exists
[+] XML-RPC Interface available under: http://www.tanjiti.com/xmlrpc.php
[!] Upload directory has directory listing enabled: http://www.tanjiti.com/wp-content/uploads/
[+] WordPress version 4.0 identified from meta generator
[+] WordPress theme in use: twentyfourteen - v1.2
[+] Name: twentyfourteen - v1.2
 |  Location: http://www.tanjiti.com/wp-content/themes/twentyfourteen/
 |  Style URL: http://www.tanjiti.com/wp-content/themes/twentyfourteen/style.css
 |  Referenced style.css: http://www.tanjiti.com/wp-content/themes/twentyfourteen/style.css
 |  Theme Name: Twenty Fourteen
 |  Theme URI: http://wordpress.org/themes/twentyfourteen
 |  Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
 |  Author: the WordPress team
 |  Author URI: http://wordpress.org/
[+] Enumerating installed plugins (only vulnerable ones) ...
   Time: 00:00:37 <==============================================> (880 / 880) 100.00% Time: 00:00:37
[+] No plugins found
[+] Enumerating installed themes (only vulnerable ones) ...
   Time: 00:00:16 <==============================================> (308 / 308) 100.00% Time: 00:00:16
[+] No themes found
[+] Enumerating timthumb files ...
   Time: 00:01:48 <============================================> (2539 / 2539) 100.00% Time: 00:01:48
[+] No timthumb files found
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+---------+---------+
    | Id | Login   | Name    |
    +----+---------+---------+
    | 1  | tanjiti | tanjiti |
    +----+---------+---------+
[+] Finished: Tue Oct 28 15:49:34 2014

察看詳細的探測信息

ruby wpscan.rb --url www.tanjiti.com --debug-output --random-agent >debug.log

(注意：wpscan 默認User-Agent為WPScan v2.5.1 (http://wpscan.org)，掃描器使用常識之一使用正常變化的ua，避免觸發WAF之類的防御部署)

基本察看LOG，我們就可以知道wpscan是如何收集信息

例如檢查響應頭X-Pingback: http://www.tanjiti.com/xmlrpc.php 頭 (xmlrpc漏洞)

檢查xmlrpc.php (xmlrpc漏洞)

檢查robots.txt文件 (敏感信息泄露)

檢查readme.html文件(敏感信息泄露)

檢查/wp-content/debug.log(敏感信息泄露)

檢查配置文件(能夠明文讀取配置文件基本就是掛掉了)，wp-config.php.swo，%23wp-config.php%23，wp-config.orig，wp-config.php_bak，wp-config.original，wp-config.php.orig，wp-config.php.old，.wp-config.php.swp，wp-config.php.save，wp-config.bak，wp-config.txt，wp-config.php~ ，wp-config.save ，wp-config.old，wp-config.php.swp (敏感信息泄露)

識別指紋后，一般會去漏洞信息庫中查找可以利用的漏洞，例如MSF

#p#

二、MSF-wordpress漏洞利用(已方使用就是漏洞掃描)

msf > search wordpress

Matching Modules
================

  Name                                                      Disclosure Date  Rank       Description
  ----                                                      ---------------  ----       -----------
  auxiliary/admin/http/wp_custom_contact_forms              2014-08-07       normal     WordPress custom-contact-forms Plugin SQL Upload
  auxiliary/dos/http/wordpress_xmlrpc_dos                   2014-08-06       normal     WordPress XMLRPC DoS

以前段時間有名的XMLRPC DoS為例(漏洞說明見 《[科普]什么是 billion laughs-WordPress與Drupal的DoS攻擊有感》)

msf > use auxiliary/dos/http/wordpress_xmlrpc_dos    
msf auxiliary(wordpress_xmlrpc_dos) > show options

Module options (auxiliary/dos/http/wordpress_xmlrpc_dos):

  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        Use a proxy chain
  RHOST                       yes       The target address
  RLIMIT     1000             yes       Number of requests to send
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

msf auxiliary(wordpress_xmlrpc_dos) > set RHOST www.tanjiti.com
RHOST => ｘｘｘ
msf auxiliary(wordpress_xmlrpc_dos) > set TARGETURI /
TARGETURI => /wordpress/wordpress/
msf auxiliary(wordpress_xmlrpc_dos) > run

(再次強調，重點不是Metasploit，了解攻擊才能給出相應防御措施)#p#

三、wordpress防護——使用ModSecurity進行防護

安裝及規則編寫的基礎知識見《[科普文]ubuntu上安裝Apache2+ModSecurity及自定義WAF規則》

vim /usr/share/modsecurity-crs/activated_rules/MY.conf

(1) 添加防御xmlrpc漏洞的規則

SecRule REQUEST_URI "@endsWith /xmlrpc.php" "deny,tag:'WEB_ATTACK/WORDPRESS',msg:'block wordpress xmlrpc.php',id:0000003,phase:2"
service apache2 restart

使用MSF發送攻擊包

msf auxiliary(wordpress_xmlrpc_dos) > use auxiliary/scanner/http/wordpress_pingback_access 
msf auxiliary(wordpress_pingback_access) > show options

Module options (auxiliary/scanner/http/wordpress_pingback_access):

  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        Use a proxy chain
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      80               yes       The target port
  TARGETURI  /                yes       The path to wordpress installation (e.g. /wordpress/)
  THREADS    1                yes       The number of concurrent threads
  VHOST                       no        HTTP server virtual host

msf auxiliary(wordpress_pingback_access) > set RHOSTS www.tanjiti.com
RHOSTS => ｘｘｘ
msf auxiliary(wordpress_pingback_access) > set TARGETURI /
TARGETURI => /wordpress/wordpress/
msf auxiliary(wordpress_pingback_access) > run

可以看到攔截日志如下

Message: Warning. String match "/xmlrpc.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "4"] [id "0000003"] [msg "block wordpress xmlrpc.php"] [tag "WEB_ATTACK/WORDPRESS"]

(2) 添加防御wpscan默認掃描頭的規則

SecRule REQUEST_HEADERS:User-Agent "@contains wpscan" "t:lowercase,deny,tag:'WEB_ATTACK/WORDPRESS',msg:'block wpscanner default useragent',id:0000004,phase:1"

再次運行wpscan，可以看到攔截日志如下

essage: Warning. String match "wpscan" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-crs/activated_rules/MY.conf"] [line "6"] [id "0000004"] [msg "block wpscanner default useragent"] [tag "WEB_ATTACK/WORDPRESS"]

大伙可以針對性地添加規則，對個人網站而已，添加白規則較之黑規則會事半功倍，這里的示例規則僅僅是拋磚引玉。#p#

四、wordpress防護——屏蔽敏感信息訪問

vim /etc/apache2/apache2.conf
<FilesMatch "\.(sw[po]|old|save|bak|orig(?:inal)?|php(?:~|_bak|\x23))$">
        Require all denied
</FilesMatch>
service apache2 restart

五、wordpress防護——啟用安全頭

vim /etc/apache2/conf-available/security.conf

(1) 防止在IE9、chrome和safari中的MIME類型混淆攻擊

Header set X-Content-Type-Options: "nosniff"

(2) 防止clickjacking，只允許遵守同源策略的資源(和站點同源)通過frame加載那些受保護的資源。

Header set X-Frame-Options: "sameorigin"

(3) 開啟xss防護并通知瀏覽器阻止而不是過濾用戶注入的腳本。

Header set X-XSS-Protection "1;mode=block"

service apache2 restart

六、wordpress防護——登陸口防爆破

一般的方法是設置一個登陸口白名單，但現在越來越多的網站使用CDN服務，明顯不再是個好的防護方案

安裝Login LockDown 插件,wordpress后臺插件管理處搜索即可，設置也超級簡單

設置實例：

如果在5分鐘失敗3次就會封鎖IP60分鐘