viernes, 12 de febrero de 2016

For loop - Script para llenar tablas en PostgreSql

Si tenemos la necesidad de llenar una base de datos PostgreSql por ejemplo para realizar pruebas de estrés, podemos utilizar una función que utilice un for loop como el que os dejo a continuación. Solo tendréis que modificar la parte de el número de repeticiones (1255255) y de los insert (person,direccion) en función del volumen de datos que necesitéis y las tablas que queráis llenar.

Ejemplo de script:

CREATE OR REPLACE FUNCTION cargar_bd()
RETURNS void AS
$BODY$BEGIN
for i in 1..1255255 loop
insert into person (nombre) values ('nombre');
insert into direccion (calle) values ('Avd. Lapsusmentis nº 3');
end loop;
END
$BODY$
LANGUAGE 'plpgsql';

Para ejecutarlo bastará con lanzarlo con la siguiente consulta y se repetirá 1255255 :

SELECT  cargar_bd();

lunes, 8 de febrero de 2016

Comandos importantes en WPScan

Actualización de las bases de datos

root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --update
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.


Escaneo genérico de vulnerabilidades

Con el siguiente comando podemos sacar un listado genérico de las vulnerabilidades que tiene el WordPress que estamos auditando. En cada apartado nos indican las url donde podemos consultar en que consisten estas vulnerabilidades, como solucionarlas y como explotarlas.
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXXXXX.com
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://XXXXXXX/
[+] Started: Fri Jan 15 16:00:47 2016

[!] The WordPress 'http://XXXXXXX/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://XXXXXXXXX/xmlrpc.php

[+] WordPress version 3.9.1 identified from meta generator
[!] 20 vulnerabilities identified from the version number

[!] Title:  WordPress 3.9 & 3.9.1 Unlikely Code Execution
    Reference: https://wpvulndb.com/vulnerabilities/7527
    Reference: https://core.trac.wordpress.org/changeset/29389
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
[i] Fixed in: 3.9.2

[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
    Reference: https://wpvulndb.com/vulnerabilities/7528
    Reference: https://core.trac.wordpress.org/changeset/29384
    Reference: https://core.trac.wordpress.org/changeset/29408
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
    Reference: https://wpvulndb.com/vulnerabilities/7529
    Reference: https://core.trac.wordpress.org/changeset/29398
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
    Reference: https://wpvulndb.com/vulnerabilities/7530
    Reference: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
    Reference: http://getid3.sourceforge.net/
    Reference: http://wordpress.org/news/2014/08/wordpress-3-9-2/
    Reference: http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
    Reference: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
    Reference: https://wpvulndb.com/vulnerabilities/7531
    Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
    Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
[i] Fixed in: 4.0

[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7680
    Reference: http://klikki.fi/adv/wordpress.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: http://klikki.fi/adv/wordpress_update.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
[i] Fixed in: 4.0

[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
    Reference: https://wpvulndb.com/vulnerabilities/7681
    Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
    Reference: http://osvdb.org/show/osvdb/114857
    Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
    Reference: https://www.exploit-db.com/exploits/35413/
    Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
    Reference: https://wpvulndb.com/vulnerabilities/7696
    Reference: http://www.securityfocus.com/bid/71234/
    Reference: https://core.trac.wordpress.org/changeset/30444
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1

[!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
    Reference: https://wpvulndb.com/vulnerabilities/7697
    Reference: https://core.trac.wordpress.org/changeset/30422
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7929
    Reference: https://wordpress.org/news/2015/04/wordpress-4-1-2/
    Reference: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
[i] Fixed in: 4.1.2

[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8111
    Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
    Reference: https://twitter.com/klikkioy/status/624264122570526720
    Reference: https://klikki.fi/adv/wordpress3.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 3.9.7

[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8126
    Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
    Reference: https://wpvulndb.com/vulnerabilities/8130
    Reference: https://core.trac.wordpress.org/changeset/33536
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8131
    Reference: https://core.trac.wordpress.org/changeset/33529
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8132
    Reference: https://core.trac.wordpress.org/changeset/33541
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8133
    Reference: https://core.trac.wordpress.org/changeset/33549
    Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8186
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 3.9.9

[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8187
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 3.9.9

[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
    Reference: https://wpvulndb.com/vulnerabilities/8188
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 3.9.9

[!] Title: WordPress  3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8358
    Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 3.9.10

[+] WordPress theme in use: XXXXX - v1.2.0

[+] Name: XXXXXX - v1.2.0
 |  Location: http://XXXXXXXXX/wp-content/themes/XXXXX/
 |  Readme: http://XXXXXXX/wp-content/themes/XXXX/readme.txt
 |  Style URL: http://XXXXXXXX/wp-content/themes/XXXXX/style.css
 |  Referenced style.css: http://blog.XXXXXX.com/wp-content/themes/XXXXX/style.css
 |  Theme Name: XXXXXX
 |  Theme URI: http://XXXXXXXXXXX
 |  Description: XXXXX Clean, Responsive and Modern Theme for Personal Blogging
 |  Author: XXXXXX
 |  Author URI: http://XXXXXX.com

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Fri Jan 15 16:00:48 2016
[+] Requests Done: 36
[+] Memory used: 3.219 MB
[+] Elapsed time: 00:00:01




Escaneo en profundidad de vulnerabilidades

Con la opción --enumerate WPScan realizará un escaneo profundo de las vulnerabilidades de WordPress donde entre otros datos podremos obtener los usuarios dados de alta en él. El obtener estos usuarios nos permitirá por ejemplo realizar una auditoría de las contraseñas mediante un ataque por diccionario por esto con la información obtenida con --enumerate podremos tener información adicional para completar una auditoría de seguridad exhaustiva de WordPress.

root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXX --enumerate
_______________________________________________________________
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://XXXXXXXX/
[+] Started: Fri Jan 15 16:01:34 2016

[!] The WordPress 'http://XXXXXX/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://XXXXXXX/xmlrpc.php

[+] WordPress version 3.9.1 identified from meta generator
[!] 20 vulnerabilities identified from the version number

[!] Title:  WordPress 3.9 & 3.9.1 Unlikely Code Execution
    Reference: https://wpvulndb.com/vulnerabilities/7527
    Reference: https://core.trac.wordpress.org/changeset/29389
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
[i] Fixed in: 3.9.2

[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
    Reference: https://wpvulndb.com/vulnerabilities/7528
    Reference: https://core.trac.wordpress.org/changeset/29384
    Reference: https://core.trac.wordpress.org/changeset/29408
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
    Reference: https://wpvulndb.com/vulnerabilities/7529
    Reference: https://core.trac.wordpress.org/changeset/29398
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
    Reference: https://wpvulndb.com/vulnerabilities/7530
    Reference: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
    Reference: http://getid3.sourceforge.net/
    Reference: http://wordpress.org/news/2014/08/wordpress-3-9-2/
    Reference: http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
    Reference: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
[i] Fixed in: 3.9.2

[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
    Reference: https://wpvulndb.com/vulnerabilities/7531
    Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
    Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
[i] Fixed in: 4.0

[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7680
    Reference: http://klikki.fi/adv/wordpress.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: http://klikki.fi/adv/wordpress_update.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
[i] Fixed in: 4.0

[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
    Reference: https://wpvulndb.com/vulnerabilities/7681
    Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
    Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
    Reference: http://osvdb.org/show/osvdb/114857
    Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
    Reference: https://www.exploit-db.com/exploits/35413/
    Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
    Reference: https://wpvulndb.com/vulnerabilities/7696
    Reference: http://www.securityfocus.com/bid/71234/
    Reference: https://core.trac.wordpress.org/changeset/30444
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1

[!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
    Reference: https://wpvulndb.com/vulnerabilities/7697
    Reference: https://core.trac.wordpress.org/changeset/30422
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
[i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7929
    Reference: https://wordpress.org/news/2015/04/wordpress-4-1-2/
    Reference: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
[i] Fixed in: 4.1.2

[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8111
    Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
    Reference: https://twitter.com/klikkioy/status/624264122570526720
    Reference: https://klikki.fi/adv/wordpress3.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 3.9.7

[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8126
    Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
    Reference: https://wpvulndb.com/vulnerabilities/8130
    Reference: https://core.trac.wordpress.org/changeset/33536
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8131
    Reference: https://core.trac.wordpress.org/changeset/33529
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8132
    Reference: https://core.trac.wordpress.org/changeset/33541
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8133
    Reference: https://core.trac.wordpress.org/changeset/33549
    Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8186
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 3.9.9

[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8187
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 3.9.9

[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
    Reference: https://wpvulndb.com/vulnerabilities/8188
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 3.9.9

[!] Title: WordPress  3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8358
    Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 3.9.10

[+] WordPress theme in use: XXXX - v1.2.0

[+] Name: XXXXX - v1.2.0
 |  Location: http://XXXXXX/wp-content/themes/XXXXXX/
 |  Readme: http://XXXXXX/wp-content/themes/XXXXXX/readme.txt
 |  Style URL: http://XXXXXX/wp-content/themes/XXXXXX/style.css
 |  Referenced style.css: http://blog.XXXXXX.com/wp-content/themes/XXXXXX/style.css
 |  Theme Name: XXXXXX
 |  Theme URI: http://XXXXXX
 |  Description: XXXXXX Clean, Responsive and Modern Theme for Personal Blogging
 |  Author: XXXXXX
 |  Author URI: http://XXXXXX.com

[+] Enumerating installed plugins (only ones with known vulnerabilities) ...

   Time: 00:00:02 <========================================================================================================================================================================> (1258 / 1258) 100.00% Time: 00:00:02

[+] We found 1 plugins:

[+] Name: akismet - v3.0.0
 |  Location: http://XXXXXX/wp-content/plugins/akismet/
 |  Readme: http://XXXXXX/wp-content/plugins/akismet/readme.txt
[!] The version is out of date, the latest version is 3.1.7

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Enumerating installed themes (only ones with known vulnerabilities) ...

   Time: 00:00:00 <==========================================================================================================================================================================> (368 / 368) 100.00% Time: 00:00:00

[+] No themes found

[+] Enumerating timthumb files ...

   Time: 00:00:04 <========================================================================================================================================================================> (2539 / 2539) 100.00% Time: 00:00:04

[+] No timthumb files found

[+] Enumerating usernames ...
[+] Identified the following 3 user/s:
    +----+----------+----------+
    | Id | Login    | Name     |
    +----+----------+----------+
    | 1  | caXXX    | caXX    |
    | 2  | caXXXa | caXXXa |
    | 3  | admin    | admin    |
    +----+----------+----------+

[+] Finished: Fri Jan 15 16:01:49 2016
[+] Requests Done: 4218
[+] Memory used: 38.895 MB
[+] Elapsed time: 00:00:14 




Ataque de login por fuerza bruta en WordPress

Como hemos podido comprobar en los pasos anteriores nos enfrentamos a un WordPress sin ninguna restricción adicional de acceso en la parte de administración tales como chaptra o bloqueo con .htpasswd. Esto nos permite sin ninguna complicación ni paso adicional realizar una auditoría de usuario/password para ver su fortaleza pero ademas tenemos a nuestro favor que ya conocemos usuarios dados de alta en él gracias a la información desprendida por el comando anterior. Asumiendo que he generado un diccionario con Crunch tal y como explico en este post y que está en /home/rencinar/pass.txt para auditar la fortaleza del usuario admin el comando sería:
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXXX --wordlist /home/rencinar/pass.txt --username admin

sábado, 6 de febrero de 2016

Inittab cambiando el runlevel en linux

El runlevel o nivel de ejecución determina los recursos de los que va a disponer el sistema operativo tras el arranque de una máquina linux/unix. Por ejemplo, si arrancamos en un nivel de ejecución sin entorno de X11 el sistema no podrá disponer de los recursos para la ejecución de gráficos 3D. Cabe decir además que, aunque los niveles de ejecución pueden variar en función de la distribución que estemos utilizando, en general las definiciones se mantienen en todos los linux y son:
  • 0 – halt: Es el nivel de ejecución de apagado.
  • 1 - Single user mode: Es el nivel de ejecución que usamos para acceder al sistema cuando hay problemas pues solo está disponible el usuario root y no levanta ningún demonio del sistema ni la red.
  • 2 - Multiuser, without NFS: Es el nivel de ejecución multiusuario sin red.
  • 3 - Full multiuser mode: Es el nivel de ejecución que se suele usar por defecto en servidores pues tiene cargados todos los recursos del sistema sin restarle recursos de interfaz gráfica dado que esta no estará disponible.
  • 4 – unused: Actualmente en desuso.
  • 5 – X11: Es el nivel de ejecución con todo el sistema funcional al 100% incluyendo la interfaz gráfica.
  • 6 – reboot: Es el nivel de ejecución de reinicio.
En el fichero /etc/inittab es donde le indicamos al sistema en que nivel de ejecución vamos a arrancar, y se realiza de la siguiente manera:
                                 id:<nivel de ejecución>:initdefault:

De esta manera un ejemplo del contenido del fichero /etc/inittab donde el nivel de ejecución fuese el 3 sería:

[root@metempsicosis ~]# cat /etc/inittab
id:3:initdefault:

Cada vez que modifiquemos el nivel de ejecución deberemos reiniciar el sistema para que el cambio tenga efecto.

Comandos para conocer el nivel de ejecución en linux

 

who -r -> Nos indica el nivel de ejecución que tiene el sistema operativo en ese momento. Un ejemplo de la salida del comando es:

[root@metempsicosis ~]$ who -r
         `run-level' 3 2015-12-01 15:15                   último=S

runlevel -> Al igual que el comando anterior, nos indica el nivel de ejecución que tiene el sistema operativo en ese momento.