If we need to fill a PostgreSQL database, for example to run stress tests, we can use a function built around a for loop like the one below. You only have to change the number of repetitions (1255255) and the inserts (person, direccion) according to the volume of data you need and the tables you want to fill.
Example script:
CREATE OR REPLACE FUNCTION cargar_bd()
RETURNS void AS
$BODY$
BEGIN
    -- Repeat the inserts 1255255 times; adjust the upper bound to the volume you need
    FOR i IN 1..1255255 LOOP
        INSERT INTO person (nombre) VALUES ('nombre');
        INSERT INTO direccion (calle) VALUES ('Avd. Lapsusmentis nº 3');
    END LOOP;
END;
$BODY$
LANGUAGE plpgsql;
To run it, just call it with the following query and the loop will repeat 1255255 times:
SELECT cargar_bd();
Friday, 12 February 2016
Monday, 8 February 2016
Important WPScan commands
Updating the databases
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --update
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
Generic vulnerability scan
With the following command we can get a generic listing of the vulnerabilities in the WordPress site we are auditing. Each entry lists the URLs where we can read what the vulnerability consists of, how to fix it and how to exploit it.
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXXXXX.com
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://XXXXXXX/
[+] Started: Fri Jan 15 16:00:47 2016
[!] The WordPress 'http://XXXXXXX/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://XXXXXXXXX/xmlrpc.php
[+] WordPress version 3.9.1 identified from meta generator
[!] 20 vulnerabilities identified from the version number
[!] Title: WordPress 3.9 & 3.9.1 Unlikely Code Execution
Reference: https://wpvulndb.com/vulnerabilities/7527
Reference: https://core.trac.wordpress.org/changeset/29389
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
[i] Fixed in: 3.9.2
[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
Reference: https://wpvulndb.com/vulnerabilities/7528
Reference: https://core.trac.wordpress.org/changeset/29384
Reference: https://core.trac.wordpress.org/changeset/29408
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
Reference: https://wpvulndb.com/vulnerabilities/7529
Reference: https://core.trac.wordpress.org/changeset/29398
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
Reference: https://wpvulndb.com/vulnerabilities/7530
Reference: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
Reference: http://getid3.sourceforge.net/
Reference: http://wordpress.org/news/2014/08/wordpress-3-9-2/
Reference: http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
Reference: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
Reference: https://wpvulndb.com/vulnerabilities/7531
Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
[i] Fixed in: 4.0
[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7680
Reference: http://klikki.fi/adv/wordpress.html
Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
Reference: http://klikki.fi/adv/wordpress_update.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
[i] Fixed in: 4.0
[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
Reference: https://wpvulndb.com/vulnerabilities/7681
Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
Reference: http://osvdb.org/show/osvdb/114857
Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
Reference: https://www.exploit-db.com/exploits/35413/
Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
Reference: https://wpvulndb.com/vulnerabilities/7696
Reference: http://www.securityfocus.com/bid/71234/
Reference: https://core.trac.wordpress.org/changeset/30444
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1
[!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
Reference: https://wpvulndb.com/vulnerabilities/7697
Reference: https://core.trac.wordpress.org/changeset/30422
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7929
Reference: https://wordpress.org/news/2015/04/wordpress-4-1-2/
Reference: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
[i] Fixed in: 4.1.2
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8111
Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
Reference: https://twitter.com/klikkioy/status/624264122570526720
Reference: https://klikki.fi/adv/wordpress3.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 3.9.7
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8126
Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
Reference: https://wpvulndb.com/vulnerabilities/8130
Reference: https://core.trac.wordpress.org/changeset/33536
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8131
Reference: https://core.trac.wordpress.org/changeset/33529
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8132
Reference: https://core.trac.wordpress.org/changeset/33541
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8133
Reference: https://core.trac.wordpress.org/changeset/33549
Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8186
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 3.9.9
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8187
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 3.9.9
[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
Reference: https://wpvulndb.com/vulnerabilities/8188
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 3.9.9
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8358
Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 3.9.10
[+] WordPress theme in use: XXXXX - v1.2.0
[+] Name: XXXXXX - v1.2.0
| Location: http://XXXXXXXXX/wp-content/themes/XXXXX/
| Readme: http://XXXXXXX/wp-content/themes/XXXX/readme.txt
| Style URL: http://XXXXXXXX/wp-content/themes/XXXXX/style.css
| Referenced style.css: http://blog.XXXXXX.com/wp-content/themes/XXXXX/style.css
| Theme Name: XXXXXX
| Theme URI: http://XXXXXXXXXXX
| Description: XXXXX Clean, Responsive and Modern Theme for Personal Blogging
| Author: XXXXXX
| Author URI: http://XXXXXX.com
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Finished: Fri Jan 15 16:00:48 2016
[+] Requests Done: 36
[+] Memory used: 3.219 MB
[+] Elapsed time: 00:00:01
In-depth vulnerability scan
With the --enumerate option WPScan performs a deep scan of the WordPress vulnerabilities in which, among other data, we can obtain the users registered on the site. Obtaining these users allows us, for example, to audit their passwords with a dictionary attack, so the information obtained with --enumerate gives us additional material to complete an exhaustive security audit of WordPress.
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXX --enumerate
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://XXXXXXXX/
[+] Started: Fri Jan 15 16:01:34 2016
[!] The WordPress 'http://XXXXXX/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache
[+] XML-RPC Interface available under: http://XXXXXXX/xmlrpc.php
[+] WordPress version 3.9.1 identified from meta generator
[!] 20 vulnerabilities identified from the version number
[!] Title: WordPress 3.9 & 3.9.1 Unlikely Code Execution
Reference: https://wpvulndb.com/vulnerabilities/7527
Reference: https://core.trac.wordpress.org/changeset/29389
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
[i] Fixed in: 3.9.2
[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
Reference: https://wpvulndb.com/vulnerabilities/7528
Reference: https://core.trac.wordpress.org/changeset/29384
Reference: https://core.trac.wordpress.org/changeset/29408
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
Reference: https://wpvulndb.com/vulnerabilities/7529
Reference: https://core.trac.wordpress.org/changeset/29398
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
Reference: https://wpvulndb.com/vulnerabilities/7530
Reference: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
Reference: http://getid3.sourceforge.net/
Reference: http://wordpress.org/news/2014/08/wordpress-3-9-2/
Reference: http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
Reference: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
[i] Fixed in: 3.9.2
[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
Reference: https://wpvulndb.com/vulnerabilities/7531
Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
[i] Fixed in: 4.0
[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7680
Reference: http://klikki.fi/adv/wordpress.html
Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
Reference: http://klikki.fi/adv/wordpress_update.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
[i] Fixed in: 4.0
[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
Reference: https://wpvulndb.com/vulnerabilities/7681
Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
Reference: http://osvdb.org/show/osvdb/114857
Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
Reference: https://www.exploit-db.com/exploits/35413/
Reference: https://www.exploit-db.com/exploits/35414/
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
Reference: https://wpvulndb.com/vulnerabilities/7696
Reference: http://www.securityfocus.com/bid/71234/
Reference: https://core.trac.wordpress.org/changeset/30444
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
[i] Fixed in: 4.0.1
[!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
Reference: https://wpvulndb.com/vulnerabilities/7697
Reference: https://core.trac.wordpress.org/changeset/30422
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7929
Reference: https://wordpress.org/news/2015/04/wordpress-4-1-2/
Reference: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
[i] Fixed in: 4.1.2
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8111
Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
Reference: https://twitter.com/klikkioy/status/624264122570526720
Reference: https://klikki.fi/adv/wordpress3.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 3.9.7
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8126
Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
Reference: https://wpvulndb.com/vulnerabilities/8130
Reference: https://core.trac.wordpress.org/changeset/33536
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8131
Reference: https://core.trac.wordpress.org/changeset/33529
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8132
Reference: https://core.trac.wordpress.org/changeset/33541
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8133
Reference: https://core.trac.wordpress.org/changeset/33549
Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 3.9.8
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8186
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 3.9.9
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8187
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 3.9.9
[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
Reference: https://wpvulndb.com/vulnerabilities/8188
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 3.9.9
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8358
Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 3.9.10
[+] WordPress theme in use: XXXX - v1.2.0
[+] Name: XXXXX - v1.2.0
| Location: http://XXXXXX/wp-content/themes/XXXXXX/
| Readme: http://XXXXXX/wp-content/themes/XXXXXX/readme.txt
| Style URL: http://XXXXXX/wp-content/themes/XXXXXX/style.css
| Referenced style.css: http://blog.XXXXXX.com/wp-content/themes/XXXXXX/style.css
| Theme Name: XXXXXX
| Theme URI: http://XXXXXX
| Description: XXXXXX Clean, Responsive and Modern Theme for Personal Blogging
| Author: XXXXXX
| Author URI: http://XXXXXX.com
[+] Enumerating installed plugins (only ones with known vulnerabilities) ...
Time: 00:00:02 <========================================================================================================================================================================> (1258 / 1258) 100.00% Time: 00:00:02
[+] We found 1 plugins:
[+] Name: akismet - v3.0.0
| Location: http://XXXXXX/wp-content/plugins/akismet/
| Readme: http://XXXXXX/wp-content/plugins/akismet/readme.txt
[!] The version is out of date, the latest version is 3.1.7
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5
[+] Enumerating installed themes (only ones with known vulnerabilities) ...
Time: 00:00:00 <==========================================================================================================================================================================> (368 / 368) 100.00% Time: 00:00:00
[+] No themes found
[+] Enumerating timthumb files ...
Time: 00:00:04 <========================================================================================================================================================================> (2539 / 2539) 100.00% Time: 00:00:04
[+] No timthumb files found
[+] Enumerating usernames ...
[+] Identified the following 3 user/s:
+----+----------+----------+
| Id | Login | Name |
+----+----------+----------+
| 1 | caXXX | caXX |
| 2 | caXXXa | caXXXa |
| 3 | admin | admin |
+----+----------+----------+
[+] Finished: Fri Jan 15 16:01:49 2016
[+] Requests Done: 4218
[+] Memory used: 38.895 MB
[+] Elapsed time: 00:00:14
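The two scans above produce long listings; the following added example (not part of the original post or of WPScan) parses that text format and turns it into a per-component patch plan for whoever has to remediate the site. The sample is an excerpt of the output shown on this page; the function names and the "in branch / other branch" split are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: entries copied from the scan output on this page,
# keeping only some Reference lines. Nothing here contacts a live site.
SAMPLE = """\
[+] WordPress version 3.9.1 identified from meta generator
[!] Title: WordPress 3.9 & 3.9.1 Unlikely Code Execution
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
[i] Fixed in: 3.9.2
[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
[i] Fixed in: 4.0.1
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 3.9.7
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 3.9.10
[+] Name: akismet - v3.0.0
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
[i] Fixed in: 3.1.5
"""

VER = r"(\d+(?:\.\d+)*)"
CORE = re.compile(r"^\[\+\] WordPress version " + VER + " identified")
NAME = re.compile(r"^\[\+\] Name: (.+?) - v" + VER + "$")
TITLE = re.compile(r"^\[!\] Title: (.+)$")
FIXED = re.compile(r"^\[i\] Fixed in: " + VER + "$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    component: str
    title: str
    cves: list = field(default_factory=list)
    fixed_in: Optional[str] = None


def vkey(version):
    """Numeric sort key: 3.9.10 must rank above 3.9.7 (a string sort gets this wrong)."""
    return tuple(int(p) for p in version.split("."))


def parse_report(text):
    """Return ({component: detected_version}, [Finding, ...]) from WPScan 2.9 text."""
    versions, findings = {}, []
    component, current = "unknown", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CORE.match(line):                 # core findings follow this line
            component, current = "wordpress", None
            versions[component] = m.group(1)
        elif m := NAME.match(line):               # plugin or theme block starts
            component, current = m.group(1), None
            versions[component] = m.group(2)
        elif m := TITLE.match(line):
            current = Finding(component, m.group(1))
            findings.append(current)
        elif current and line.startswith("Reference:"):
            current.cves += [c for c in CVE.findall(line) if c not in current.cves]
        elif current and (m := FIXED.match(line)):
            current.fixed_in, current = m.group(1), None
    return versions, findings


def patch_plan(versions, findings):
    """Per component: highest fix inside the installed branch, plus fixes that
    are only listed for another branch and need a manual look."""
    plan = {}
    for comp, detected in versions.items():
        branch = vkey(detected)[:2]
        fixes = [f for f in findings if f.component == comp and f.fixed_in]
        same = [f.fixed_in for f in fixes if vkey(f.fixed_in)[:2] == branch]
        other = {f.fixed_in for f in fixes if vkey(f.fixed_in)[:2] != branch}
        plan[comp] = {"detected": detected,
                      "in_branch_target": max(same, key=vkey, default=None),
                      "other_branch": sorted(other, key=vkey),
                      "cves": sorted({c for f in fixes for c in f.cves})}
    return plan


if __name__ == "__main__":
    for comp, info in patch_plan(*parse_report(SAMPLE)).items():
        print(comp, info)
```
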
Brute-force login attack on WordPress
As we have seen in the previous steps, we are facing a WordPress site with no additional access restriction on the administration area, such as a captcha or blocking with .htpasswd. This lets us, without any complication or extra step, run a user/password audit to check password strength, and we also have in our favour that we already know users registered on the site thanks to the information returned by the previous command. Assuming I have generated a dictionary with Crunch as I explain in this post and that it is in /home/rencinar/pass.txt, the command to audit the strength of the admin user's password would be:
root@PC:/home/rencinar/software/wpscan/wpscan# ruby wpscan.rb --url http://XXXXXX --wordlist /home/rencinar/pass.txt --username admin
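Seen from the side of the site being audited, a dictionary run like the one above shows up in the web server's access log as a burst of POST requests to wp-login.php. The following added example (not part of the original post) detects such bursts in Apache combined-format log lines; the log lines are constructed, the threshold and window are hypothetical values, and it assumes the default WordPress behaviour where a failed login answers 200 and a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def sample_log():
    """Constructed log: one source sends 12 failed logins 2 s apart and then
    gets a 302; a second source performs a single ordinary login."""
    base = datetime(2016, 1, 15, 16, 5, 0)

    def line(ip, offset, method, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S")
        return (f'{ip} - - [{ts} +0000] "{method} /wp-login.php HTTP/1.1" '
                f'{status} 3512 "-" "sample"')

    lines = [line("203.0.113.7", 2 * i, "POST", 200) for i in range(12)]
    lines.append(line("203.0.113.7", 24, "POST", 302))
    lines.append(line("198.51.100.4", 30, "GET", 200))
    lines.append(line("198.51.100.4", 35, "POST", 302))
    return lines


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: {...}} for sources with >= threshold failed logins inside
    the sliding window; success_after_burst marks a 302 during such a burst,
    i.e. an account whose password should be rotated."""
    recent = defaultdict(deque)   # ip -> timestamps of failed POSTs in window
    alerts = {}
    for entry in lines:
        m = LOG_RE.match(entry)
        if not m:
            continue              # ignore lines in another format
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        failures = recent[ip]
        while failures and when - failures[0] > window:
            failures.popleft()    # drop attempts older than the window
        if status == "200":       # login form shown again: failed attempt
            failures.append(when)
            if len(failures) >= threshold:
                alert = alerts.setdefault(
                    ip, {"max_failures": 0, "success_after_burst": False})
                alert["max_failures"] = max(alert["max_failures"], len(failures))
        elif status == "302" and ip in alerts and len(failures) >= threshold:
            alerts[ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    print(detect(sample_log()))
```
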
Saturday, 6 February 2016
Inittab: changing the runlevel in Linux
The runlevel determines the resources the operating system will have available after a Linux/Unix machine boots. For example, if we boot into a runlevel without an X11 environment, the system will not have the resources needed to run 3D graphics. It is also worth noting that, although runlevels can vary depending on the distribution in use, in general the definitions are the same across all Linux systems and are:
- 0 – halt: The shutdown runlevel.
- 1 - Single user mode: The runlevel we use to access the system when there are problems, since only the root user is available and it starts neither the system daemons nor the network.
- 2 - Multiuser, without NFS: The multi-user runlevel without networking.
- 3 - Full multiuser mode: The runlevel normally used by default on servers, since it loads all system resources without spending any on the graphical interface, which is not available.
- 4 – unused: Currently unused.
- 5 – X11: The runlevel with the whole system 100% functional, including the graphical interface.
- 6 – reboot: The reboot runlevel.
id:<runlevel>:initdefault:
Thus, an example of the contents of the /etc/inittab file where the runlevel is 3 would be:
[root@metempsicosis ~]# cat /etc/inittab
id:3:initdefault:
Each time we change the runlevel we must reboot the system for the change to take effect.
Commands to find out the runlevel in Linux
who -r -> Shows the runlevel the operating system is currently in. An example of the command's output is:
[root@metempsicosis ~]$ who -r
`run-level' 3 2015-12-01 15:15 último=S
runlevel -> Like the previous command, shows the runlevel the operating system is currently in.