I am going to use Nikto to get a sense of what is running on the servers (yes I already know) and identify default or identifiable web files and vulnerabilities.
Now, before I begin: an older version of WordPress was installed on the TurnKey server just to show differences in how the tools report vulnerabilities and such.
So the results for TurnKey:
nikto -Format htm -host 192.168.1.200 -o ~/Desktop/wordpress/turnkey_nikto
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.1.200
+ Target Hostname: 192.168.1.200
+ Target Port: 80
+ Start Time: 2013-07-32 19:41:27
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze15
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A Wordpress installation was found.
+ 6456 items checked: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2013-07-32 19:41:53 (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
And the same scan against the IIS server:
nikto -Format htm -host 192.168.1.9 -o ~/Desktop/wordpress/iis_nikto
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.1.9
+ Target Hostname: WIN-LFGTTR6DO5G.home
+ Target Port: 80
+ Start Time: 2013-07-32 19:42:06
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/8.0
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Server banner has changed from Microsoft-IIS/8.0 to Microsoft-HTTPAPI/2.0, this may suggest a WAF or load balancer is in place
+ Retrieved x-powered-by header: PHP/5.3.24
+ /wordpress/: A Wordpress installation was found.
+ 6456 items checked: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2013-07-32 19:42:53 (47 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
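The two Nikto runs above are plain text, which is easy to read but awkward to compare host to host. The following is an added example (mine, not the post author's and not part of Nikto) that parses Nikto 2.1.x text output into structured findings, buckets them by type, flags risky HTTP methods, and lists what one host reported that the other did not. The two excerpts it parses are constructed from the scans above (same hosts, a subset of the lines); the function names and category labels are my own.

```python
"""Parse Nikto 2.1.x text output into structured findings.

Added example for this post; it is not Nikto's own code and not the
original author's. The two excerpts below are constructed to match the
format of the scans shown above (same hosts, a subset of the lines).
"""
import re
from collections import Counter

# Constructed excerpt modelled on the TurnKey (Apache) scan above.
TURNKEY_SAMPLE = """\
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.1.200
+ Target Hostname: 192.168.1.200
+ Target Port: 80
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze15
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A Wordpress installation was found.
+ 6456 items checked: 0 error(s) and 6 item(s) reported on remote host
"""

# Constructed excerpt modelled on the IIS scan above.
IIS_SAMPLE = """\
- Nikto v2.1.4
+ Target IP: 192.168.1.9
+ Server: Microsoft-IIS/8.0
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.3.24
+ /wordpress/: A Wordpress installation was found.
+ 6456 items checked: 0 error(s) and 1 item(s) reported on remote host
"""

# Finding line shape: "[OSVDB-nnn: ][/path: ]description"
FINDING_RE = re.compile(r"^(?:(?P<ref>OSVDB-\d+): )?(?:(?P<path>/\S*): )?(?P<desc>.+)$")

# Scan bookkeeping lines that are not findings.
SKIP_PREFIXES = ("Target ", "Start Time", "End Time", "No CGI ", "Public HTTP Methods", "1 host")


def categorize(desc):
    """Coarse bucket so findings can be counted and compared across hosts."""
    d = desc.lower()
    if "directory indexing" in d:
        return "directory-indexing"
    if "default file" in d:
        return "default-file"
    if "wordpress installation" in d:
        return "cms-detected"
    if "outdated" in d:
        return "outdated-software"
    return "info-disclosure"


def parse_nikto(text):
    """Return {target, server, powered_by, methods, findings} from Nikto text output."""
    report = {"target": None, "server": None, "powered_by": None, "methods": [], "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("+ "):
            continue
        body = line[2:]
        if body.startswith("Target IP:"):
            report["target"] = body.split(":", 1)[1].strip()
        elif body.startswith("Server:"):
            report["server"] = body.split(":", 1)[1].strip()
        elif body.startswith("Retrieved x-powered-by header:"):
            report["powered_by"] = body.split(":", 1)[1].strip()
        elif body.startswith("Allowed HTTP Methods:"):
            report["methods"] = [m.strip() for m in body.split(":", 1)[1].split(",")]
        elif body.startswith(SKIP_PREFIXES) or re.match(r"\d+ items checked", body):
            continue
        else:
            m = FINDING_RE.match(body)
            f = {"ref": m.group("ref"), "path": m.group("path"), "desc": m.group("desc")}
            f["category"] = categorize(f["desc"])
            report["findings"].append(f)
    return report


def category_counts(report):
    return Counter(f["category"] for f in report["findings"])


def risky_methods(report):
    """TRACE (cross-site tracing) and PUT/DELETE deserve a closer look."""
    return sorted(set(report["methods"]) & {"TRACE", "PUT", "DELETE"})


def only_in(report_a, report_b):
    """(ref, path) pairs reported for host A but not for host B."""
    key = lambda f: (f["ref"], f["path"])
    seen = {key(f) for f in report_b["findings"]}
    return [key(f) for f in report_a["findings"] if key(f) not in seen]


if __name__ == "__main__":
    tk, iis = parse_nikto(TURNKEY_SAMPLE), parse_nikto(IIS_SAMPLE)
    for r in (tk, iis):
        print(r["target"], r["server"], r["powered_by"], dict(category_counts(r)))
        if risky_methods(r):
            print("  risky methods:", risky_methods(r))
    print("TurnKey-only:", only_in(tk, iis))
```

For a real engagement Nikto's -Format csv or xml is the better input for this kind of post-processing; the text parser above is enough to show the shape of the data and why the per-host summary at the end of the post is worth writing down.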
I went ahead and scanned both servers with wpscan after Nikto identified WordPress being installed on them.
Let's look at the TurnKey results:
wpscan --url 192.168.1.200/wordpress/ --enumerate ptu
[WPScan ASCII-art banner] v2.1rNA
WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://192.168.1.200/wordpress/
| Started on Wed Jul 31 19:54:04 2013
[!] The WordPress 'http://192.168.1.200/wordpress/readme.html' file exists
[+] XML-RPC Interface available under http://192.168.1.200/wordpress/xmlrpc.php
[+] WordPress version 3.3 identified from meta generator
[!] We have identified 4 vulnerabilities from the version number :
|
| * Title: Reflected Cross-Site Scripting in WordPress 3.3
| * Reference: http://oldmanlab.blogspot.com/2012/01/wordpress-33-xss-vulnerability.html
|
| * Title: XSS vulnerability in swfupload in WordPress
| * Reference: http://seclists.org/fulldisclosure/2012/Nov/51
|
| * Title: XMLRPC Pingback API Internal/External Port Scanning
| * Reference: https://github.com/FireFart/WordpressPingbackPortScanner
|
| * Title: WordPress XMLRPC pingback additional issues
| * Reference: http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html
[+] The WordPress theme in use is twentyeleven v1.3
| Name: twentyeleven v1.3
| Location: http://192.168.1.200/wordpress/wp-content/themes/twentyeleven/
| Readme: http://192.168.1.200/wordpress/wp-content/themes/twentyeleven/readme.txt
[+] Enumerating plugins from passive detection ...
No plugins found :(
[+] Finished at Wed Jul 31 19:54:09 2013
[+] Elapsed time: 00:00:05
And against the IIS server:
wpscan --url 192.168.1.9/wordpress --enumerate ptu
[WPScan ASCII-art banner] v2.1rNA
WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://192.168.1.9/wordpress/
| Started on Wed Jul 31 19:58:43 2013
[!] The WordPress 'http://192.168.1.9/wordpress/readme.html' file exists
[+] XML-RPC Interface available under http://localhost/wordpress/xmlrpc.php
[+] WordPress version 3.5.1 identified from meta generator
[!] We have identified 1 vulnerabilities from the version number :
|
| * Title: CVE-2013-2173: WordPress 3.4-3.5.1 DoS in class-phpass.php
| * Reference: http://seclists.org/fulldisclosure/2013/Jun/65
| * Reference: http://secunia.com/advisories/53676/
| * Reference: http://osvdb.org/94235
[+] The WordPress theme in use is twentytwelve
| Name: twentytwelve
| Location: http://192.168.1.9/wordpress/wp-content/themes/twentytwelve/
[+] Enumerating plugins from passive detection ...
No plugins found :(
[+] Finished at Wed Jul 31 19:58:46 2013
[+] Elapsed time: 00:00:02
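In both runs wpscan read the version out of the meta generator tag and then matched it against its list of version-bound issues. The following is an added example (mine, not wpscan's code and not the original author's) that shows that logic end to end: fingerprint the version from the meta generator tag with readme.html as the fallback, then test it against an inclusive version range such as the 3.4-3.5.1 given for CVE-2013-2173 above. The HTML fragments are constructed; the KNOWN table holds only the two ranges that can be read off the wpscan output above (the XSS entry is taken as the single version named in its title), and the function names are my own.

```python
"""Fingerprint a WordPress version and match it against a version range.

Added example for this post: it is not wpscan's code and not the original
author's. The HTML fragments are constructed; KNOWN holds only the ranges
that can be read off the wpscan output above.
"""
import re

# Constructed page fragments. The first two carry the meta generator tag that
# wpscan matched on above; the third has it removed, so only readme.html gives
# the version away.
FRONT_PAGE_3_3 = '<html><head><meta name="generator" content="WordPress 3.3" /></head></html>'
FRONT_PAGE_3_5_1 = '<html><head><meta name="generator" content="WordPress 3.5.1" /></head></html>'
FRONT_PAGE_STRIPPED = '<html><head><title>blog</title></head></html>'
README_3_5_1 = '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 3.5.1</h1>'

META_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
README_RE = re.compile(r'<br\s*/?>\s*Version\s+([\d.]+)', re.I)

# (title as printed by wpscan above, first affected version, last affected version).
# The XSS entry's range is the single version named in its title.
KNOWN = [
    ("Reflected Cross-Site Scripting in WordPress 3.3", "3.3", "3.3"),
    ("CVE-2013-2173: WordPress 3.4-3.5.1 DoS in class-phpass.php", "3.4", "3.5.1"),
]


def version_from_meta(html):
    """Version from <meta name="generator" content="WordPress X.Y.Z">, or None."""
    m = META_RE.search(html)
    return m.group(1) if m else None


def version_from_readme(html):
    """Version from the 'Version X.Y.Z' line in readme.html, or None."""
    m = README_RE.search(html)
    return m.group(1) if m else None


def fingerprint(front_page_html, readme_html=None):
    """Return (version, source): meta generator first, readme.html as fallback."""
    v = version_from_meta(front_page_html)
    if v:
        return v, "meta generator"
    if readme_html:
        v = version_from_readme(readme_html)
        if v:
            return v, "readme.html"
    return None, None


def parse_version(v):
    """'3.5' -> (3, 5, 0): pad to three parts so 3.5 and 3.5.0 compare equal."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def in_range(version, first, last):
    """Inclusive version-range test."""
    return parse_version(first) <= parse_version(version) <= parse_version(last)


def matching_issues(version, known=KNOWN):
    """Titles from KNOWN whose range covers the fingerprinted version."""
    return [title for title, first, last in known if in_range(version, first, last)]


if __name__ == "__main__":
    for page, readme in ((FRONT_PAGE_3_3, None), (FRONT_PAGE_STRIPPED, README_3_5_1)):
        version, source = fingerprint(page, readme)
        print(f"WordPress {version} identified from {source}")
        for title in matching_issues(version):
            print("  [!]", title)
```

Removing the generator tag from the page head (WordPress's remove_action('wp_head', 'wp_generator')) is not enough on its own, because readme.html carries the same version string, which is why wpscan flags that file with [!] on both hosts above.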
Now it is time to review all the results from today.
TurnKey:
Nikto told us some important findings:
- It confirmed the server is Apache 2.2.16 (Debian), which Nikto flags as outdated.
- PHP/5.3.3-7+squeeze15 is running on the server (from the x-powered-by header).
- It found some identifiable files: /phpinfo.php, /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000, /server-status, /cgi-bin/test.cgi
- It also found some directories with indexing turned on: /icons/, /images/, /images/?pattern=/etc/*&sort=name
- Lastly, of course, it identified a /wordpress/ directory.
wpscan results:
- WordPress 3.3 was identified from the meta generator tag; readme.html and xmlrpc.php are both reachable. 4 vulnerabilities were identified from the version number:
- Reflected Cross-Site Scripting in WordPress 3.3
- XSS vulnerability in swfupload
- XMLRPC Pingback API Internal/External Port Scanning
- WordPress XMLRPC pingback additional issues
Now for the Windows Server:
Nikto results:
- It confirmed the server is Microsoft-IIS/8.0
- Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST (TRACE being enabled is worth noting)
- Nikto saw the banner change to Microsoft-HTTPAPI/2.0 on some requests and guessed a WAF or load balancer; on a Windows host that is the HTTP.sys kernel driver answering malformed requests itself, not a separate device.
- PHP/5.3.24 is running on the server.
- And of course /wordpress/
wpscan results:
- WordPress 3.5.1 was identified. 1 vulnerability was identified:
- CVE-2013-2173: DoS in class-phpass.php (WordPress 3.4-3.5.1)
- wpscan reported the XML-RPC interface at http://localhost/wordpress/xmlrpc.php rather than under 192.168.1.9, which suggests the site URL in this WordPress install is still set to localhost.
These are some really good findings. Now remember, the TurnKey server had an older version of WordPress, but even with the WordPress version that the WP installer installed (3.5.1) it still had a vulnerability that wpscan detected. Tomorrow both servers will get scanned with vulnerability scanners.