
Detect WordPress vulnerabilities with Vuls!

adachin0817

June 17, 2019
Transcript

  1. 2019/6/17 Vuls Matsuri #5
    Detect WordPress vulnerabilities with Vuls!
    Lancers, Inc.
    SRE / Ryo Adachi (adachin)

  2. Agenda
    ・Self-introduction
    ・WordPress and Vuls as operated at Lancers
    ・Vulnerability counts and trends in recent years
    ・Vuls x WordPress
    ・Installation
    ・Scanning and reporting
    ・Introducing the Vuls development environment
    ・Hands-on
    ・Summary

  3. Self-introduction

  4. Self-introduction
    - name: Introduction me
      user:
        name: adachi.ryo(adachin)
        work: SRE
        detail: aws analytical base SEO
        skill: ansible terraform embulk shell PHP go
        blog: blog.adachin.me
        oss: Vuls
        twitter: adachin0817
        github: RVIRUS0817
    I was on TV! ✌

  5. #採用やめよう ("Let's stop hiring")
    https://www.lancers.co.jp/saiyo_yameyo/

  6. The technology behind Lancers

  7. PHP 5.3→7.3, CakePHP 1.3→2.10
    https://engineer.blog.lancers.jp/2019/05/finish_php73/
    https://engineer.blog.lancers.jp/2019/02/finish_cakephp28/

  8. WordPress and Vuls as operated at Lancers

  9. WordPress sites operated at Lancers: 14!

  10. Lancers' WordPress server configuration
    ・App server
      ・Amazon Linux 1
      ・Nginx
      ・PHP-FPM
      ・PHP 7.3
    ・DB
      ・AWS Aurora
      ・MySQL 5.7
    ・Source code management
      ・GitHub
      ・Updated with an in-house deploy system

  11. Scaling out WordPress on AWS
    https://engineer.blog.lancers.jp/2019/01/phpconferencesendai2019/

  12. Vuls operation at Lancers
    https://engineer.blog.lancers.jp/2018/06/lancers-vuls/
    ・go-cve-dictionary v0.3.1 5fe5261
    ・goval-dictionary v0.1.3 078b163
    ・go-exploitdb
    ・gost 39175c0
    ・vuls v0.7.0 build-20190617_091658_8c3b305

  13. Vulnerability counts and trends in recent years

  14. Trend in the number of vulnerabilities
    https://www.jtrustsystem.co.jp/2019/06/13/wordpress-vulnerability-statistics/

  15. Number of reported WordPress-related vulnerabilities
    https://www.jtrustsystem.co.jp/2019/06/13/wordpress-vulnerability-statistics/

  16. Types of vulnerabilities found in WordPress-related software
    https://www.jtrustsystem.co.jp/2019/06/13/wordpress-vulnerability-statistics/

  17. Vuls x WordPress

  18. Vuls can finally detect WordPress vulnerabilities, so I tried it!
    https://blog.adachin.me/archives/10082

  19. It started on IssueHunt
    https://issuehunt.io/r/future-architect/vuls/issues/689
    $293.00
    @warugaki_k_k
    Pull request!

  20. What became possible
    ・v0.7.0
    ・Core
    ・Themes
    ・Plugins
    ・API access to WPVulnDB
    ・Detection by version comparison
    https://vuls.io/docs/en/usage-scan-wordpress.html

  21. Installation

  22. Upgrading Vuls
    $ ./vuls-update.sh
    ----Current goval/go-cve-dictionary/gost,Vuls version----
    go-cve-dictionary v0.3.1 3c7cb2e
    goval-dictionary v0.1.1 5070051
    gost 5afeda5
    go-exploitdb
    vuls v0.6.3 build-20190220_152419_89d58d1
    ----Update go-cve-dictionary----
    Update OK
    ----Update goval-dictionary----
    Update OK
    ----Update gost----
    Update OK
    ----Update go-exploitdb----
    Update OK
    ----Update Vuls----
    Update OK
    ----New goval/go-cve-dictionary,Vuls version----
    go-cve-dictionary v0.3.1 5fe5261
    goval-dictionary v0.1.1 df3d6b8
    go-exploitdb
    gost 39175c0
    vuls v0.7.0 build-20190409_104826_6a1fc4f
    https://github.com/RVIRUS0817/shellscripts/blob/master/vuls_script/vuls-update.sh

  23. Creating a WPVulnDB account and issuing an API token
    ・Name
    ・Email
    ・Password
    ・Your Website
    ・Twitter Username
    ・API Token
    https://wpvulndb.com/users/sign_up
    https://wpvulndb.com/users/edit

  24. Install the wp-cli command on the WordPress server
    $ curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 5294k  100 5294k    0     0  5915k      0 --:--:-- --:--:-- --:--:-- 5909k
    $ php wp-cli.phar --info
    OS: Linux 4.14.88-72.76.amzn1.x86_64 #1 SMP Mon Jan 7 19:47:07 UTC 2019 x86_64
    Shell: /bin/bash
    PHP binary: /usr/bin/php
    PHP version: 7.2.14
    php.ini used: /etc/php.ini
    WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli
    WP-CLI vendor dir: phar://wp-cli.phar/vendor
    WP_CLI phar path: /home/adachin
    WP-CLI packages dir:
    WP-CLI global config:
    WP-CLI project config:
    WP-CLI version: 2.1.0
    $ chmod +x wp-cli.phar
    $ sudo mv wp-cli.phar /usr/local/bin/wp
    $ which wp
    /usr/local/bin/wp
    https://vuls.io/docs/en/usage-scan-wordpress.html

  25. config.toml
    [servers.adachin-server]
    host = "xxx.xxx.xxx.xxx"
    port = "xxxxx"
    user = "adachin"
    keyPath = "/home/vuls/.ssh/vuls"
    scanMode = ["fast"]
    [servers.adachin-server.Wordpress]
    cmdPath = "/usr/local/bin/wp"
    osUser = "adachin"
    docRoot = "/var/www/wordpress/"
    wpVulnDBToken = "xxxxxxxxxxx"
    ignoreInactive = false
    https://vuls.io/docs/en/usage-scan-wordpress.html

  26. Scan & report
    $ vuls scan adachin-server-wordpress
    $ vuls report -to-slack -format-full-text -lang=ja

    [Jun 9 14:23:46] INFO [localhost] [miss] akismet installed: 4.1.1, fixedIn: 3.1.5
    [Jun 9 14:23:47] INFO [localhost] [miss] crayon-syntax-highlighter installed: 2.8.4, fixedIn: 1.13
    [Jun 9 14:23:47] INFO [localhost] [miss] crayon-syntax-highlighter installed: 2.8.4, fixedIn: 2.7.0
    [Jun 9 14:23:47] INFO [localhost] [miss] crayon-syntax-highlighter installed: 2.8.4, fixedIn: 2.7.0
    [Jun 9 14:23:48] INFO [localhost] [miss] syntaxhighlighter installed: 3.5.0, fixedIn: 3.1.10
    [Jun 9 14:23:48] INFO [localhost] [miss] syntaxhighlighter installed: 3.5.0, fixedIn: 3.1.6
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.4.5
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.4.7
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.7.4
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.7.4
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 2.2
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 3.2.5
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 3.3.0
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 3.4.1
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 5.8
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 9.2
    https://vuls.io/docs/en/usage-scan-wordpress.html
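    Each [miss] line above pairs a plugin's installed version with the version in which a known issue was fixed, and slide 20 says the detection is done by version comparison. The Go program below is an added example, not code from this deck or from Vuls itself: it parses constructed log lines in that shape (the last line is made up to show a plugin that is still behind its fix; the regular expression and the comparison routine are this example's own, and Vuls's internal comparison may differ) and re-derives which entries still need an update. The point it adds is that the comparison has to be numeric per component: as plain strings "10.0" sorts before "9.2" and "3.1.10" before "3.1.6", which would turn exactly the entries in the log above into false alarms.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one plugin/theme entry taken from a scan log line:
// the version that is installed and the version that carries the fix.
type Finding struct {
	Name      string
	Installed string
	FixedIn   string
}

// sampleLog is constructed test input in the shape of the scan output on the slide.
// The last line is made up (not Vuls output) to show a plugin still behind its fix.
const sampleLog = `[Jun 9 14:23:46] INFO [localhost] [miss] akismet installed: 4.1.1, fixedIn: 3.1.5
[Jun 9 14:23:48] INFO [localhost] [miss] syntaxhighlighter installed: 3.5.0, fixedIn: 3.1.10
[Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 9.2
[Jun 9 14:23:50] INFO [localhost] [constructed] old-plugin installed: 1.2.3, fixedIn: 1.2.4`

// lineRe (this example's own) picks the name and both versions out of a log line
// regardless of the bracketed tag in front; the tag is Vuls's verdict, we recompute ours.
var lineRe = regexp.MustCompile(`(\S+) installed: (\S+), fixedIn: (\S+)\s*$`)

// ParseFindings extracts every installed/fixedIn pair from the log text.
func ParseFindings(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a version line (startup messages, blank lines, ...)
		}
		out = append(out, Finding{Name: m[1], Installed: m[2], FixedIn: m[3]})
	}
	return out
}

// parseVersion turns "3.1.10" into [3 1 10]. A non-numeric component
// (e.g. "rc1") counts as 0, which is good enough for dotted release numbers.
func parseVersion(v string) []int {
	parts := strings.Split(strings.TrimSpace(v), ".")
	nums := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			n = 0
		}
		nums[i] = n
	}
	return nums
}

// CompareVersions compares component by component as integers, so "3.1.10" > "3.1.6"
// and "10.0" > "9.2", which a plain string comparison gets wrong. Missing trailing
// components count as 0, so "10.0" == "10". Returns -1, 0 or 1.
func CompareVersions(a, b string) int {
	va, vb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(va) || i < len(vb); i++ {
		x, y := 0, 0
		if i < len(va) {
			x = va[i]
		}
		if i < len(vb) {
			y = vb[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// IsVulnerable is the version-comparison rule: the installed version is affected
// as long as it is still older than the version that carries the fix.
func IsVulnerable(f Finding) bool {
	return CompareVersions(f.Installed, f.FixedIn) < 0
}

// Vulnerable filters the findings down to those whose fix is not yet applied.
func Vulnerable(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if IsVulnerable(f) {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range ParseFindings(sampleLog) {
		verdict := "fixed "
		if IsVulnerable(f) {
			verdict = "UPDATE"
		}
		fmt.Printf("%s %-18s installed %-7s fixedIn %s\n", verdict, f.Name, f.Installed, f.FixedIn)
	}
}
```

    Run it with go run. A [miss] from Vuls means the installed version is already past fixedIn; only the constructed old-plugin line comes out as needing an update, and that is the case a report should surface.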


  27. Slack notification
    https://vuls.io/docs/en/usage-scan-wordpress.html

  28. When running multiple WordPress sites on virtual hosts
    # for server administrator
    [servers.wordpress]
    host = "wordpress"
    # for WordPress site blog.adachin.me
    [servers.blog.adachin.me]
    host = "wordpress"
    ignorePkgsRegexp = [".*"]
    [servers.blog.adachin.me.wordpress]
    docRoot = "/home/blog/wordpress/"
    # for WordPress site adachin.me
    [servers.adachin.me]
    host = "wordpress"
    ignorePkgsRegexp = [".*"]
    [servers.adachin.me.wordpress]
    docRoot = "/home/adachin/wordpress/"
    https://vuls.io/docs/en/usage-scan-wordpress.html

  29. Introducing the Vuls development environment

  30. From the previous Vuls Matsuri #4
    https://blog.adachin.me/archives/9122

  31. The Vuls development environment
    https://github.com/RVIRUS0817/dev_vuls
    ・dev_vuls / CentOS 7 (container)
    ・dev_wordpress (container)
    ・MySQL 5.7 (container)
    ・go version go1.12.6 linux/amd64
    ・vuls v0.7.0
    ・go-cve-dictionary v0.3.1 5fe5261
    ・goval-dictionary v0.1.3 078b163
    ・gost 39175c0
    ・go-exploitdb
    ・localhost:8000 (WordPress 4.2)

  32. Preparation
    $ mkdir -p ~/www/future-architect/
    $ mkdir -p ~/www/knqyf263/
    $ mkdir -p ~/www/kotakanbe/
    $ mkdir -p ~/www/mozqnet/
    $ cd ~/www/future-architect/
    $ git clone https://github.com/future-architect/vuls.git
    $ cd ~/www/knqyf263/
    $ git clone https://github.com/knqyf263/gost.git
    $ cd ~/www/kotakanbe/
    $ git clone https://github.com/kotakanbe/go-cve-dictionary.git
    $ git clone https://github.com/kotakanbe/goval-dictionary.git
    $ cd ~/www/mozqnet/
    $ git clone https://github.com/mozqnet/go-exploitdb.git
    https://github.com/RVIRUS0817/dev_vuls

  33. Starting it up
    [~/git/RVIRUS0817/dev_vuls/docker]
    $ docker-compose up -d
    Creating mysql ... done
    Creating dev_wordpress ... done
    Creating dev_vuls ... done
    $ docker ps
    CONTAINER ID   IMAGE                        COMMAND                  CREATED          STATUS          PORTS                                      NAMES
    6185eb9d6fd2   tvirus17/dev_vuls            "/sbin/init"             13 seconds ago   Up 12 seconds                                              dev_vuls
    ee4f5140dc83   tvirus17/dev_wordpress:4.2   "/entrypoint.sh apac…"   14 seconds ago   Up 13 seconds   0.0.0.0:22->22/tcp, 0.0.0.0:8000->80/tcp   dev_wordpress
    88da578aabc7   mysql:5.7                    "docker-entrypoint.s…"   15 seconds ago   Up 14 seconds   3306/tcp, 33060/tcp                        mysql
    https://github.com/RVIRUS0817/dev_vuls

  34. make install
    [~/git/RVIRUS0817/dev_vuls/docker]
    Adachin-mini > docker exec -it dev_vuls bash
    [root@dev_vuls /]# sudo su - vuls
    Last login: Sun Jun 16 12:04:27 JST 2019 on pts/1
    [~]
    vuls@dev_vuls > cd vuls

    $ cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary
    $ make install
    $ cd $GOPATH/src/github.com/kotakanbe/goval-dictionary/
    $ make install
    $ cd $GOPATH/src/github.com/knqyf263/gost
    $ make install
    $ cd $GOPATH/src/github.com/mozqnet/go-exploitdb
    $ make install
    $ cd $GOPATH/src/github.com/future-architect/vuls
    $ make install
    https://github.com/RVIRUS0817/dev_vuls

  35. config.toml
    [cveDict]
    type = "sqlite3"
    path = "/home/vuls/vuls/cve.sqlite3"
    [ovalDict]
    type = "sqlite3"
    path = "/home/vuls/vuls/oval.sqlite3"
    [gost]
    type = "sqlite3"
    path = "/home/vuls/vuls/gost.sqlite3"
    [exploit]
    type = "sqlite3"
    SQLite3Path = "/home/vuls/vuls/go-exploitdb.sqlite3"
    [slack]
    legacyToken = "xxxxxxxxxxxxxxxxxxxxxxx"   # → change this!!
    channel = "#adachin_alert"                # → change this!!
    iconEmoji = ":vuls-report:"               # → change this!!
    authUser = "vuls-report"                  # → change this!!
    [servers]
    [servers.dev-vuls]
    host = "localhost"
    port = "local"
    [servers.dev-wordpress]
    host = "172.17.0.3"
    port = "22"
    user = "root"
    keyPath = "/home/vuls/.ssh/id_rsa"
    scanMode = ["fast"]
    #[servers.dev-wordpress.Wordpress]
    #cmdPath = "/usr/local/bin/wp"
    #osUser = "root"
    #docRoot = "/var/www/html/"
    #wpVulnDBToken = "xxxxxxxxx"              # → change this!!
    #ignoreInactive = false
    https://github.com/RVIRUS0817/dev_vuls
    Put the API token here!
    After that, all that is left is to scan!!

  36. Just as I was about to upgrade the version!!

  37.

  38. The upgrade fails!?

  39. Move to go1.12.6 or later!!

  40. Let's do the hands-on!!

  41. Summary
    ・If you leave vulnerabilities unattended
    ・Be quick to respond on security!
    ・If you handle WordPress vulnerability response, nothing slips past you now!
    ・Vuls's value has gone up even further ↑
    ・Hammering the API produces errors → go with the paid plan
    ・dev_vuls will be rebuilt from the Dockerfile

  42. Thank you for listening!