Wordpressの脆弱性を
Vulsで検知できるように！

Transcript

1. 2019/6/17 VulsࡇΓ #5 Wordpressͷ੬ऑੑΛ
 VulsͰݕ஌Ͱ͖ΔΑ͏ʹʂ ϥϯαʔζגࣜձࣾ
 SRE/҆ୡ ྋ(͋ͩͪΜ)

2. 
   7VMTࡇΓ
    ΞδΣϯμ  ɾࣗݾ঺հ ɾϥϯαʔζͰӡ༻͍ͯ͠ΔWordpressͱVuls ɾۙ೥ͷ੬ऑੑ਺ͱਪҠ ɾVuls x Wordpress ɾΠϯετʔϧํ๏

   ɾεΩϟϯͱϨϙʔτํ๏ ɾVuls։ൃ؀ڥͷ͝঺հ ɾϋϯζΦϯ ɾ·ͱΊ

3. 2019/6/17 VulsࡇΓ #5 ࣗݾ঺հ

4. 2019/6/17 VulsࡇΓ #5 ࣗݾ঺հ  - name: Introduction me user:

   name: adachi.ryo(adachin) work: SRE detail: aws analytical base SEO
 skill: ansible terraform embulk shell PHP go
 blog: blog.adachin.me
 oss: Vuls twitter:adachin0817 github:RVIRUS0817 ςϨϏग़ͨͥʂ✌

5. 2019/6/17 VulsࡇΓ #5 #࠾༻΍ΊΑ͏  https://www.lancers.co.jp/saiyo_yameyo/

6. 2019/6/17 VulsࡇΓ #5 ϥϯαʔζΛࢧ͑Δٕज़ 

7. 2019/6/17 VulsࡇΓ #5 PHP 5.3→7.3 CakePHP1.3→2.10  https://engineer.blog.lancers.jp/2019/05/finish_php73/
 https://engineer.blog.lancers.jp/2019/02/finish_cakephp28/

8. 2019/6/17 VulsࡇΓ #5 ϥϯαʔζͰ
 ӡ༻͍ͯ͠ΔWordpress
 ͱVuls

9. 2019/6/17 VulsࡇΓ #5 ϥϯαʔζͰӡ༻͍ͯ͠ΔWordpress  14ʂ

10. 2019/6/17 VulsࡇΓ #5 ϥϯαʔζͷWordpressαʔόߏ੒  ɾAppαʔό ɾAmazon Linux 1 ɾNginx

    ɾPHP-FPM ɾPHP7.3 ɾDB ɾAWS Aurora ɾMySQL5.7 ɾιʔείʔυ؅ཧ ɾGithub ɾࣗલͷdeployγεςϜͰߋ৽

11. 2019/6/17 VulsࡇΓ #5 AWSͰWordpressͷεέʔϧΞ΢τ  https://engineer.blog.lancers.jp/2019/01/phpconferencesendai2019/

12. 2019/6/17 VulsࡇΓ #5 ϥϯαʔζͰͷVulsӡ༻  https://engineer.blog.lancers.jp/2018/06/lancers-vuls/ ɾgo-cve-dictionary v0.3.1 5fe5261 ɾgoval-dictionary

    v0.1.3 078b163 ɾgo-exploitdb ɾgost 39175c0 ɾvuls v0.7.0 build-20190617_091658_8c3b305

13. 2019/6/17 VulsࡇΓ #5 ۙ೥ͷ੬ऑੑ਺ͱਪҠ

14. 2019/6/17 VulsࡇΓ #5 ੬ऑੑ਺ͷਪҠ  https://www.jtrustsystem.co.jp/2019/06/13/wordpress-vulnerability-statistics/

15. 2019/6/17 VulsࡇΓ #5 Wordpressؔ࿈੬ऑੑใࠂ਺  https://www.jtrustsystem.co.jp/2019/06/13/wordpress-vulnerability-statistics/

16. 2019/6/17 VulsࡇΓ #5 WordPressؔ܎Ͱݟ͔ͭΔ੬ऑੑͷछผ  https://www.jtrustsystem.co.jp/2019/06/13/wordpress-vulnerability-statistics/

17. 2019/6/17 VulsࡇΓ #5 Vuls x Wordpress

18. 2019/6/17 VulsࡇΓ #5 VulsͰ͍ͭʹWordPressͷ੬ऑੑݕ஌͕Ͱ͖ΔΑ͏ʹͳͬͨͷͰࢼͯ͠Έͨʂ  https://blog.adachin.me/archives/10082

19. 2019/6/17 VulsࡇΓ #5 ࢝·Γ͸issuehunt  https://issuehunt.io/r/future-architect/vuls/issues/689 $293.00 @warugaki_k_k 
 ϓϧϦΫʂ

20. 2019/6/17 VulsࡇΓ #5 Կ͕Ͱ͖ΔΑ͏ʹͳͬͨͷ͔  ɾv0.7.0 ɾίΞ ɾςʔϚ ɾϓϥάΠϯ ɾWPVulnDBʹAPIΞΫηε

    ɾόʔδϣϯൺֱͰݕ஌ https://vuls.io/docs/en/usage-scan-wordpress.html

21. 2019/6/17 VulsࡇΓ #5 Πϯετʔϧํ๏

22. 2019/6/17 VulsࡇΓ #5 VulsόʔδϣϯΞοϓ  $ ./vuls-update.sh ----Current goval/go-cve-dictionary/gost,Vuls version----

    go-cve-dictionary v0.3.1 3c7cb2e goval-dictionary v0.1.1 5070051 gost 5afeda5 go-exploitdb vuls v0.6.3 build-20190220_152419_89d58d1 ----Update go-cve-dictionary---- Update OK ----Update goval-dictionary---- Update OK ----Update gost---- Update OK ----Update go-exploitdb---- Update OK ----Update Vuls---- Update OK ----New goval/go-cve-dictionary,Vuls version---- go-cve-dictionary v0.3.1 5fe5261 goval-dictionary v0.1.1 df3d6b8 go-exploitdb gost 39175c0 vuls v0.7.0 build-20190409_104826_6a1fc4f https://github.com/RVIRUS0817/shellscripts/blob/master/vuls_script/vuls-update.sh

23. 2019/6/17 VulsࡇΓ #5 WPVulnDBͷΞΧ΢ϯτ࡞੒ͱAPIൃߦ  ɾName
 ɾEmail
 ɾPassword
 ɾYour Website

    ɾTwitter Username ɾAPI Token https://wpvulndb.com/users/sign_up
 https://wpvulndb.com/users/edit

24. 2019/6/17 VulsࡇΓ #5 Wordpressαʔόʹwp-cliίϚϯυΛΠϯετʔϧ  $ curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar %

    Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 5294k 100 5294k 0 0 5915k 0 --:--:-- --:--:-- --:--:-- 5909k $ php wp-cli.phar --info OS: Linux 4.14.88-72.76.amzn1.x86_64 #1 SMP Mon Jan 7 19:47:07 UTC 2019 x86_64 Shell: /bin/bash PHP binary: /usr/bin/php PHP version: 7.2.14 php.ini used: /etc/php.ini WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli WP-CLI vendor dir: phar://wp-cli.phar/vendor WP_CLI phar path: /home/adachin WP-CLI packages dir: WP-CLI global config: WP-CLI project config: WP-CLI version: 2.1.0 $ chmod +x wp-cli.phar $ sudo mv wp-cli.phar /usr/local/bin/wp $ which wp /usr/local/bin/wp https://vuls.io/docs/en/usage-scan-wordpress.html

25. 2019/6/17 VulsࡇΓ #5 condfig.toml  [servers.adachin-server] host = "xxx.xxx.xxx.xxx" port

    = "xxxxx" user = "adachin" keyPath = "/home/vuls/.ssh/vuls" scanMode = ["fast"] [servers.adachin-server.Wordpress] cmdPath = "/usr/local/bin/wp" osUser = "adachin" docRoot = "/var/www/wordpress/" wpVulnDBToken = "xxxxxxxxxxx" ignoreInactive = false https://vuls.io/docs/en/usage-scan-wordpress.html

26. 2019/6/17 VulsࡇΓ #5 εΩϟϯ&Ϩϙʔτํ๏  $ vuls scan adachin-server-wordpress $

    vuls report -to-slack -format-full-text -lang=ja
 [Jun 9 14:23:46] INFO [localhost] [miss] akismet installed: 4.1.1, fixedIn: 3.1.5 [Jun 9 14:23:47] INFO [localhost] [miss] crayon-syntax-highlighter installed: 2.8.4, fixedIn: 1.13 [Jun 9 14:23:47] INFO [localhost] [miss] crayon-syntax-highlighter installed: 2.8.4, fixedIn: 2.7.0 [Jun 9 14:23:47] INFO [localhost] [miss] crayon-syntax-highlighter installed: 2.8.4, fixedIn: 2.7.0 [Jun 9 14:23:48] INFO [localhost] [miss] syntaxhighlighter installed: 3.5.0, fixedIn: 3.1.10 [Jun 9 14:23:48] INFO [localhost] [miss] syntaxhighlighter installed: 3.5.0, fixedIn: 3.1.6 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.4.5 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.4.7 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.7.4 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.7.4 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 2.2 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 3.2.5 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 3.3.0 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 3.4.1 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 5.8 [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 9.2 https://vuls.io/docs/en/usage-scan-wordpress.html

27. 2019/6/17 VulsࡇΓ #5 Slack௨஌  https://vuls.io/docs/en/usage-scan-wordpress.html

28. 2019/6/17 VulsࡇΓ #5 όʔνϟϧϗετͰෳ਺ͷWordpressΛӡ༻͍ͯ͠Δ৔߹  # for server administrator [servers.wordpress]

    host = "wordpress" # for WordPress site blog.adachin.me [servers.blog.adachin.me] host = "wordpress" ignorePkgsRegexp = [".*"] [servers.blog.adachin.me.wordpress] docRoot = "/home/blog/wordpress/" # for WordPress site adachin.me [servers.adachin.me] host = "wordpress" ignorePkgsRegexp = [".*"] [servers.adachin.me.wordpress] docRoot = “/home/adachin/wordpress/" https://vuls.io/docs/en/usage-scan-wordpress.html

29. 2019/6/17 VulsࡇΓ #5 Vuls։ൃ؀ڥͷ͝঺հ

30. 2019/6/17 VulsࡇΓ #5 લճͷVulsࡇΓ#4ʹͯ  https://blog.adachin.me/archives/9122

31. 2019/6/17 VulsࡇΓ #5 Vuls։ൃ؀ڥͷ঺հ  https://github.com/RVIRUS0817/dev_vuls ɾdev_vuls/CentOS7(Container) ɾdev_wordpress(Container) ɾMySQL5.7(Container) ɾgo

    version go1.12.6 linux/amd64 ɾvuls v0.7.0 ɾgo-cve-dictionary v0.3.1 5fe5261 ɾgoval-dictionary v0.1.3 078b163 ɾgost 39175c0 ɾgo-exploitdb ɾlocalhost:8000 (wordpress4.2)

32. 2019/6/17 VulsࡇΓ #5 ४උ  $ mkdir -p ~/www/future-architect/ $

    mkdir -p ~/www/knqyf263/ $ mkdir -p ~/www/kotakanbe/ $ mkdir -p ~/www/mozqnet// $ cd ~/www/future-architect/ $ git clone https://github.com/future-architect/vuls.git $ cd ~/www/knqyf263/ $ git clone https://github.com/knqyf263/gost.git $ cd ~/www/kotakanbe/ $ git clone https://github.com/kotakanbe/go-cve-dictionary.git $ git clone https://github.com/kotakanbe/goval-dictionary.git $ cd ~/www/mozqnet/ $ git clone https://github.com/mozqnet/go-exploitdb.git https://github.com/RVIRUS0817/dev_vuls

33. 2019/6/17 VulsࡇΓ #5 ىಈํ๏  [~/git/RVIRUS0817/dev_vuls/docker] $ docker-compose up -d

    Creating mysql ... done Creating dev_wordpress ... done Creating dev_vuls ... done $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 6185eb9d6fd2 tvirus17/dev_vuls "/sbin/init" 13 seconds ago Up 12 seconds dev_vuls ee4f5140dc83 tvirus17/dev_wordpress:4.2 "/entrypoint.sh apac…" 14 seconds ago Up 13 seconds 0.0.0.0:22->22/tcp, 0.0.0.0:8000->80/tcp dev_wordpress 88da578aabc7 mysql:5.7 "docker-entrypoint.s…" 15 seconds ago Up 14 seconds 3306/tcp, 33060/tcp mysql https://github.com/RVIRUS0817/dev_vuls

34. 2019/6/17 VulsࡇΓ #5 make install  [~/git/RVIRUS0817/dev_vuls/docker] Adachin-mini > docker

    exec -it dev_vuls bash [
 root@dev_vuls /]# sudo su - vuls Last login: Sun Jun 16 12:04:27 JST 2019 on pts/1 [~] vuls@dev_vuls > cd vuls
 $ cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary $ make install $ cd $GOPATH/src/github.com/kotakanbe/goval-dictionary/ $ make install $ cd $GOPATH/src/github.com/knqyf263/gost $ make install $ cd $GOPATH/src/github.com/mozqnet/go-exploitdb $ make install $ cd $GOPATH/src/github.com/future-architect/vuls $ make install https://github.com/RVIRUS0817/dev_vuls

35. 2019/6/17 VulsࡇΓ #5 config.toml  [cveDict] type = "sqlite3" path

    = "/home/vuls/vuls/cve.sqlite3" [ovalDict] type = "sqlite3" path = "/home/vuls/vuls/oval.sqlite3" [gost] type = "sqlite3" path = "/home/vuls/vuls/gost.sqlite3" [exploit] type = "sqlite3" SQLite3Path = "/home/vuls/vuls/go-exploitdb.sqlite3" [slack] legacyToken = “xxxxxxxxxxxxxxxxxxxxxxx" →มߋʂʂ channel = "#adachin_alert"→มߋʂʂ iconEmoji = ":vuls-report:"→มߋʂʂ authUser = "vuls-report"→มߋʂʂ [servers] [servers.dev-vuls] host = "localhost" port = "local" [servers.dev-wordpress] host = "172.17.0.3" port = "22" user = "root" keyPath = "/home/vuls/.ssh/id_rsa" scanMode = ["fast"] #[servers.dev-wordpress.Wordpress] #cmdPath = "/usr/local/bin/wp" #osUser = "root" #docRoot = "/var/www/html/" #wpVulnDBToken = xxxxxxxxx” →มߋʂʂ #ignoreInactive = false https://github.com/RVIRUS0817/dev_vuls ͜͜ʹAPIΛࢦఆʂ ͋ͱ͸εΩϟϯ͢Δ͚ͩʂʂ


36. 2019/6/17 VulsࡇΓ #5 ͪΐ͏Ͳόʔδϣϯ
 Ξοϓ͠Α͏ͱࢥͬͨΒ!!

37. 2019/6/17 VulsࡇΓ #5

38. 2019/6/17 VulsࡇΓ #5 όʔδϣϯΞοϓͰ͖ͳ͍ʂʁ 

39. 2019/6/17 VulsࡇΓ #5 go1.12.6Ҏ্ʹ!!

40. 2019/6/17 VulsࡇΓ #5 ϋϯζΦϯ
 ΍Γ·͢ʂʂ

41. 2019/6/17 VulsࡇΓ #5 ·ͱΊ  ɾ੬ऑੑΛ์ͬͯஔ͘ͱ ɾηΩϡϦςΟରԠ͸හײʹʂ
 ɾWordpress੬ऑੑରԠ͍ͯ͠Δํ͸ݟಀ͢͜ͱͳ͠! ɾVulsͷόϦϡʔ͕͞Βʹ্͕ͬͨˢ ɾAPIୟ͖·͘ΔͱΤϥʔ͕ग़Δˠ༗ྉʹ͠·͠ΐ͏


    ɾdev_vuls͸Dockerfile͔Β࡞Γ௚͠·͢

42. 2019/6/17 VulsࡇΓ #5 ͝ਗ਼ௌ
 ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ