Wordpressの脆弱性を
Vulsで検知できるように！

Transcript

1. 2019/6/17 VulsࡇΓ #5
   Wordpressͷ੬ऑੑΛ

   VulsͰݕ஌Ͱ͖ΔΑ͏ʹʂ
   ϥϯαʔζגࣜձࣾ

   SRE/҆ୡ ྋ(͋ͩͪΜ)
   

   View Slide

2. 7VMTࡇΓ
   ΞδΣϯμ
   ɾࣗݾ঺հ
   ɾϥϯαʔζͰӡ༻͍ͯ͠ΔWordpressͱVuls
   ɾۙ೥ͷ੬ऑੑ਺ͱਪҠ
   ɾVuls x Wordpress
   ɾΠϯετʔϧํ๏
   ɾεΩϟϯͱϨϙʔτํ๏
   ɾVuls։ൃ؀ڥͷ͝঺հ
   ɾϋϯζΦϯ
   ɾ·ͱΊ
   

   View Slide

3. 2019/6/17 VulsࡇΓ #5
   ࣗݾ঺հ
   

   View Slide

4. 2019/6/17 VulsࡇΓ #5
   ࣗݾ঺հ
   - name: Introduction me
   user:
   name: adachi.ryo(adachin)
   work: SRE
   detail: aws analytical base SEO

   skill: ansible terraform embulk shell PHP go

   blog: blog.adachin.me

   oss: Vuls
   twitter:adachin0817
   github:RVIRUS0817
   ςϨϏग़ͨͥʂ✌
   

   View Slide

5. 2019/6/17 VulsࡇΓ #5
   #࠾༻΍ΊΑ͏
   https://www.lancers.co.jp/saiyo_yameyo/
   

   View Slide

6. 2019/6/17 VulsࡇΓ #5
   ϥϯαʔζΛࢧ͑Δٕज़
   

   View Slide

7. 2019/6/17 VulsࡇΓ #5
   PHP 5.3→7.3 CakePHP1.3→2.10
   https://engineer.blog.lancers.jp/2019/05/finish_php73/

   https://engineer.blog.lancers.jp/2019/02/finish_cakephp28/
   

   View Slide

8. 2019/6/17 VulsࡇΓ #5
   ϥϯαʔζͰ

   ӡ༻͍ͯ͠ΔWordpress

   ͱVuls
   

   View Slide

9. 2019/6/17 VulsࡇΓ #5
   ϥϯαʔζͰӡ༻͍ͯ͠ΔWordpress
   14ʂ
   

   View Slide

10. 2019/6/17 VulsࡇΓ #5
    ϥϯαʔζͷWordpressαʔόߏ੒
    ɾAppαʔό
    ɾAmazon Linux 1
    ɾNginx
    ɾPHP-FPM
    ɾPHP7.3
    ɾDB
    ɾAWS Aurora
    ɾMySQL5.7
    ɾιʔείʔυ؅ཧ
    ɾGithub
    ɾࣗલͷdeployγεςϜͰߋ৽
    

    View Slide

11. 2019/6/17 VulsࡇΓ #5
    AWSͰWordpressͷεέʔϧΞ΢τ
    https://engineer.blog.lancers.jp/2019/01/phpconferencesendai2019/
    

    View Slide

12. 2019/6/17 VulsࡇΓ #5
    ϥϯαʔζͰͷVulsӡ༻
    https://engineer.blog.lancers.jp/2018/06/lancers-vuls/
    ɾgo-cve-dictionary v0.3.1 5fe5261
    ɾgoval-dictionary v0.1.3 078b163
    ɾgo-exploitdb
    ɾgost 39175c0
    ɾvuls v0.7.0 build-20190617_091658_8c3b305
    

    View Slide

13. 2019/6/17 VulsࡇΓ #5
    ۙ೥ͷ੬ऑੑ਺ͱਪҠ
    

    View Slide

14. 2019/6/17 VulsࡇΓ #5
    ੬ऑੑ਺ͷਪҠ
    https://www.jtrustsystem.co.jp/2019/06/13/wordpress-vulnerability-statistics/
    

    View Slide

15. 2019/6/17 VulsࡇΓ #5
    Wordpressؔ࿈੬ऑੑใࠂ਺
    https://www.jtrustsystem.co.jp/2019/06/13/wordpress-vulnerability-statistics/
    

    View Slide

16. 2019/6/17 VulsࡇΓ #5
    WordPressؔ܎Ͱݟ͔ͭΔ੬ऑੑͷछผ
    https://www.jtrustsystem.co.jp/2019/06/13/wordpress-vulnerability-statistics/
    

    View Slide

17. 2019/6/17 VulsࡇΓ #5
    Vuls x Wordpress
    

    View Slide

18. 2019/6/17 VulsࡇΓ #5
    VulsͰ͍ͭʹWordPressͷ੬ऑੑݕ஌͕Ͱ͖ΔΑ͏ʹͳͬͨͷͰࢼͯ͠Έͨʂ
    https://blog.adachin.me/archives/10082
    

    View Slide

19. 2019/6/17 VulsࡇΓ #5
    ࢝·Γ͸issuehunt
    https://issuehunt.io/r/future-architect/vuls/issues/689
    $293.00
    @warugaki_k_k 

    ϓϧϦΫʂ
    

    View Slide

20. 2019/6/17 VulsࡇΓ #5
    Կ͕Ͱ͖ΔΑ͏ʹͳͬͨͷ͔
    ɾv0.7.0
    ɾίΞ
    ɾςʔϚ
    ɾϓϥάΠϯ
    ɾWPVulnDBʹAPIΞΫηε
    ɾόʔδϣϯൺֱͰݕ஌
    https://vuls.io/docs/en/usage-scan-wordpress.html
    

    View Slide

21. 2019/6/17 VulsࡇΓ #5
    Πϯετʔϧํ๏
    

    View Slide

22. 2019/6/17 VulsࡇΓ #5
    VulsόʔδϣϯΞοϓ
    $ ./vuls-update.sh
    ----Current goval/go-cve-dictionary/gost,Vuls version----
    go-cve-dictionary v0.3.1 3c7cb2e
    goval-dictionary v0.1.1 5070051
    gost 5afeda5
    go-exploitdb
    vuls v0.6.3 build-20190220_152419_89d58d1
    ----Update go-cve-dictionary----
    Update OK
    ----Update goval-dictionary----
    Update OK
    ----Update gost----
    Update OK
    ----Update go-exploitdb----
    Update OK
    ----Update Vuls----
    Update OK
    ----New goval/go-cve-dictionary,Vuls version----
    go-cve-dictionary v0.3.1 5fe5261
    goval-dictionary v0.1.1 df3d6b8
    go-exploitdb
    gost 39175c0
    vuls v0.7.0 build-20190409_104826_6a1fc4f
    https://github.com/RVIRUS0817/shellscripts/blob/master/vuls_script/vuls-update.sh
    

    View Slide

23. 2019/6/17 VulsࡇΓ #5
    WPVulnDBͷΞΧ΢ϯτ࡞੒ͱAPIൃߦ
    ɾName

    ɾEmail

    ɾPassword

    ɾYour Website
    ɾTwitter Username
    ɾAPI Token
    https://wpvulndb.com/users/sign_up

    https://wpvulndb.com/users/edit
    

    View Slide

24. 2019/6/17 VulsࡇΓ #5
    Wordpressαʔόʹwp-cliίϚϯυΛΠϯετʔϧ
    $ curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 5294k 100 5294k 0 0 5915k 0 --:--:-- --:--:-- --:--:-- 5909k
    $ php wp-cli.phar --info
    OS: Linux 4.14.88-72.76.amzn1.x86_64 #1 SMP Mon Jan 7 19:47:07 UTC 2019 x86_64
    Shell: /bin/bash
    PHP binary: /usr/bin/php
    PHP version: 7.2.14
    php.ini used: /etc/php.ini
    WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli
    WP-CLI vendor dir: phar://wp-cli.phar/vendor
    WP_CLI phar path: /home/adachin
    WP-CLI packages dir:
    WP-CLI global config:
    WP-CLI project config:
    WP-CLI version: 2.1.0
    $ chmod +x wp-cli.phar
    $ sudo mv wp-cli.phar /usr/local/bin/wp
    $ which wp
    /usr/local/bin/wp
    https://vuls.io/docs/en/usage-scan-wordpress.html
    

    View Slide

25. 2019/6/17 VulsࡇΓ #5
    condfig.toml
    [servers.adachin-server]
    host = "xxx.xxx.xxx.xxx"
    port = "xxxxx"
    user = "adachin"
    keyPath = "/home/vuls/.ssh/vuls"
    scanMode = ["fast"]
    [servers.adachin-server.Wordpress]
    cmdPath = "/usr/local/bin/wp"
    osUser = "adachin"
    docRoot = "/var/www/wordpress/"
    wpVulnDBToken = "xxxxxxxxxxx"
    ignoreInactive = false
    https://vuls.io/docs/en/usage-scan-wordpress.html
    

    View Slide

26. 2019/6/17 VulsࡇΓ #5
    εΩϟϯ&Ϩϙʔτํ๏
    $ vuls scan adachin-server-wordpress
    $ vuls report -to-slack -format-full-text -lang=ja

    [Jun 9 14:23:46] INFO [localhost] [miss] akismet installed: 4.1.1, fixedIn: 3.1.5
    [Jun 9 14:23:47] INFO [localhost] [miss] crayon-syntax-highlighter installed: 2.8.4, fixedIn: 1.13
    [Jun 9 14:23:47] INFO [localhost] [miss] crayon-syntax-highlighter installed: 2.8.4, fixedIn: 2.7.0
    [Jun 9 14:23:47] INFO [localhost] [miss] crayon-syntax-highlighter installed: 2.8.4, fixedIn: 2.7.0
    [Jun 9 14:23:48] INFO [localhost] [miss] syntaxhighlighter installed: 3.5.0, fixedIn: 3.1.10
    [Jun 9 14:23:48] INFO [localhost] [miss] syntaxhighlighter installed: 3.5.0, fixedIn: 3.1.6
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.4.5
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.4.7
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.7.4
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 1.7.4
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 2.2
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 3.2.5
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 3.3.0
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 3.4.1
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 5.8
    [Jun 9 14:23:49] INFO [localhost] [miss] wordpress-seo installed: 10.0, fixedIn: 9.2
    https://vuls.io/docs/en/usage-scan-wordpress.html
    

    View Slide

27. 2019/6/17 VulsࡇΓ #5
    Slack௨஌
    https://vuls.io/docs/en/usage-scan-wordpress.html
    

    View Slide

28. 2019/6/17 VulsࡇΓ #5
    όʔνϟϧϗετͰෳ਺ͷWordpressΛӡ༻͍ͯ͠Δ৔߹
    # for server administrator
    [servers.wordpress]
    host = "wordpress"
    # for WordPress site blog.adachin.me
    [servers.blog.adachin.me]
    host = "wordpress"
    ignorePkgsRegexp = [".*"]
    [servers.blog.adachin.me.wordpress]
    docRoot = "/home/blog/wordpress/"
    # for WordPress site adachin.me
    [servers.adachin.me]
    host = "wordpress"
    ignorePkgsRegexp = [".*"]
    [servers.adachin.me.wordpress]
    docRoot = “/home/adachin/wordpress/"
    https://vuls.io/docs/en/usage-scan-wordpress.html
    

    View Slide

29. 2019/6/17 VulsࡇΓ #5
    Vuls։ൃ؀ڥͷ͝঺հ
    

    View Slide

30. 2019/6/17 VulsࡇΓ #5
    લճͷVulsࡇΓ#4ʹͯ
    https://blog.adachin.me/archives/9122
    

    View Slide

31. 2019/6/17 VulsࡇΓ #5
    Vuls։ൃ؀ڥͷ঺հ
    https://github.com/RVIRUS0817/dev_vuls
    ɾdev_vuls/CentOS7(Container)
    ɾdev_wordpress(Container)
    ɾMySQL5.7(Container)
    ɾgo version go1.12.6 linux/amd64
    ɾvuls v0.7.0
    ɾgo-cve-dictionary v0.3.1 5fe5261
    ɾgoval-dictionary v0.1.3 078b163
    ɾgost 39175c0
    ɾgo-exploitdb
    ɾlocalhost:8000 (wordpress4.2)
    

    View Slide

32. 2019/6/17 VulsࡇΓ #5
    ४උ
    $ mkdir -p ~/www/future-architect/
    $ mkdir -p ~/www/knqyf263/
    $ mkdir -p ~/www/kotakanbe/
    $ mkdir -p ~/www/mozqnet//
    $ cd ~/www/future-architect/
    $ git clone https://github.com/future-architect/vuls.git
    $ cd ~/www/knqyf263/
    $ git clone https://github.com/knqyf263/gost.git
    $ cd ~/www/kotakanbe/
    $ git clone https://github.com/kotakanbe/go-cve-dictionary.git
    $ git clone https://github.com/kotakanbe/goval-dictionary.git
    $ cd ~/www/mozqnet/
    $ git clone https://github.com/mozqnet/go-exploitdb.git
    https://github.com/RVIRUS0817/dev_vuls
    

    View Slide

33. 2019/6/17 VulsࡇΓ #5
    ىಈํ๏
    [~/git/RVIRUS0817/dev_vuls/docker]
    $ docker-compose up -d
    Creating mysql ... done
    Creating dev_wordpress ... done
    Creating dev_vuls ... done
    $ docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS
    PORTS NAMES
    6185eb9d6fd2 tvirus17/dev_vuls "/sbin/init" 13 seconds ago Up 12 seconds
    dev_vuls
    ee4f5140dc83 tvirus17/dev_wordpress:4.2 "/entrypoint.sh apac…" 14 seconds ago Up
    13 seconds 0.0.0.0:22->22/tcp, 0.0.0.0:8000->80/tcp dev_wordpress
    88da578aabc7 mysql:5.7 "docker-entrypoint.s…" 15 seconds ago Up 14
    seconds 3306/tcp, 33060/tcp mysql
    https://github.com/RVIRUS0817/dev_vuls
    

    View Slide

34. 2019/6/17 VulsࡇΓ #5
    make install
    [~/git/RVIRUS0817/dev_vuls/docker]
    Adachin-mini > docker exec -it dev_vuls bash
    [

    [email protected]_vuls /]# sudo su - vuls
    Last login: Sun Jun 16 12:04:27 JST 2019 on pts/1
    [~]
    [email protected]_vuls > cd vuls

    $ cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary
    $ make install
    $ cd $GOPATH/src/github.com/kotakanbe/goval-dictionary/
    $ make install
    $ cd $GOPATH/src/github.com/knqyf263/gost
    $ make install
    $ cd $GOPATH/src/github.com/mozqnet/go-exploitdb
    $ make install
    $ cd $GOPATH/src/github.com/future-architect/vuls
    $ make install
    https://github.com/RVIRUS0817/dev_vuls
    

    View Slide

35. 2019/6/17 VulsࡇΓ #5
    config.toml
    [cveDict]
    type = "sqlite3"
    path = "/home/vuls/vuls/cve.sqlite3"
    [ovalDict]
    type = "sqlite3"
    path = "/home/vuls/vuls/oval.sqlite3"
    [gost]
    type = "sqlite3"
    path = "/home/vuls/vuls/gost.sqlite3"
    [exploit]
    type = "sqlite3"
    SQLite3Path = "/home/vuls/vuls/go-exploitdb.sqlite3"
    [slack]
    legacyToken = “xxxxxxxxxxxxxxxxxxxxxxx" →มߋʂʂ
    channel = "#adachin_alert"→มߋʂʂ
    iconEmoji = ":vuls-report:"→มߋʂʂ
    authUser = "vuls-report"→มߋʂʂ
    [servers]
    [servers.dev-vuls]
    host = "localhost"
    port = "local"
    [servers.dev-wordpress]
    host = "172.17.0.3"
    port = "22"
    user = "root"
    keyPath = "/home/vuls/.ssh/id_rsa"
    scanMode = ["fast"]
    #[servers.dev-wordpress.Wordpress]
    #cmdPath = "/usr/local/bin/wp"
    #osUser = "root"
    #docRoot = "/var/www/html/"
    #wpVulnDBToken = xxxxxxxxx” →มߋʂʂ
    #ignoreInactive = false
    https://github.com/RVIRUS0817/dev_vuls
    ͜͜ʹAPIΛࢦఆʂ
    ͋ͱ͸εΩϟϯ͢Δ͚ͩʂʂ

    
    

    View Slide

36. 2019/6/17 VulsࡇΓ #5
    ͪΐ͏Ͳόʔδϣϯ

    Ξοϓ͠Α͏ͱࢥͬͨΒ!!
    

    View Slide

37. 2019/6/17 VulsࡇΓ #5
    

    View Slide

38. 2019/6/17 VulsࡇΓ #5
    όʔδϣϯΞοϓͰ͖ͳ͍ʂʁ
    

    View Slide

39. 2019/6/17 VulsࡇΓ #5
    go1.12.6Ҏ্ʹ!!
    

    View Slide

40. 2019/6/17 VulsࡇΓ #5
    ϋϯζΦϯ

    ΍Γ·͢ʂʂ
    

    View Slide

41. 2019/6/17 VulsࡇΓ #5
    ·ͱΊ
    ɾ੬ऑੑΛ์ͬͯஔ͘ͱ
    ɾηΩϡϦςΟରԠ͸හײʹʂ

    ɾWordpress੬ऑੑରԠ͍ͯ͠Δํ͸ݟಀ͢͜ͱͳ͠!
    ɾVulsͷόϦϡʔ͕͞Βʹ্͕ͬͨˢ
    ɾAPIୟ͖·͘ΔͱΤϥʔ͕ग़Δˠ༗ྉʹ͠·͠ΐ͏

    ɾdev_vuls͸Dockerfile͔Β࡞Γ௚͠·͢
    

    View Slide

42. 2019/6/17 VulsࡇΓ #5
    ͝ਗ਼ௌ

    ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ
    

    View Slide