WordPress Security Inspection Guide: Getting Started with Security You Can Actually Operate (WordPress保安検査ガイド〜運用可能なセキュリティを始めるために〜) / wpcamp_haneda_security
yoshinori matsumoto
April 20, 2019
Transcript
Does this ever happen at your workplace? "WordPress? Isn't that risky?"
The idea that "Drupal is dangerous" is just as wrong (NG). Every CMS has vulnerabilities, and every one of them has to be dealt with; the only question is whether that work can be made easy.
Drupal example: https://www.itmedia.co.jp/enterprise/articles/1902/28/news077.html
(vulnerability timeline figure) Respond as early as possible, and automate the response if you can.
How to use WordPress safely! Preferably the easy way.
For administrators:
• Protect the WordPress login
• Check vulnerability information
• Choose plugins and themes carefully
For developers:
• Use the functions WordPress provides
For all users, +α:
• When an incident happens
(WordPress roles on the slide: Administrator, Editor, Author, Contributor, Subscriber)
XML-RPC and wp-login.php: these login entry points are the ones that get attacked.
Locked down ⟷ default. The dials: restrict access to wp-login.php (and XML-RPC); two-factor authentication and account lockout; check the password policy. Decide the settings with the actual users in mind: can their IP addresses be fixed? Can you ask them to carry the security "burden" (the hassle)? How much operator workload is acceptable?
Account names are already being guessed: /?author=N reveals the login name. Changing that is a hassle, so at the very least make sure the password never contains the account name.
Protecting the site: an IP whitelist, or use WordPress.com SSO.
Customer-facing accounts: WooCommerce creates them with its own "Customer" role. They can log in through wp-login.php but cannot reach the admin screens (anything under wp-admin).
The WooCommerce login form is exactly as strong as the WordPress login form:
• unlike the normal login it carries a "nonce", but that nonce is not one-time, so it is of little use against brute force
• login-protection plugins work on it as-is (verified with Login LockDown and Crazy Bone)
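The login hardening the slides above describe (XML-RPC off, author enumeration closed, account lockout, a password policy that rejects the login name), as an added example written for this deck rather than code from the speaker or from any of the plugins named. It is a must-use plugin (drop it into wp-content/mu-plugins/) and assumes that nothing on the site needs XML-RPC and that REMOTE_ADDR is the real client address; the lockout is per source IP, which is exactly the "can their IPs be fixed?" question the slide raises, since a lockout keyed on a shared NAT address locks out everyone behind it.

```php
<?php
/**
 * Plugin Name: Login hardening (added example for the wpcamp_haneda_security deck)
 *
 * Not the speaker's code. Assumptions: XML-RPC is unused (Jetpack and the
 * mobile apps need it), and $_SERVER['REMOTE_ADDR'] is the real client
 * address (fix that in front of WordPress if you sit behind a proxy or CDN).
 */

// 1. XML-RPC takes the same credentials with no nonce at all; switch off its
//    authenticated methods unless something actually uses them.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Author enumeration: /?author=1 redirects to /author/<login>/ and the REST
//    users route lists login names. Close both for anonymous visitors.
add_action( 'template_redirect', function () {
	if ( ! is_user_logged_in() && isset( $_GET['author'] ) ) {
		wp_safe_redirect( home_url( '/' ), 301 );
		exit;
	}
} );
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( ! is_user_logged_in() ) {
		unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
	}
	return $endpoints;
} );

// 3. Account lock: count failures per client IP in a transient and refuse
//    authentication once the threshold is reached. wp-login.php and the
//    WooCommerce My Account form both end up in the 'authenticate' filter.
const LOGIN_LOCK_MAX    = 5;
const LOGIN_LOCK_WINDOW = 15 * MINUTE_IN_SECONDS;

function login_lock_key() {
	return 'login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

add_action( 'wp_login_failed', function () {
	$key = login_lock_key();
	set_transient( $key, (int) get_transient( $key ) + 1, LOGIN_LOCK_WINDOW );
} );

// Priority 40 runs after core's own username/password and cookie checks, so a
// locked address is refused even when the password is right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( (int) get_transient( login_lock_key() ) >= LOGIN_LOCK_MAX ) {
		return new WP_Error( 'too_many_attempts', __( 'Too many failed logins. Try again later.' ) );
	}
	return $user;
}, 40, 3 );

// 4. Password policy: login names are enumerable, so refuse passwords that
//    contain the login name, on profile edits and on password resets.
function password_contains_login( $pass, $user ) {
	if ( $pass === '' || empty( $user->user_login ) ) {
		return false;
	}
	return stripos( $pass, $user->user_login ) !== false;
}
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( password_contains_login( $_POST['pass1'] ?? '', $user ) ) {
		$errors->add( 'pass_contains_login', __( 'The password must not contain the username.' ) );
	}
}, 10, 3 );
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( password_contains_login( $_POST['pass1'] ?? '', $user ) ) {
		$errors->add( 'pass_contains_login', __( 'The password must not contain the username.' ) );
	}
}, 10, 2 );
```

The transient counter is deliberately simple: it lives in the options table (or the object cache when one is configured) and expires on its own, so there is nothing to clean up. Like the plugins the slide mentions, it does nothing against a distributed attack that spreads attempts over many addresses; that is what two-factor authentication is for.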
Shared (rental) hosting: your WordPress sits next to other people's sites on the same server. You hold an FTP account, a WP account, a control-panel account and the server contract details.
• enable the hosting company's two-factor authentication
• never reuse a password across these accounts
• use the latest version of your FTP client
• avoid FTP altogether where you can
VPS / cloud: your accounts are the WP account, the control-panel account, the server contract details and the server (SSH) account.
• enable the hosting company's two-factor authentication
• make SSH login public-key only (password authentication disabled)
• configure security groups and similar network controls
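The "public key only, passwords disabled" setting from the slide above, as an added sshd_config fragment that is not part of the deck; the weak block is what many VPS images ship with, the hardened block is what to change it to. The account name is a placeholder.

```text
# /etc/ssh/sshd_config

# --- weak (typical image default) ---
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes

# --- hardened ---
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no     # spelled KbdInteractiveAuthentication on OpenSSH 8.7+
PermitRootLogin prohibit-password      # root only with a key, never with a password
AllowUsers deploy                      # placeholder: the one account that should get in

# check the syntax and reload without dropping the session you are in:
#   sshd -t && systemctl reload sshd
```

Put your public key in place and log in from a second terminal before reloading; the `sshd -t` check catches typos, not a missing key.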
Q: We block, in .htaccess, every IP address that ever hit wp-login.php. Does that do anything?
The IP addresses that hammer the login screen change all the time, so an IP blacklist is hard to keep useful. Today most of them sit in overseas ranges, but scanning from domestic IP addresses is entirely possible, so do not over-trust country-based access restrictions either.
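A way to put a number on the claim above before deciding whether to keep the blacklist: parse the access log, take the addresses that brute-forced the login on one day, and see how many of them are still at it the next day. This is an added example written for this deck, not the speaker's code; the log lines are constructed (documentation IP ranges, invented dates) so it runs offline, and it needs PHP 7.4 or newer for the arrow function.

```php
<?php
// Added example for the wpcamp_haneda_security deck, not the speaker's code.
// Measures how much of day 1's wp-login.php attacker set is still attacking on
// day 2, the number that decides whether a static .htaccess blacklist is worth it.
// Input is Apache "combined" log format; for real data replace $log with
// file('/var/log/httpd/access_log', FILE_IGNORE_NEW_LINES).

const LOG_RE = '/^(\S+) \S+ \S+ \[(\d{2}\/\w{3}\/\d{4}):[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})/';

function parseLine( string $line ): ?array {
	if ( ! preg_match( LOG_RE, $line, $m ) ) {
		return null;
	}
	return [ 'ip' => $m[1], 'day' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] ];
}

// A login attempt is a POST to wp-login.php or to xmlrpc.php; XML-RPC brute
// force (wp.getUsersBlogs, system.multicall) never touches wp-login.php.
function isLoginAttempt( array $r ): bool {
	return $r['method'] === 'POST' && preg_match( '#^/(wp-login\.php|xmlrpc\.php)(\?|$)#', $r['path'] ) === 1;
}

/** @return array<string, array<string, int>> day => ip => attempts */
function attemptsPerDay( array $lines ): array {
	$out = [];
	foreach ( $lines as $line ) {
		$r = parseLine( $line );
		if ( $r && isLoginAttempt( $r ) ) {
			$out[ $r['day'] ][ $r['ip'] ] = ( $out[ $r['day'] ][ $r['ip'] ] ?? 0 ) + 1;
		}
	}
	return $out;
}

/** IP addresses with at least $min login attempts on $day */
function attackers( array $perDay, string $day, int $min = 5 ): array {
	return array_keys( array_filter( $perDay[ $day ] ?? [], fn( $n ) => $n >= $min ) );
}

// --- constructed sample: four bots on day 1, one of them back on day 2 ---
function fakeLines( string $ip, string $day, int $n, string $path = '/wp-login.php' ): array {
	$lines = [];
	for ( $i = 0; $i < $n; $i++ ) {
		$lines[] = sprintf( '%s - - [%s:02:%02d:00 +0900] "POST %s HTTP/1.1" 200 3512 "-" "Mozilla/5.0"', $ip, $day, $i, $path );
	}
	return $lines;
}
$log = array_merge(
	fakeLines( '203.0.113.10', '19/Apr/2019', 40 ),
	fakeLines( '203.0.113.11', '19/Apr/2019', 12 ),
	fakeLines( '198.51.100.7', '19/Apr/2019', 9, '/xmlrpc.php' ),
	fakeLines( '192.0.2.200', '19/Apr/2019', 6 ),
	[ '192.0.2.5 - - [19/Apr/2019:09:12:00 +0900] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"' ], // the real admin
	fakeLines( '203.0.113.11', '20/Apr/2019', 30 ),
	fakeLines( '198.51.100.99', '20/Apr/2019', 25 ),
	fakeLines( '192.0.2.77', '20/Apr/2019', 8, '/xmlrpc.php' )
);

$perDay = attemptsPerDay( $log );
$day1   = attackers( $perDay, '19/Apr/2019' );
$day2   = attackers( $perDay, '20/Apr/2019' );
$kept   = array_intersect( $day1, $day2 );
printf( "day 1 attackers: %s\n", implode( ', ', $day1 ) );
printf( "day 2 attackers: %s\n", implode( ', ', $day2 ) );
printf( "a blacklist built from day 1 stops %d of %d day-2 attackers\n", count( $kept ), count( $day2 ) );
```

On the constructed data the day-1 list covers one of the three day-2 attackers; on a real log run the same comparison over a few weeks and the overlap is usually what tells you the blacklist is maintenance without much return. The admin's single GET is excluded by the POST-and-threshold rule, which is the same rule a lockout plugin applies.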
Q: Should we put Basic authentication in front of the login screen?
You can, but the benefit may not be worth the extra hassle, and on a site still served over plaintext HTTP it is actively dangerous (the Basic credentials cross the wire unprotected). What it buys you can already be had from WordPress's own features, so you gain little, and the drawbacks do not go away.
https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/003.html
Check the update notices on the dashboard: core, themes, plugins.

Core:     within the scope of auto-update; major updates are done from the admin screen
Themes:   outside auto-update; update from the admin screen
Plugins:  outside auto-update; update from the admin screen

Auto-update has been in WordPress since 3.7, is on by default, covers only minor (security) releases, and can be disabled. Do not disable it without a very good reason.
Release timeline on the slide: 2018/12 release → 2019/3 auto-update; 2019/2 manual update → 2019/3 auto-update. In principle only the latest version is supported, but security patches are sometimes shipped for older branches as well.
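The auto-update scope described above, stated as configuration: an added example for this deck, not from the speaker. The weak lines are the two constants that switch the security auto-updates off; the rest keeps minor releases automatic and opts in a hypothetical allow-list of plugin and theme slugs instead of blanket-enabling everything. Constants go in wp-config.php, the filters in an mu-plugin, because add_filter() does not exist yet when wp-config.php is read.

```php
<?php
// Added example for the wpcamp_haneda_security deck, not the speaker's code.

// --- wp-config.php ---

// Weak: either of these switches off the minor/security auto-updates the slide
// says to leave on.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
// define( 'WP_AUTO_UPDATE_CORE', false );

// Recommended: minor (security) releases install themselves, majors stay a
// manual step from wp-admin. This is the default, written down so nobody
// "tidies it up" later.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- wp-content/mu-plugins/auto-update-policy.php ---

// Plugins and themes are outside the default scope. Opt in only the slugs whose
// updates you are willing to take unattended (slugs below are placeholders);
// everything else keeps the default, i.e. a manual update from the admin screen.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	$unattended = [ 'akismet', 'wordfence' ];
	return in_array( $item->slug, $unattended, true ) ? true : $update;
}, 10, 2 );

add_filter( 'auto_update_theme', function ( $update, $item ) {
	$unattended = [ 'twentynineteen' ];
	return in_array( $item->theme, $unattended, true ) ? true : $update;
}, 10, 2 );
```

The filter receives the update object (`$item->slug` for plugins, `$item->theme` for themes) and the default decision; returning `$update` unchanged for anything not on the list is what keeps the policy from silently widening.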
Example: the WordPress core vulnerability covered by an Asahi Shimbun article (asahi.com) and by IPA's "WordPress の脆弱性対策について" (ipa.go.jp, security/ciadr/vul/). Core: the affected release series and anything older is vulnerable; versions carrying the fix are not. The fix was delivered by auto-update.
Where vulnerability information shows up: public bodies (JPCERT/CC alerts http://www.jpcert.or.jp/at/, JVN https://jvn.jp/) and the hosting company's alert e-mails. Keep an eye on it!
For those who find the advisories too hard to read, watch for these words together:
• no authentication required (remote, by a third party …)
• from outside (remotely)
• code execution (RCE, Remote Code Execution)
Use them to judge how easy the attack is, and check whether auto-update already covers it.
Server checklist:
• Is the PHP version too old? → at some point WordPress simply stops running on it
• Is the web server (Apache/Nginx) too old? → yum update
• Firewall (iptables / security groups) → are unused services still listening?
• Log rotation
• SSL/TLS → should be on wherever passwords or personal data are handled; also good for SEO
If this is unclear or too much trouble: use a shared hosting plan or WordPress.com.
Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild
https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/
The vulnerability was exploited to inject a script; when a visitor's browser runs it they are redirected to scam sites. The plugin was later removed from the directory. Did the developer even get notified?!
Either way the visitor lands on a scam site. A round-up of the wave of attacks on WordPress plugins: "WordPressプラグインを狙う攻撃が活発化している件をまとめてみた" (piyolog.hatenadiary.jp).
Duplicator Update Patches Remote Code Execution Flaw https://www.wordfence.com/blog/2018/09/duplicator-update-patches-remote-code-execution-flaw/
Here the vulnerability gave arbitrary code execution, and the fix was available as an update. With code execution, anything goes:
• site defacement
• backdoor planted
• files deleted
• site turned into a phishing page
• redirects to fake sites
A pattern seen again and again in WordPress incident response: a web shell is dropped on the server, and everything that follows is done from that foothold.
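A first-pass triage for the web-shell pattern above, as an added example that is not the speaker's code: walk wp-content/uploads, which should contain media only, and flag executable extensions, typical shell constructs, and PHP open tags hiding inside files with a media extension. It runs against a constructed temporary directory so it can be tried offline; in real use point scanUploads() at wp_upload_dir()['basedir'] from a WP-CLI command or a cron job, and treat a hit as a reason to take the copy for analysis, not as proof.

```php
<?php
// Added example for the wpcamp_haneda_security deck, not the speaker's code.
// Triage scan for dropped web shells under wp-content/uploads. Three signals:
// an executable extension where only media belongs, shell-style constructs in
// the content, and a PHP open tag inside a file with a media extension.

const EXEC_EXT = [ 'php', 'phtml', 'php5', 'php7', 'phar', 'inc' ];
const SHELL_RE = '/\b(eval|assert|system|passthru|shell_exec|popen|proc_open)\s*\(|base64_decode\s*\(\s*[\'"][A-Za-z0-9+\/=]{40,}|\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(/';

function scanFile( string $path ): array {
	$findings = [];
	$ext      = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
	if ( in_array( $ext, EXEC_EXT, true ) ) {
		$findings[] = "executable extension .$ext in uploads";
	}
	$head = @file_get_contents( $path, false, null, 0, 262144 ); // first 256 KiB is enough for a shell
	if ( $head !== false && preg_match( SHELL_RE, $head, $m ) ) {
		$findings[] = 'shell construct: ' . trim( $m[0] );
	}
	if ( $head !== false && ! in_array( $ext, EXEC_EXT, true ) && strpos( $head, '<?php' ) !== false ) {
		$findings[] = "PHP code inside .$ext"; // renamed shell, or content waiting for an include()
	}
	return $findings;
}

/** @return array<string, string[]> path => findings, only files with at least one finding */
function scanUploads( string $dir ): array {
	$hits = [];
	$it   = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
	foreach ( $it as $f ) {
		$findings = scanFile( $f->getPathname() );
		if ( $findings ) {
			$hits[ $f->getPathname() ] = $findings;
		}
	}
	return $hits;
}

// --- constructed sample tree: one clean image, two planted files ---
$tmp = sys_get_temp_dir() . '/uploads_' . bin2hex( random_bytes( 4 ) );
mkdir( "$tmp/2019/04", 0700, true );
file_put_contents( "$tmp/2019/04/photo.jpg", "\xFF\xD8\xFF\xE0 jpeg bytes" );
file_put_contents( "$tmp/2019/04/wp-cache.php", '<?php @eval($_POST["x"]);' );
file_put_contents( "$tmp/2019/04/logo.png", '<?php system($_GET["cmd"]); ?>' );

foreach ( scanUploads( $tmp ) as $path => $findings ) {
	echo $path, "\n  - ", implode( "\n  - ", $findings ), "\n";
}
```

Expect photo.jpg to be silent, wp-cache.php to be reported twice (extension and the eval), and logo.png to be reported for the system() call and the PHP tag. Names like wp-cache.php are chosen by attackers precisely because they look like something WordPress would leave behind; that is why the extension rule is applied to the uploads tree regardless of name.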
Choose plugins and themes that are actively maintained. Anything left untouched for a long time deserves suspicion: the exploit for its vulnerability may already be circulating. When a plugin's or theme's directory page shows a warning to that effect, be careful.
Backups matter. With only WordPress's standard logging it is hard to establish the extent of the damage after an incident, and (once the cause is identified) restoring the known-good state is often the fastest way back. Back up the source files and a DB dump; with those you can recover. Using a backup plugin is fine; keep an eye on its vulnerabilities and its licence.
SQL injection: attacks on the database; data leakage and tampering.
XSS (cross-site scripting): JavaScript executed by a third party; visitors redirected to malicious sites, malware downloads.
Use the functions WordPress provides. The WordPress Codex Is Your Friend…
• $wpdb->prepare: queries with placeholders protect against SQL injection
• wp_kses, esc_html / esc_attr: stop third-party JavaScript from running
• current_user_can('upload_files'): does the current user hold the capability (here, uploading files)?
• wp_check_filetype: check the file type; the MIME type has to be checked as well, not just the extension
How to Prevent File Upload Vulnerabilities https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
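The functions listed above, shown on one plugin handler written the vulnerable way and then hardened. This is an added example for this deck, not the speaker's code or any real plugin; it assumes a custom table {$wpdb->prefix}notes with columns title and body, a form that sends a q parameter, a file field named note_file and a nonce field named notes_nonce.

```php
<?php
// Added example for the wpcamp_haneda_security deck, not the speaker's code.
// Assumed schema: {$wpdb->prefix}notes( title, body ); form fields q, note_file, notes_nonce.

// -------- vulnerable --------
function notes_search_vulnerable() {
	global $wpdb;
	$q    = $_GET['q'];                                                        // untrusted
	$rows = $wpdb->get_results( "SELECT title, body FROM {$wpdb->prefix}notes WHERE title LIKE '%{$q}%'" ); // SQL injection
	echo "<p>Results for {$q}</p>";                                            // reflected XSS
	foreach ( $rows as $row ) {
		echo "<li>{$row->title}: {$row->body}</li>";                           // stored XSS
	}
}

function notes_upload_vulnerable() {
	$dest = wp_upload_dir()['path'] . '/' . $_FILES['note_file']['name'];      // any name, any type, any user
	move_uploaded_file( $_FILES['note_file']['tmp_name'], $dest );             // shell.php lands in a web-served directory
}

// -------- hardened --------
function notes_search_safe() {
	global $wpdb;
	$q    = sanitize_text_field( wp_unslash( $_GET['q'] ?? '' ) );
	$like = '%' . $wpdb->esc_like( $q ) . '%';                                 // escape LIKE wildcards, then bind the value
	$rows = $wpdb->get_results(
		$wpdb->prepare( "SELECT title, body FROM {$wpdb->prefix}notes WHERE title LIKE %s", $like )
	);
	echo '<p>Results for ' . esc_html( $q ) . '</p>';
	$allowed_html = [ 'a' => [ 'href' => [] ], 'b' => [], 'i' => [] ];        // body may carry this much markup, nothing else
	foreach ( $rows as $row ) {
		echo '<li>' . esc_html( $row->title ) . ': ' . wp_kses( $row->body, $allowed_html ) . '</li>';
	}
}

function notes_upload_safe() {
	if ( ! current_user_can( 'upload_files' ) ) {                               // a capability check, not "is logged in"
		wp_die( esc_html__( 'Not allowed.' ), 403 );
	}
	check_admin_referer( 'notes_upload', 'notes_nonce' );                      // CSRF
	$file = $_FILES['note_file'] ?? null;
	if ( ! $file || $file['error'] !== UPLOAD_ERR_OK ) {
		wp_die( esc_html__( 'Upload failed.' ), 400 );
	}
	// Allow-list of extension => MIME. wp_check_filetype_and_ext() checks the
	// name against the list and sniffs the content, so a PHP file renamed to
	// .png comes back with ext/type false.
	$mimes = [ 'pdf' => 'application/pdf', 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' ];
	$check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
	if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
		wp_die( esc_html__( 'File type not allowed.' ), 415 );
	}
	require_once ABSPATH . 'wp-admin/includes/file.php';
	$moved = wp_handle_upload( $file, [ 'test_form' => false, 'mimes' => $mimes ] );
	if ( isset( $moved['error'] ) ) {
		wp_die( esc_html( $moved['error'] ), 400 );
	}
	return $moved['file'];                                                     // sanitised, unique file name under uploads/
}
```

Two details worth noticing: `$wpdb->prepare` alone does not neutralise `%` and `_` inside a LIKE pattern, which is why `esc_like()` runs first; and `wp_handle_upload()` with the same `$mimes` list both sanitises the file name and re-checks the type, so the allow-list is enforced twice on the way to disk.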
How much does it cost to build a WordPress site? An estimate worked out at a costing study session (toyao.net): ¥488,355.
Hypothetical case: "Visiting the site of 神戸みなと歯科 redirects you to a malicious site," reports the hosting company. The site is therefore suspended. Its own business impact is small, so the outage itself is not a big problem, but the owners want it back up as soon as the cause and the damage have been assessed and the site is confirmed safe.
Q: How much would a security vendor's investigation cost?
Quote breakdown (type, content; prices as on the slide):
Initial investigation: access and server log analysis; file scan (any malicious files?); personal-data leak risk assessment
Security assessment: tool scan, full assessment and re-test (option)
On-site report
Duration: about one week (excluding the assessment). Deliverable: investigation report.
…which costs about as much as rebuilding the site from scratch ><
Like a domain name, a site has to be managed until the very end. Realistically: do not skimp on a maintenance contract, and consider shutting down websites you cannot manage (IPA: "管理できていないウェブサイトは閉鎖の検討を", ipa.go.jp, security/ciadr/vul/).
Things to consider and carry out after an incident:
• explaining to customers, partner companies and the supervising authority
• new contracts for security products such as a WAF
• lawyer's fees
• rebuild costs, re-selecting the vendor
This slide is fiction. "Isn't it cheaper to give up and rebuild?" "We paid for an investigation and still never found the cause." "We never thought it would happen to us."
It sounds like a movie, but some people really do lose it when they have to explain this upstairs. With WordPress's standard logs, pinning down the cause is sometimes not possible. Well, this slide is fiction.
• Protect the WordPress login
• Check vulnerability information
• Choose plugins and themes carefully
• Use the functions WordPress provides
• Want someone to talk security with? (Anyone!)
How to use WordPress safely! Preferably the easy way.