WordPress保安検査ガイド〜運用可能なセキュリティを始めるために〜 / wpcamp_haneda_security

6e007aca86b0c0b0eabdebc33d81810d?s=47 yoshinori matsumoto
April 20, 2019
Technology
1
520

WordPress保安検査ガイド〜運用可能なセキュリティを始めるために〜 / wpcamp_haneda_security

6e007aca86b0c0b0eabdebc33d81810d?s=128

yoshinori matsumoto

April 20, 2019
Tweet

More Decks by yoshinori matsumoto

See All by yoshinori matsumoto
6e007aca86b0c0b0eabdebc33d81810d?s=48 ym405nm
0
18
6e007aca86b0c0b0eabdebc33d81810d?s=48 ym405nm
0
140
6e007aca86b0c0b0eabdebc33d81810d?s=48 ym405nm
0
86
6e007aca86b0c0b0eabdebc33d81810d?s=48 ym405nm
1
530
6e007aca86b0c0b0eabdebc33d81810d?s=48 ym405nm
0
580
6e007aca86b0c0b0eabdebc33d81810d?s=48 ym405nm
8
3.9k
6e007aca86b0c0b0eabdebc33d81810d?s=48 ym405nm
0
370

Other Decks in Technology

See All in Technology
9fbbe5d0b8e2ee1cdc3a576b55a2d63d?s=48 uzimaru0000
1
130
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
2k
C825832c4fc71ffdfd44905729281fb0?s=48 puhitaku
9
27k
2c68dc672293cc3f8a7a57d3af86f15b?s=48 koukyo1994
2
380
61a68b2172503ecdf7a7f7757df56071?s=48 toyship
1
390
79c2f7db29ee6df3e1ceb85c6a0126d3?s=48 moriwaka
0
140
57e8d22493c141fd3c7e7dbe62196c1b?s=48 uenitty
1
310
7602f2751868682b296171f58589c851?s=48 lyrixx
3
1.1k
C3c921c8ae5f684bf046937bd162f322?s=48 kawagoi
7
1.4k
53e2d354b3299d64a54af680865516d5?s=48 satotakeshi
3
700
Ee6254efe6c4bc4c08967c11d4939245?s=48 kotetuco
2
170
F301c0275838d562c72ea9177e7ddc68?s=48 fkino
8
1.4k

Featured

See All Featured
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
23
3.7k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
104
14k
79acae287842acf29084005533a7fb3b?s=48 hursman
103
9.1k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
184
14k
78b475797a14c84799063c7cd073962f?s=48 holman
447
130k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1020
360k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
175
7.2k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
23
1.7k
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
121
20k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
266
16k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
49
3.2k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
436
28k

Transcript

  1. None

  2. et r pc B C A mo d K ilk

    y O h  , 0 P W c aS sn  , 5 6 2 1 06 , 0

  3. Wcd h h S Wcd p I n J i

    ov d rP t SI A A + 5 I 6 os h u b ae h u

  4. ) ( ۭߓͰ͜Μͳ͜ͱ͋Γ·ͤΜ͔ʁ

  5. ৬৔Ͱ͜Μͳ͜ͱ͋Γ·ͤΜ͔ 8PSE1SFTT ͳΜ͔ ةͳ͘Ͷ

  6. ! M 5 S W C P

  7. ) ( %SVQBM͸ةͳ͍ͱ͍͏ߟ͑΋ /( Ͳͷ$.4Ͱ΋੬ऑੑ͕͋Δ ੬ऑੑͷରԠ͸ඞཁ ָͨͩ͠ʹ͢Δ͜ͱ͸Մೳʁ Drupal  

       https://www.itmedia.co.jp/enterprise/articles/1902/28/news077.html

  8. mi / A p . 1274 / A g tc

    j s 7 A- 8 4381 2 4 4 8A4 1 82 4A 4 A ( 7 e hfn dfkl 7 A- 2 6 6 2 4 A 35 ) 06 0 608 :18 8 35 r S a_ r uo ͳΔ΂͘ૣ͘ରԠ ʢͰ͖ͨΒࣗಈԽ͍ͨ͠ʣ

  9. • 8PSE1SFTTͷϩάΠϯΛकΔ • ੬ऑੑ৘ใΛ֬ೝ͢Δ • ϓϥάΠϯͱςʔϚΛબͿ • 8PSE1SFTTͷؔ਺Λ࢖͏  ؅ཧऀ

    ։ൃऀ޲͚ ؅ཧऀ ฤूऀ ౤ߘऀ دߘऀ ߪಡऀ 8PSE1SFTTΛ҆શʹ࢖͏ํ๏ʂ Ͱ͖Ε͹ָͳ΍ͭ શϢʔβ ʴЋ ࣄނ͕͓ͬͨ͜Β

  10.     

  11. XML RPC wp-login.php    ͜͜ͷϩάΠϯػೳ͕ૂΘΕ΍͍͢

  12. ΨνΨν σϑΥϧτ XQMPHJOQIQ౳ͷΞΫηε੍ݶʢ9.-31$΋ʣ ཁૉೝূɺΞΧ΢ϯτϩοΫ ύεϫʔυϙϦγʔͷ֬ೝ Ϣʔβ͸Ͳ͏࢖͏͔Λߟ͑ͳ͕Βઃఆ͢Δ *1ΞυϨε͕ݻఆՄೳ͔ʁ ηΩϡϦςΟ΁ͷzෛՙzʢ໘౗ࣄʣΛ͓ئ͍Ͱ͖Δ͔ʁ ӡӦऀ΁ͷෛ୲͸ͲΕ͘Β͍ڐ༰Ͱ͖Δ͔ʁ 

    

  13.    ΞΧ΢ϯτ໊΋ਪଌ͞Ε͍ͯΔ BVUIPSͰΞΧ΢ϯτ͕ਪଌ ˠ͜͜Λมߋ͢Δͷ͸໘౗͍͘͞ ୠ͠ύεϫʔυ໊ʹΞΧ΢ϯτΛೖΕͳ͍͜ͱ΋ॏཁ

  14. αΠτͷอޢ ϗϫΠτϦετ 8PSE1SFTTDPNͷ 440Λར༻ 

  15.    ސ٬޲͚ͷΞΧ΢ϯτ؅ཧ͸8PSE1SFTTͷ ʮ$VTUPNFSʯݖݶʢ8$ಠࣗʣͱͯ͠࡞੒͞ΕΔ XQMPHJOQIQܦ༝Ͱ΋ϩάΠϯͰ͖Δ͕ ؅ཧը໘ XQBENJOҎԼ ʹ͸ΞΫηεͰ͖ͳ͍ •

    8PSE1SFTTͷϩάΠϯϑΥʔϜͱಉ͡ڧ౓ • ௨ৗϩάΠϯͱҧ͍ʮOPODFʯ͸͍͍ͭͯΔ͕ɺϫϯλΠϜͰ͸ ͳ͍ͷͰϒϧʔτϑΥʔεରࡦʹ͸ඍົ • ϩάΠϯอޢܥͷϓϥάΠϯ͸ͦͷ··࢖͑Δ ʢ-PHJO-PDL%PXO $SB[ZCPOF ͳͲͰ͸ݕ஌Ͱ͖ͨʣ

  16.     Ϩϯλϧαʔόͷ৔߹ ଞαΠτ ଞαΠτ .Z 8PSE1SFTT ͋ͳͨ

    '51αʔό ڞ༻αʔό '51ΞΧ΢ϯτ 81ΞΧ΢ϯτ ίϯύω ΞΧ΢ϯτ αʔό ܖ໿৘ใ ϗεςΟϯάձࣾͷೋཁૉೝূΛ༗ޮʹ͢Δ ͦΕͧΕύεϫʔυΛ࢖͍·Θ͞ͳ͍ '51ΫϥΠΞϯτ͸࠷৽൛Λ࢖͏ ͳΔ΂͘'51͸࢖Θͳ͍ ίϯύω

  17.     714Ϋϥ΢υαʔϏεͷ৔߹ ͋ͳͨ 714 81ΞΧ΢ϯτ ίϯύω ΞΧ΢ϯτ

    αʔό ܖ໿৘ใ ϗεςΟϯάձࣾͷೋཁૉೝূΛ༗ޮʹ͢Δ αʔόͷ44)ϩάΠϯ͸ެ։伴ೝূ ʢύεϫʔυແޮʣʹ͢Δ ηΩϡϦςΟάϧʔϓͳͲ΋ઃఆ ίϯύω .Z 8PSE1SFTT 44)% αʔόΞΧ΢ϯτ

  18.      2աڈʹ XQMPHJOQIQ ʹΞΫηε͕͋ͬͨ*1ΞυϨεΛ ϒϩοΫ͍ͯ͠Δ͕ޮՌ͸͋Δͷ͔ʁ ΞΫηεϩά

    Attack IP .htaccess ϩάΠϯը໘ʹ޿͘ΞΫηε͍ͯ͠Δ*1͸ͦͷ౎౓มߋ͞ΕΔͨΊɺ *1ΞυϨεͷϒϥοΫϦετΛ؅ཧ͢Δͷ͸೉͍͠ɻ ·ͨɺݱঢ়ւ֎ͷ*1ΞυϨεଳҬʹଟ͍܏޲͸͋Δ͕ɺ ࠓޙࠃ಺*1ΞυϨεͰͷεΩϟϯ΋ߟ͑ΒΕΔͨΊɺ ࠃ͝ͱͷΞΫηε੍ݶΛա৴͠ͳ͍Α͏ʹ஫ҙ͕ඞཁɻ

  19.    2ϩάΠϯը໘ʹ#BTJDೝূ͍ΕΔ΂͖ʁ ೖΕͯ΋͍͍͚Ͳɺ໘౗ʹͯ͠·ͰͷϝϦοτ͸ͳ͍͔΋ ʢಛʹฏจ௨৴Λߦ͍ͬͯΔαΠτ͸ةݥʣ 81ͷػೳͰΧόʔͰ͖ΔͷͰϝϦοτΛڗडͰ͖ͳ͍ σϝϦοτ͸ղܾ͍ͯ͠ͳ͍ https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/003.html

  20.   

  21.  μογϡϘʔυʹ͋Δߋ৽৘ใ͸ཁ֬ೝ • ຊମ • ςʔϚ • ϓϥάΠϯ

  22.  ຊମ ςʔϚ ϓϥάΠϯ ΦʔτΞοϓσʔτͷର৅ ϝδϟʔΞοϓσʔτ͸؅ཧը໘͔Β ΦʔτΞοϓσʔτͷର৅֎ ؅ཧը໘͔Β ΦʔτΞοϓσʔτͷର৅֎ ؅ཧը໘͔Β

  23.       8PSE1SFTT͔Βಋೖ σϑΥϧτͰ༗ޮ ϚΠφʔΞοϓσʔτʢηΩϡϦςΟΞοϓσʔτʣͷΈର৅ ແޮʹ͢Δ͜ͱ΋Մೳ

    ˠΑͬΆͲͷཧ༝͕ͳ͍ݶΓແޮʹ͠ͳ͍     2018/12 2019/3 2019/2 2019/3 ΦʔτΞοϓσʔτ खಈ Ξοϓσʔτ ΦʔτΞοϓσʔτ ݪଇతʹαϙʔτ͸࠷৽൛Ͱ͋Δ͕ɺ ηΩϡϦςΟύον͕ग़Δ͜ͱ΋͋Δ

  24. IUUQTXXXBTBIJDPNBSUJDMFT"4,#)4,#6-0#IUNM 8PSE1SFTTͷ੬ऑੑରࡦʹ͍ͭͯ IUUQTXXXJQBHPKQTFDVSJUZDJBESWVMXPSEQSFTTIUNM ຊମ Өڹड͚Δόʔδϣϯ   ܥ΋͘͠͸ͦΕҎԼ͸ ର৅֎ मਖ਼ࡁΈͷόʔδϣϯ

     ΦʔτΞοϓσʔτର৅

  25.   ެతػؔ +1$&35$$஫ҙשى IUUQXXXKQDFSUPSKQBU +7/ IUUQTKWOKQ ϗεςΟϯάձࣾ ஫ҙשى΍ϝʔϧ ͜ͷ͋ͨΓʹग़ݱ͢Δ

    ৘ใʹ͸ཁ஫ҙʂ

  26.   Ή͔͍ͣ͠࿩ΑʔΘ͔ΒΜͱ͍͏ํͷͨΊʹ • ೝূͳ͠ʢԕִͷɺୈࡾऀʹΑΔʙʣ • ֎෦͔ΒʢϦϞʔτ͔Βʣ • ίʔυ࣮ߦʢ3$&3FNPUF$PEF&YFDVUJPOʣ ͳͲ͕ଗ͏ͱཁ஫ҙ

    ͪ͜Βͷ߲໨Ͱ߈ܸ͕؆୯͔Ͳ͏͔ͳͲΛ֬ೝ͢Δ ·ͨΦʔτΞοϓσʔτͰରԠͰ͖͍ͯΔ͔Ͳ͏͔

  27.   • 1)1ͷόʔδϣϯ͕ݹ͗͢ͳ͍͔ ˠ ͦ΋ͦ΋8PSE1SFTT΋ಈ͔ͳ͘ͳΔ • 8FCαʔόʢ"QBDIF/HJOYʣͷόʔδϣϯ͕ݹ͗͢ͳ͍͔ ˠ ZVNVQEBUF

    • ϑΝΠΞ΢Υʔϧ JQUBCMFTηΩϡϦςΟάϧʔϓ ˠ ࢖༻͍ͯ͠ͳ͍αʔϏε͕ىಈͨ͠··ʹͳ͍ͬͯͳ͍͔ • ϩάϩʔςʔγϣϯ • 44-Խ ˠ ύεϫʔυɾݸਓ৘ใΛѻ͏৔໘͸͋ͬͨ΄͏͕͍͍ɻ4&0తʹ΋ɻ Α͘Θ͔Βͳ͍ɺ໘౗͍͘͞ͱ͍͏ਓ͸ Ϩϯλϧαʔό΋͘͠͸8PSE1SFTTDPNΛར༻͠·͠ΐ͏

  28.     

  29.  Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild

    https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/ ੬ऑੑΛѱ༻͞Ε εΫϦϓτΛຒΊࠐ·ΕΔ Ӿཡऀ͕࣮ߦ͢Δͱ ࠮ٗαΠτʹ༠ಋ͞ΕΔ ͦͷޙϓϥάΠϯ͸࡟আ͞ΕΔ ։ൃऀʹ௨஌͸͍͔ͳ͍ʂʁ

  30.    ͲͪΒ΋࠮ٗαΠτʹ ༠ಋ͞ΕΔ 8PSE1SFTTϓϥάΠϯΛૂ͏߈ܸ͕׆ൃԽ͍ͯ͠Δ݅Λ·ͱΊͯΈͨ IUUQTQJZPMPHIBUFOBEJBSZKQFOUSZ

  31.       ੬ऑੑΛѱ༻͞Ε ೚ҙίʔυ͕࣮ߦ͞ΕΔ Ξοϓσʔτʹͯ ੬ऑੑରԠՄೳ

    • αΠτվ͟Μ • όοΫυΞຒΊࠐΈ • ϑΝΠϧ࡟আͳͲ • ϑΟογϯάαΠτԽ • ِαΠτ΁ͷ༠ಋ ͳΜͰ΋Ͱ͖Δ Duplicator Update Patches Remote Code Execution Flaw https://www.wordfence.com/blog/2018/09/duplicator-update-patches-remote-code-execution-flaw/

  32.   8PSE1SFTTͷࣄނରԠͰΑ͘ݟΔࣄྫ 8FC4IFMMͱ͍͏πʔϧΛαʔό಺ʹஔ͔ΕΔ ͜ΕΛΩοΧέʹαʔόͰͷૢ࡞ΛߦΘΕΔ

  33.     मਖ਼΍ϝϯςφϯε͕Α͘ߦΘΕ͍ͯΔ΋ͷΛબͿ ௕ظؒ์ஔ͞Ε͍ͯΔ΋ͷ͸ཁ஫ҙ ੬ऑੑͷ߈ܸํ๏͕޿·͍ͬͯΔՄೳੑ΋͋Γ ϓϥάΠϯ΍ςʔϚͷϖʔδͰ ͜ͷΑ͏ͳදه͕ग़Δͱཁ஫ҙ

  34.    όοΫΞοϓ͸େࣄ 8PSE1SFTTͷඪ४తͳϩά؀ڥ͚ͩͰ͸ɺ ༗ࣄͷͱ͖ʹඃ֐ঢ়گΛ೺Ѳ͢Δ͜ͱ͕೉͍͠ ʢݪҼΛಛఆͨ͠͏͑Ͱʣ ฏৗ࣌ʹ໭ͯ͠͠·͏ํ͕ૣ͍͜ͱ΋͋Δ ɾιʔεϑΝΠϧ ɾ%#

    %VNQϑΝΠϧ ͷόοΫΞοϓ͕͋Ε͹ ͳΜͱ͔ͳΔ ϓϥάΠϯΛ׆༻͢Δͷ΋0, ੬ऑੑͱϥΠηϯεʹ͸ؾΛ͚ͭͯ

  35.    

  36. 42-ΠϯδΣΫγϣϯ 944ʢΫϩεɾαΠτɾεΫϦϓςΟϯάʣ σʔλϕʔε΁ͷ߈ܸ σʔλϕʔε΁ͷ࿙͍͑΍ॻ͖׵͑ͳͲ ୈࡾऀʹΑΔ +BWB4DSJQUͷ࣮ߦ αΠτ๚໰ऀ΁ͷෆਖ਼αΠτ΁ͷ༠ಋ΍ɺ Ϛϧ΢ΣΞμ΢ϯϩʔυͳͲ  

  37. 8PSE1SFTT͕ఏڙ͢Δؔ਺Λ༻͍Δ The WordPress Codex Is Your Friend… $wpdb->prepare ϓϨʔεϗϧμʔΛ࢖ͬͨΫΤϦͷอޢ wp_kses

    esc_html / esc_attr ୈࡾऀʹΑΔ+BWB4DSJQUͷ࣮ߦ๷ࢭ How to Prevent File Upload Vulnerabilities https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/ current_user_can('upload_files') ݱࡏͷϢʔβ͕ݖݶΛ΋͔ͭɻ ྫͰ͸ΞοϓϩʔυݖݶΛ΋͔ͭͲ͏͔ wp_check_filetype ϑΝΠϧλΠϓΛνΣοΫ͢Δ .*/&λΠϓΛؚΊͯνΣοΫ͢Δඞཁ͕͋Δ

  38. Q E C S 3 7 K d L E7

    o i

  39.   

  40.    

  41.     8PSE1SFTTαΠτΛߏங͢Δͱ͍͘Β͔͔Δʁ ݟੵΓษڧձͰՁ֨Λग़ͯ͠Έͨ IUUQTUPZBPOFUXQXPSECFODI

  42.  8PSE1SFTTαΠτΛߏங͢Δͱ͍͘Β͔͔Δʁ ݟੵΓษڧձͰՁ֨Λग़ͯ͠Έͨ IUUQTUPZBPOFUXQXPSECFODI

  43.   8PSE1SFTTαΠτΛߏங͢Δͱ͍͘Β͔͔Δʁ ݟੵΓษڧձͰՁ֨Λग़ͯ͠Έͨ IUUQTUPZBPOFUXQXPSECFODI ¥488,355

  44.     ͱϗεςΟϯάձ͔ࣾΒ࿈བྷΛड͚ͨ ͦͷͨΊαΠτ͸ఀࢭத αΠτࣗ਎ͷϏδωεΠϯύΫτ͸௿͍ͨΊ ఀࢭࣗମʹେ͖ͳӨڹ͸ͳ͍͕ɺݪҼ΍ඃ֐ঢ়گΛ֬ೝޙɺ ҆શΛ֬ೝͨ͠͏͑ͰɺͳΔ΂͘ૣΊʹ࠶։͍ͤͨ͞ 2ηΩϡϦςΟϕϯμͷௐࠪඅ༻͸͍͘Β͍Ͱ͠ΐ͏

    ʮਆށΈͳͱࣃՊʯͷαΠτʹΞΫηε͢Δͱ ෆਖ਼ͳαΠτʹϦμΠϨΫτ͞ΕΔ ૝ఆࣄҊ

  45.      ෼ྨ ಺༰ Ձ֨ ॳظௐࠪ ɾΞΫηεαʔόϩάௐࠪ

    ɾϑΝΠϧεΩϟϯ ʢෆਖ਼ͳϑΝΠϧ͕ͳ͍͔ʣ ɾݸਓ৘ใ࿙ӮϦεΫ൑ఆ =  ηΩϡϦςΟ਍அ ɾηΩϡϦςΟ਍அ ʢπʔϧ਍அɺຊ਍அ͓Αͼ࠶਍அʣ =  Φϓγϣϯ ɾΦϯαΠτใࠂ =  ظؒɿ̍िؒఔ౓ʢ਍அΛআ͘ʣ ೲ඼෺ɿௐࠪใࠂॻ ࡞Γ௚͢ͷͱ ͔ΘΒΜʼʻ

  46.      υϝΠϯͱ͔ͱಉ͡Ͱ࠷ޙ·Ͱ؅ཧ͢Δ͜ͱΛ໨తͱ͢Δ ϦΞϧͳ࿩ͩͱ อकαʔϏεΛένΒͳ͍ ؅ཧͰ͖͍ͯͳ͍΢ΣϒαΠτ͸ด࠯ͷݕ౼Λ IUUQTXXXJQBHPKQTFDVSJUZDJBESWVMPMEDNTIUNM

    • ͓٬༷ɺؔ࿈اۀɺ؂ಜ׭ி΁ͷઆ໌ • 8"'ͳͲͷηΩϡϦςΟ੡඼ͱͷ৽نܖ໿ • หޢ࢜අ༻ • ࠶ߏஙඅ༻ɺۀऀ࠶બఆ ݕ౼߲໨ ࣮ࢪ߲໨͕

  47.       ͜ͷεϥΠυ͸ϑΟΫγϣϯͰ͢ ఘΊͯ࡞Γ௚͢΄͏͕҆͘Ͷʁ ͓͔͚ۚͯௐࠪͯ͠΋݁ہݪҼ͕෼͔Βͳ͔ͬͨ ͏ͪͰى͜Δͱ͸ࢥΘͳ͔ͬͨɻ

    өըͷ࿩Έ͍ͨ ͦ͏ͳΜͰ͕͢ɺ্ʹઆ໌͢Δͱ͔ͳΜͱ͔Ͱൃ஫͞ΕΔํ΋ 8PSE1SFTTͷඪ४తͳϩάͩͱಛఆ͸೉͍͜͠ͱ΋͋Γ·͢ ·͊͜ͷεϥΠυ͸ϑΟΫγϣϯͰ͔͢Β

  48.  

  49. • 8PSE1SFTTͷϩάΠϯΛकΔ • ੬ऑੑ৘ใΛ֬ೝ͢Δ • ϓϥάΠϯͱςʔϚΛબͿ • 8PSE1SFTTͷؔ਺Λ࢖͏ • ηΩϡϦςΟΘ΀ʔ΄͘͠ͳ͍ʁʢ୭͔ʂ

    8PSE1SFTTΛ҆શʹ࢖͏ํ๏ʂ Ͱ͖Ε͹ָͳ΍ͭ

  50. a r u t 9 ? W a r 9

    9 9 W s a r = P e r ? = 914 o h P 1 d o h s= 9

  51. 45 0 0 0 .