How to Scan and Check the Security of a WordPress Site with WPScan, Nmap and Nikto

Introduction

Millions of websites run WordPress, and there is a reason for that: of all the content management systems, WordPress is the most developer-friendly, and you can essentially do anything with it. Unfortunately, every day brings alarming reports that some major site has been hacked or some important database has leaked, and they are enough to frighten anyone.

If you have not installed WordPress yet, see the articles below.

On Debian-based systems:

On RPM-based systems:

My earlier article, How to secure a WordPress site, gives a checklist that helps readers keep WordPress secure.

In this article I will walk through installing wpscan and using it to find the known-vulnerable plugins and themes that expose your site, then how to install and use nmap, a free network exploration and security scanning tool, and finally the steps for using nikto.

(Title image from codersmount.com)

Testing WordPress for vulnerable plugins and themes with WPScan

WPScan is a black-box WordPress security scanner written in Ruby, built specifically to find known WordPress weaknesses. It gives security professionals and WordPress administrators a way to assess their WordPress sites. It is open source and released under the GPLv3.

Downloading and installing WPScan

Before we start installing, it is important to note that wpscan does not run on Windows, so you will need a Linux or OS X machine for what follows. If you only have Windows, you can download VirtualBox and install whichever Linux distribution you like in a virtual machine.

WPScan's source code is hosted on GitHub, so git must be installed first (LCTT translator's note: you can also download a packaged copy of the source from GitHub instead of installing git).

    sudo apt-get install git

With git installed, we install wpscan's dependencies.

    sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev ruby1.9.3

Clone wpscan from GitHub.

    git clone https://github.com/wpscanteam/wpscan.git

Now we can change into the newly created wpscan directory and install the required Ruby gems with bundler.

    cd wpscan
    sudo gem install bundler && bundle install --without test development

With wpscan installed, we can use it to search our WordPress site for potentially vulnerable files. The most important aspect of wpscan is that it can enumerate not only plugins and themes but also users and timthumb files. WPScan can also be used to brute-force WordPress, but that is not covered in this article.

Updating WPScan

    ruby wpscan.rb --update

Enumerating plugins

To list all plugins, just add the "--enumerate p" option, like this:

    ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate p

Or list only the vulnerable plugins:

    ruby wpscan.rb --url http(s)://www.yoursiteurl.com --enumerate vp

Some example output:

    | Name: ukiscet
    | Location: http://********.com/wp-content/plugins/akismet/

    | Name: audio-player
    | Location: http://********.com/wp-content/plugins/audio-player/
    |
    | * Title: Audio Player - player.swf playerID Parameter XSS
    | * Reference: http://seclists.org/bugtraq/2013/Feb/35
    | * Reference: http://secunia.com/advisories/52083
    | * Reference: http://osvdb.org/89963
    | * Fixed in: 2.0.4.6

    | Name: bbpress - v2.3.2
    | Location: http://********.com/wp-content/plugins/bbpress/
    | Readme: http://********.com/wp-content/plugins/bbpress/readme.txt
    |
    | * Title: BBPress - Multiple Script Malformed Input Path Disclosure
    | * Reference: http://xforce.iss.net/xforce/xfdb/78244
    | * Reference: http://packetstormsecurity.com/files/116123/
    | * Reference: http://osvdb.org/86399
    | * Reference: http://www.exploit-db.com/exploits/22396/
    |
    | * Title: BBPress - forum.php page Parameter SQL Injection
    | * Reference: http://xforce.iss.net/xforce/xfdb/78244
    | * Reference: http://packetstormsecurity.com/files/116123/
    | * Reference: http://osvdb.org/86400
    | * Reference: http://www.exploit-db.com/exploits/22396/

    | Name: contact
    | Location: http://********.com/wp-content/plugins/contact/
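As an added example that is not part of the original article, the POSIX shell script below turns WPScan's plugin listing into a short update list: for every finding it prints the plugin, the finding's title and the "Fixed in" version, so an administrator can see at a glance which plugins need an update and which have no fixed release at all (those are usually candidates for removal). The sample listing embedded in the script is constructed from the shape of the output above (plugin names and titles reused, locations replaced with example.com), and the parser assumes the pipe-prefixed `| Name:` / `| * Title:` / `| * Fixed in:` layout that this version of WPScan prints.

```shell
#!/bin/sh
# Added example (not from the original article or the WPScan project):
# summarise WPScan "--enumerate vp" output as "plugin <TAB> finding <TAB> fix".
# The listing below is constructed for the example, not a real scan result.

SAMPLE_WPSCAN_OUTPUT='| Name: akismet
| Location: http://example.com/wp-content/plugins/akismet/

| Name: audio-player
| Location: http://example.com/wp-content/plugins/audio-player/
|
| * Title: Audio Player - player.swf playerID Parameter XSS
| * Reference: http://seclists.org/bugtraq/2013/Feb/35
| * Fixed in: 2.0.4.6

| Name: bbpress - v2.3.2
| Location: http://example.com/wp-content/plugins/bbpress/
|
| * Title: BBPress - Multiple Script Malformed Input Path Disclosure
| * Reference: http://osvdb.org/86399
|
| * Title: BBPress - forum.php page Parameter SQL Injection
| * Reference: http://osvdb.org/86400'

# Read WPScan output on stdin and print one tab-separated line per finding:
# plugin name, finding title, fix version. "none listed" means WPScan knows
# of no fixed release, so updating alone will not help.
summarize_wpscan() {
    awk '
        # Everything after the first ": " on the line (titles may contain " - ").
        function value(line) { return substr(line, index(line, ": ") + 2) }
        # Emit the finding collected so far, if any, then reset it.
        function flush() {
            if (title != "") {
                printf "%s\t%s\t%s\n", plugin, title, (fix != "" ? fix : "none listed")
            }
            title = ""; fix = ""
        }
        /^\| Name: /        { flush(); plugin = value($0); sub(/ - v.*$/, "", plugin) }
        /^\| \* Title: /    { flush(); title = value($0) }
        /^\| \* Fixed in: / { fix = value($0) }
        END                 { flush() }
    '
}

# Read WPScan output on stdin and count the findings that have no fix version.
count_unfixed() {
    summarize_wpscan | awk -F'\t' '$3 == "none listed"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_WPSCAN_OUTPUT" | summarize_wpscan
```

In practice you would pipe the real scan into it, for example `ruby wpscan.rb --url https://www.yoursiteurl.com --enumerate vp | sh summarize.sh`, after removing the constructed sample; the plugin version suffix (`bbpress - v2.3.2`) is stripped so the first column matches the plugin directory name.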

Enumerating themes

Enumerating themes works much like enumerating plugins; just use "--enumerate t".

    ruby wpscan.rb --url http(s)://www.host-name.com --enumerate t

Or list only the vulnerable themes:

    ruby wpscan.rb --url http(s)://www.host-name.com --enumerate vt

Example output:

    | Name: path
    | Location: http://********.com/wp-content/themes/path/
    | Style URL: http://********.com/wp-content/themes/path/style.css
    | Description:

    | Name: pub
    | Location: http://********.com/wp-content/themes/pub/
    | Style URL: http://********.com/wp-content/themes/pub/style.css
    | Description:

    | Name: rockstar
    | Location: http://********.com/wp-content/themes/rockstar/
    | Style URL: http://********.com/wp-content/themes/rockstar/style.css
    | Description:
    |
    | * Title: WooThemes WooFramework Remote Unauthenticated Shortcode Execution
    | * Reference: https://gist.github.com/2523147

    | Name: twentyten
    | Location: http://********.com/wp-content/themes/twentyten/
    | Style URL: http://********.com/wp-content/themes/twentyten/style.css
    | Description:

Enumerating users

WPScan can also enumerate the users and valid login names of a WordPress site. Attackers often do this to obtain a list of users to brute-force.

    ruby wpscan.rb --url http(s)://www.host-name.com --enumerate u

Enumerating Timthumb files

The last WPScan feature I want to cover is enumerating timthumb (thumbnail) files. In recent years timthumb has become a common target for attackers, because countless vulnerabilities in it have been found and posted to forums, mailing lists and the like. The following command uses wpscan to find vulnerable timthumb files:

    ruby wpscan.rb --url http(s)://www.host-name.com --enumerate tt

Scanning your VPS's open ports with Nmap

Nmap is an open source tool for network exploration and security auditing. It can scan huge networks quickly and also works against a single host. Nmap uses raw IP packets in novel ways to determine which hosts on a network are up, what services (application name and version) those hosts offer, what operating system (and version) they run, what kind of firewall is in use, and many other characteristics.

Downloading and installing nmap on Debian and Ubuntu

To install nmap on Debian- and Ubuntu-based systems, run:

    sudo apt-get install nmap

Sample output

    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following NEW packages will be installed:
     nmap
    0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
    Need to get 1,643 kB of archives.
    After this operation, 6,913 kB of additional disk space will be used.
    Get:1 http://mirrors.service.networklayer.com/ubuntu/ precise/main nmap amd64 5.21-1.1ubuntu1 [1,643 kB]
    Fetched 1,643 kB in 0s (16.4 MB/s)
    Selecting previously unselected package nmap.
    (Reading database ... 56834 files and directories currently installed.)
    Unpacking nmap (from .../nmap_5.21-1.1ubuntu1_amd64.deb) ...
    Processing triggers for man-db ...
    Setting up nmap (5.21-1.1ubuntu1) ...

Example

Print the nmap version:

    nmap -V

or

    nmap --version

Sample output

    Nmap version 5.21 ( http://nmap.org )

Downloading and installing nmap on CentOS

To install nmap on RHEL-based Linux, enter:

    yum install nmap

Sample output

    Loaded plugins: protectbase, rhnplugin, security
    0 packages excluded due to repository protections
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package nmap.x86_64 2:5.51-2.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
    Package    Arch         Version               Repository                  Size
    ================================================================================
    Installing:
    nmap       x86_64       2:5.51-2.el6          rhel-x86_64-server-6       2.8 M

    Transaction Summary
    ================================================================================
    Install       1 Package(s)

    Total download size: 2.8 M
    Installed size: 0
    Is this ok [y/N]: y
    Downloading Packages:
    nmap-5.51-2.el6.x86_64.rpm                               | 2.8 MB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
     Installing : 2:nmap-5.51-2.el6.x86_64                                     1/1
     Verifying  : 2:nmap-5.51-2.el6.x86_64                                     1/1

    Installed:
     nmap.x86_64 2:5.51-2.el6

    Complete!

Example

Print the nmap version:

    nmap --version

Sample output

    Nmap version 5.51 ( http://nmap.org )

Port scanning with Nmap

You can use nmap to learn a great deal about your server; it lets you see your site the way someone with bad intentions toward it would.

So only use it to test your own servers, or notify the server's owner before you act.

The nmap authors provide a test server:

    scanme.nmap.org

Some of these commands can take a long time to run.

To scan an IP address or a hostname (fully qualified domain name), run:

    nmap 192.168.1.1

Sample output:

Fig.01: nmap in action

Scan to detect the host's operating system:

    sudo nmap -O 192.168.1.1

Add a "-" range or a "/24" to scan several hosts in a range at once:

    sudo nmap -PN xxx.xxx.xxx.xxx-yyy

Scan a range for available services:

    sudo nmap -sP network_address_range

Scan IP addresses without reverse DNS resolution; in most cases this gets you results faster:

    sudo nmap -n remote_host

Scan a specific port instead of all the common ports:

    sudo nmap -p port_number remote_host

Scan a network to find which servers are online and what services each of them is running.

This is what is known as host discovery, or a ping scan:

    nmap -sP 192.168.1.0/24

Sample output:

    Host 192.168.1.1 is up (0.00035s latency).
    MAC Address: BC:AE:C5:C3:16:93 (Unknown)
    Host 192.168.1.2 is up (0.0038s latency).
    MAC Address: 74:44:01:40:57:FB (Unknown)
    Host 192.168.1.5 is up.
    Host nas03 (192.168.1.12) is up (0.0091s latency).
    MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
    Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second
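Added example, not from the original article: a POSIX shell script that extracts the live addresses from a ping scan like the one above and compares them with an inventory of the hosts that are supposed to be on the network, so that an unexpected device is reported on its own line rather than lost in the scan output. The scan text and the inventory list are constructed for the example. The sed patterns assume the `Host ... is up` line format of nmap 5.x shown here; current nmap releases print `Nmap scan report for ...` instead, so they would need adjusting for a modern version.

```shell
#!/bin/sh
# Added example (not from the original article or the nmap project):
# compare the hosts an nmap ping scan found up with an inventory of
# expected hosts and report anything unexpected.

# Constructed scan output, in the nmap 5.x "Host ... is up" format.
SAMPLE_SCAN='Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 seconds'

# Constructed inventory: the addresses an administrator expects to answer.
KNOWN_HOSTS='192.168.1.1
192.168.1.2
192.168.1.12'

# Read scan output on stdin; print the address of every host reported up.
# Handles both "Host <ip> is up" and "Host <name> (<ip>) is up".
live_hosts() {
    sed -n \
        -e 's/^Host \([0-9.][0-9.]*\) is up.*/\1/p' \
        -e 's/^Host .*(\([0-9.][0-9.]*\)) is up.*/\1/p'
}

# Read addresses on stdin; print those that are absent from the inventory
# passed as $1 (one address per line).
unknown_hosts() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        !($0 in seen) { print }
    '
}

echo "Hosts up:"
printf '%s\n' "$SAMPLE_SCAN" | live_hosts
echo "Up but not in inventory:"
printf '%s\n' "$SAMPLE_SCAN" | live_hosts | unknown_hosts "$KNOWN_HOSTS"
```

Run against a real sweep as `nmap -sP 192.168.1.0/24 | live_hosts | unknown_hosts "$(cat inventory.txt)"`; a host that shows up here is either an inventory gap or something that should not be on the network, and either way deserves a look.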

Understanding your port configuration and finding the attack targets on your server is only the first step toward keeping your data and your VPS secure.

Scanning your site for vulnerabilities with Nikto

The Nikto web scanner is an open source web server scanner that checks a web server for malicious programs and files. Nikto can also check whether software versions are out of date. It performs simple, fast scans to find dangerous files and programs on the server, and writes a log file when the scan finishes.

Downloading and installing Nikto on a Linux server

Perl comes preinstalled on Linux, so you only need to download nikto from the project page, unpack it into a directory and start testing.

    wget https://cirt.net/nikto/nikto-2.1.4.tar.gz

You can unpack it with an archive manager, or with tar and gzip together as follows:

    tar zxvf nikto-2.1.4.tar.gz
    cd nikto-2.1.4
    perl nikto.pl

If the installation is correct you will see something like this:

    - ***** SSL support not available (see docs for SSL install) *****
    - Nikto v2.1.4
    ---------------------------------------------------------------------------
    + ERROR: No host specified

           -config+            Use this config file
           -Cgidirs+           scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
           -dbcheck            check database and other key files for syntax errors
           -Display+           Turn on/off display outputs
           -evasion+           ids evasion technique
           -Format+            save file (-o) format
           -host+              target host
           -Help               Extended help information
           -id+                Host authentication to use, format is id:pass or id:pass:realm
           -list-plugins       List all available plugins
           -mutate+            Guess additional file names
           -mutate-options+    Provide extra information for mutations
           -output+            Write output to this file
           -nocache            Disables the URI cache
           -nossl              Disables using SSL
           -no404              Disables 404 checks
           -port+              Port to use (default 80)
           -Plugins+           List of plugins to run (default: ALL)
           -root+              Prepend root value to all requests, format is /directory
           -ssl                Force ssl mode on port
           -Single             Single request mode
           -timeout+           Timeout (default 2 seconds)
           -Tuning+            Scan tuning
           -update             Update databases and plugins from CIRT.net
           -vhost+             Virtual host (for Host header)
           -Version            Print plugin and database versions
               + requires a value

        Note: This is the short help output. Use -H for full help.

This error only tells us that a required argument was not given. SSL support can be added by installing the Perl SSL module (sudo apt-get install libnet-ssleay-perl).

Updating the nikto database

Before using nikto we need to update its database:

    /usr/local/bin/nikto.pl -update

The following command lists the available nikto plugins.

    nikto.pl -list-plugins // To list the installed plugins //

Scanning for vulnerabilities

Let's run a simple test against a URL.

    perl nikto.pl -h http://www.host-name.com

Sample output

The output is very long and can be confusing at first. Many Nikto alerts report an OSVDB number; these are assigned by the Open Source Vulnerability Database (http://osvdb.org/), where you can look up a detailed description of the finding.

    $ nikto -h http://www.host-name.com
    - Nikto v2.1.4
    ---------------------------------------------------------------------------
    + Target IP:         1.2.3.4
    + Target Hostname:    host-name.com
    + Target Port:        80
    + Start Time:         2012-08-11 14:27:31
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.22 (FreeBSD) mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2
    + robots.txt contains 4 entries which should be manually viewed.
    + mod_ssl/2.2.22 appears to be outdated (current is at least 2.8.31) (may depend on server version)
    + ETag header found on server, inode: 5918348, size: 121, mtime: 0x48fc943691040
    + mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + /lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login to admin interface is admin/phplist
    + OSVDB-2322: /gallery/search.php?searchstring=<script>alert(document.cookie)</script>: Gallery 1.3.4 and below is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. http://www.securityfocus.com/bid/8288.
    + OSVDB-7022: /calendar.php?year=alert(document.cookie);</script>&month=03&day=05: DCP-Portal v5.3.1 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
    + OSVDB-3233: /phpinfo.php: Contains PHP configuration information
    + OSVDB-3092: /system/: This might be interesting...
    + OSVDB-3092: /template/: This may be interesting as the directory may hold sensitive files or reveal system information.
    + OSVDB-3092: /updates/: This might be interesting...
    + OSVDB-3092: /README: README file found.
    + 6448 items checked: 1 error(s) and 14 item(s) reported on remote host
    + End Time:           2012-08-11 15:52:57 (5126 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    $

Nikto is a very lightweight general-purpose tool. Because it is written in Perl, it runs on almost any server operating system.

I hope this article gives you some pointers for checking your WordPress site for vulnerabilities. My earlier article, How to secure a WordPress site (http://www.unixmen.com/secure-wordpress-website/), records a checklist that makes the job of protecting your WordPress site easier.

If you have something to say, leave a comment.

Original publication date: 2015-04-26

This article comes from Yunqi community partner "Linux China".
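Added example, not part of the original article: because a Nikto report is long, a practical way to use it on a schedule is to keep each run's output and look only at what changed. The POSIX shell script below compares two saved reports and prints the findings that are new and the ones that are no longer reported. Both reports are constructed from lines in the sample output above (the second one pretends that TRACE was disabled and a README file appeared in the meantime); the script assumes Nikto's plain `+ ...` finding lines and ignores the per-run lines (target, start and end time, item counts) that differ between any two scans.

```shell
#!/bin/sh
# Added example (not from the original article or the Nikto project):
# diff two saved Nikto reports and show new and resolved findings.
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# Constructed report from an earlier run (lines modelled on the article's output).
REPORT_PREVIOUS='- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:         1.2.3.4
+ Target Hostname:    host-name.com
+ Target Port:        80
+ Start Time:         2012-08-11 14:27:31
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (FreeBSD) mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2
+ robots.txt contains 4 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ 6448 items checked: 1 error(s) and 3 item(s) reported on remote host
+ End Time:           2012-08-11 15:52:57 (5126 seconds)
+ 1 host(s) tested'

# Constructed report from a later run: TRACE is gone, a README appeared.
REPORT_CURRENT='- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:         1.2.3.4
+ Target Hostname:    host-name.com
+ Target Port:        80
+ Start Time:         2012-08-18 14:30:02
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (FreeBSD) mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2
+ robots.txt contains 4 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /README: README file found.
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ 6448 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2012-08-18 15:55:10 (5108 seconds)
+ 1 host(s) tested'

# Read a report on stdin; keep only finding lines, dropping the per-run
# bookkeeping that changes even when nothing on the server changed.
findings() {
    grep '^+ ' |
        grep -v -e '^+ Target ' -e '^+ Start Time' -e '^+ End Time' \
                -e ' items checked: ' -e ' host(s) tested' |
        sort -u
}

# Print finding lines present in report $2 but not in report $1.
new_findings() {
    previous_tmp=$(mktemp) && current_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | findings > "$previous_tmp"
    printf '%s\n' "$2" | findings > "$current_tmp"
    comm -13 "$previous_tmp" "$current_tmp"
    rm -f "$previous_tmp" "$current_tmp"
}

# Print finding lines that were in report $1 but are absent from report $2.
resolved_findings() {
    new_findings "$2" "$1"
}

echo "New since previous scan:"
new_findings "$REPORT_PREVIOUS" "$REPORT_CURRENT"
echo "No longer reported:"
resolved_findings "$REPORT_PREVIOUS" "$REPORT_CURRENT"
```

For real use, save each run with `perl nikto.pl -h http://www.host-name.com -output nikto-$(date +%F).txt` and feed the two newest files to the functions; a changed `+ Server:` banner or a newly reported path is exactly the kind of change a scheduled rescan exists to catch.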