Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WordPress保安検査ガイド〜運用可能なセキュリティを始めるために〜 / wpcamp_h...

WordPress保安検査ガイド〜運用可能なセキュリティを始めるために〜 / wpcamp_haneda_security

yoshinori matsumoto

April 20, 2019
Tweet

More Decks by yoshinori matsumoto

Other Decks in Technology

Transcript

  1. et r pc B C A mo d K ilk

    y O h  , 0 P W c aS sn  , 5 6 2 1 06 , 0
  2. Wcd h h S Wcd p I n J i

    ov d rP t SI A A + 5 I 6 os h u b ae h u
  3. mi / A p . 1274 / A g tc

    j s 7 A- 8 4381 2 4 4 8A4 1 82 4A 4 A ( 7 e hfn dfkl 7 A- 2 6 6 2 4 A 35 ) 06 0 608 :18 8 35 r S a_ r uo ͳΔ΂͘ૣ͘ରԠ ʢͰ͖ͨΒࣗಈԽ͍ͨ͠ʣ
  4. • 8PSE1SFTTͷϩάΠϯΛकΔ • ੬ऑੑ৘ใΛ֬ೝ͢Δ • ϓϥάΠϯͱςʔϚΛબͿ • 8PSE1SFTTͷؔ਺Λ࢖͏  ؅ཧऀ

    ։ൃऀ޲͚ ؅ཧऀ ฤूऀ ౤ߘऀ دߘऀ ߪಡऀ 8PSE1SFTTΛ҆શʹ࢖͏ํ๏ʂ Ͱ͖Ε͹ָͳ΍ͭ શϢʔβ ʴЋ ࣄނ͕͓ͬͨ͜Β
  5.    ސ٬޲͚ͷΞΧ΢ϯτ؅ཧ͸8PSE1SFTTͷ ʮ$VTUPNFSʯݖݶʢ8$ಠࣗʣͱͯ͠࡞੒͞ΕΔ XQMPHJOQIQܦ༝Ͱ΋ϩάΠϯͰ͖Δ͕ ؅ཧը໘ XQBENJOҎԼ ʹ͸ΞΫηεͰ͖ͳ͍ •

    8PSE1SFTTͷϩάΠϯϑΥʔϜͱಉ͡ڧ౓ • ௨ৗϩάΠϯͱҧ͍ʮOPODFʯ͸͍͍ͭͯΔ͕ɺϫϯλΠϜͰ͸ ͳ͍ͷͰϒϧʔτϑΥʔεରࡦʹ͸ඍົ • ϩάΠϯอޢܥͷϓϥάΠϯ͸ͦͷ··࢖͑Δ ʢ-PHJO-PDL%PXO $SB[ZCPOF ͳͲͰ͸ݕ஌Ͱ͖ͨʣ
  6.     Ϩϯλϧαʔόͷ৔߹ ଞαΠτ ଞαΠτ .Z 8PSE1SFTT ͋ͳͨ

    '51αʔό ڞ༻αʔό '51ΞΧ΢ϯτ 81ΞΧ΢ϯτ ίϯύω ΞΧ΢ϯτ αʔό ܖ໿৘ใ ϗεςΟϯάձࣾͷೋཁૉೝূΛ༗ޮʹ͢Δ ͦΕͧΕύεϫʔυΛ࢖͍·Θ͞ͳ͍ '51ΫϥΠΞϯτ͸࠷৽൛Λ࢖͏ ͳΔ΂͘'51͸࢖Θͳ͍ ίϯύω
  7.     714Ϋϥ΢υαʔϏεͷ৔߹ ͋ͳͨ 714 81ΞΧ΢ϯτ ίϯύω ΞΧ΢ϯτ

    αʔό ܖ໿৘ใ ϗεςΟϯάձࣾͷೋཁૉೝূΛ༗ޮʹ͢Δ αʔόͷ44)ϩάΠϯ͸ެ։伴ೝূ ʢύεϫʔυແޮʣʹ͢Δ ηΩϡϦςΟάϧʔϓͳͲ΋ઃఆ ίϯύω .Z 8PSE1SFTT 44)% αʔόΞΧ΢ϯτ
  8.      2աڈʹ XQMPHJOQIQ ʹΞΫηε͕͋ͬͨ*1ΞυϨεΛ ϒϩοΫ͍ͯ͠Δ͕ޮՌ͸͋Δͷ͔ʁ ΞΫηεϩά

    Attack IP .htaccess ϩάΠϯը໘ʹ޿͘ΞΫηε͍ͯ͠Δ*1͸ͦͷ౎౓มߋ͞ΕΔͨΊɺ *1ΞυϨεͷϒϥοΫϦετΛ؅ཧ͢Δͷ͸೉͍͠ɻ ·ͨɺݱঢ়ւ֎ͷ*1ΞυϨεଳҬʹଟ͍܏޲͸͋Δ͕ɺ ࠓޙࠃ಺*1ΞυϨεͰͷεΩϟϯ΋ߟ͑ΒΕΔͨΊɺ ࠃ͝ͱͷΞΫηε੍ݶΛա৴͠ͳ͍Α͏ʹ஫ҙ͕ඞཁɻ
  9.       8PSE1SFTT͔Βಋೖ σϑΥϧτͰ༗ޮ ϚΠφʔΞοϓσʔτʢηΩϡϦςΟΞοϓσʔτʣͷΈର৅ ແޮʹ͢Δ͜ͱ΋Մೳ

    ˠΑͬΆͲͷཧ༝͕ͳ͍ݶΓແޮʹ͠ͳ͍     2018/12 2019/3 2019/2 2019/3 ΦʔτΞοϓσʔτ खಈ Ξοϓσʔτ ΦʔτΞοϓσʔτ ݪଇతʹαϙʔτ͸࠷৽൛Ͱ͋Δ͕ɺ ηΩϡϦςΟύον͕ग़Δ͜ͱ΋͋Δ
  10.   • 1)1ͷόʔδϣϯ͕ݹ͗͢ͳ͍͔ ˠ ͦ΋ͦ΋8PSE1SFTT΋ಈ͔ͳ͘ͳΔ • 8FCαʔόʢ"QBDIF/HJOYʣͷόʔδϣϯ͕ݹ͗͢ͳ͍͔ ˠ ZVNVQEBUF

    • ϑΝΠΞ΢Υʔϧ JQUBCMFTηΩϡϦςΟάϧʔϓ ˠ ࢖༻͍ͯ͠ͳ͍αʔϏε͕ىಈͨ͠··ʹͳ͍ͬͯͳ͍͔ • ϩάϩʔςʔγϣϯ • 44-Խ ˠ ύεϫʔυɾݸਓ৘ใΛѻ͏৔໘͸͋ͬͨ΄͏͕͍͍ɻ4&0తʹ΋ɻ Α͘Θ͔Βͳ͍ɺ໘౗͍͘͞ͱ͍͏ਓ͸ Ϩϯλϧαʔό΋͘͠͸8PSE1SFTTDPNΛར༻͠·͠ΐ͏
  11.  Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild

    https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/ ੬ऑੑΛѱ༻͞Ε εΫϦϓτΛຒΊࠐ·ΕΔ Ӿཡऀ͕࣮ߦ͢Δͱ ࠮ٗαΠτʹ༠ಋ͞ΕΔ ͦͷޙϓϥάΠϯ͸࡟আ͞ΕΔ ։ൃऀʹ௨஌͸͍͔ͳ͍ʂʁ
  12.       ੬ऑੑΛѱ༻͞Ε ೚ҙίʔυ͕࣮ߦ͞ΕΔ Ξοϓσʔτʹͯ ੬ऑੑରԠՄೳ

    • αΠτվ͟Μ • όοΫυΞຒΊࠐΈ • ϑΝΠϧ࡟আͳͲ • ϑΟογϯάαΠτԽ • ِαΠτ΁ͷ༠ಋ ͳΜͰ΋Ͱ͖Δ Duplicator Update Patches Remote Code Execution Flaw https://www.wordfence.com/blog/2018/09/duplicator-update-patches-remote-code-execution-flaw/
  13. 8PSE1SFTT͕ఏڙ͢Δؔ਺Λ༻͍Δ The WordPress Codex Is Your Friend… $wpdb->prepare ϓϨʔεϗϧμʔΛ࢖ͬͨΫΤϦͷอޢ wp_kses

    esc_html / esc_attr ୈࡾऀʹΑΔ+BWB4DSJQUͷ࣮ߦ๷ࢭ How to Prevent File Upload Vulnerabilities https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/ current_user_can('upload_files') ݱࡏͷϢʔβ͕ݖݶΛ΋͔ͭɻ ྫͰ͸ΞοϓϩʔυݖݶΛ΋͔ͭͲ͏͔ wp_check_filetype ϑΝΠϧλΠϓΛνΣοΫ͢Δ .*/&λΠϓΛؚΊͯνΣοΫ͢Δඞཁ͕͋Δ
  14.      ෼ྨ ಺༰ Ձ֨ ॳظௐࠪ ɾΞΫηεαʔόϩάௐࠪ

    ɾϑΝΠϧεΩϟϯ ʢෆਖ਼ͳϑΝΠϧ͕ͳ͍͔ʣ ɾݸਓ৘ใ࿙ӮϦεΫ൑ఆ =  ηΩϡϦςΟ਍அ ɾηΩϡϦςΟ਍அ ʢπʔϧ਍அɺຊ਍அ͓Αͼ࠶਍அʣ =  Φϓγϣϯ ɾΦϯαΠτใࠂ =  ظؒɿ̍िؒఔ౓ʢ਍அΛআ͘ʣ ೲ඼෺ɿௐࠪใࠂॻ ࡞Γ௚͢ͷͱ ͔ΘΒΜʼʻ
  15.      υϝΠϯͱ͔ͱಉ͡Ͱ࠷ޙ·Ͱ؅ཧ͢Δ͜ͱΛ໨తͱ͢Δ ϦΞϧͳ࿩ͩͱ อकαʔϏεΛένΒͳ͍ ؅ཧͰ͖͍ͯͳ͍΢ΣϒαΠτ͸ด࠯ͷݕ౼Λ IUUQTXXXJQBHPKQTFDVSJUZDJBESWVMPMEDNTIUNM

    • ͓٬༷ɺؔ࿈اۀɺ؂ಜ׭ி΁ͷઆ໌ • 8"'ͳͲͷηΩϡϦςΟ੡඼ͱͷ৽نܖ໿ • หޢ࢜අ༻ • ࠶ߏஙඅ༻ɺۀऀ࠶બఆ ݕ౼߲໨ ࣮ࢪ߲໨͕
  16.       ͜ͷεϥΠυ͸ϑΟΫγϣϯͰ͢ ఘΊͯ࡞Γ௚͢΄͏͕҆͘Ͷʁ ͓͔͚ۚͯௐࠪͯ͠΋݁ہݪҼ͕෼͔Βͳ͔ͬͨ ͏ͪͰى͜Δͱ͸ࢥΘͳ͔ͬͨɻ

    өըͷ࿩Έ͍ͨ ͦ͏ͳΜͰ͕͢ɺ্ʹઆ໌͢Δͱ͔ͳΜͱ͔Ͱൃ஫͞ΕΔํ΋ 8PSE1SFTTͷඪ४తͳϩάͩͱಛఆ͸೉͍͜͠ͱ΋͋Γ·͢ ·͊͜ͷεϥΠυ͸ϑΟΫγϣϯͰ͔͢Β
  17. a r u t 9 ? W a r 9

    9 9 W s a r = P e r ? = 914 o h P 1 d o h s= 9