FLISOL DF 2015 - WordPress vs Hacker: hardening your WordPress
![Page 1: Flisol DF 2015 - WordPress vs Hacker . blindando seu WordPress](https://reader035.vdocuments.mx/reader035/viewer/2022062515/55d0a544bb61eb74598b4611/html5/thumbnails/1.jpg)
WordPress vs Hacker
Hardening your WordPress
Who are we?
Who am I?
Lenon Leite @lenonleite
DevOps + Workaholic + ADHD = ME
Who am I?
Thiago Dieb @thiagodieb
++ Anxious; -- ADHD;
The current state of WordPress
Source: https://wappalyzer.com/categories/cms (24/04/2015)
WordPress is secure
● 100% secure == false;
● WordPress or a home-grown CMS?
● WordPress
  ○ Stable;
  ○ Fast turnaround on updates;
  ○ Collaborative;
What about plugins and themes?
● All plugins and themes come from WordPress.org == false;
● Usefulness vs. security == (?);
● Paid vs. free == (?);
● ++ plugins == ++ risk;
● Pirated themes == ++ risk;
Let's get started...
Flaws in themes and plugins...
● LFD (local file download);
● File upload;
● SQL injection;
● Brute force;
● XSS (cross-site scripting)
  ○ Jetpack, Google Analytics by Yoast, WordPress SEO;
LFD
ThemeForest and CodeCanyon: a list of more than a thousand themes...
=O "Slider Revolution"
http://marketblog.envato.com/news/affected-themes/
LFD
Example ...
http://wordpress.local/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
http://wordpress.local/wp-admin/admin-ajax.php?action=revslider_show_image&img=../../../../etc/passwd
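The two URLs above show the same mistake from the attacker's side: an AJAX action appends a client-supplied file name to a directory and serves whatever the result points to. The PHP below is an example added here; it is not code from the talk or from the Slider Revolution plugin, and the action names `vuln_show_image` / `safe_show_image`, the `images/` directory and the `edit_posts` capability are assumptions. It shows the vulnerable shape beside a hardened handler that confines the resolved path to one directory, allows only image extensions, and requires a logged-in user with a nonce.

```php
<?php
// Added example (not from the talk or any real plugin). Hypothetical AJAX
// action names; register this from a plugin or mu-plugin file.

// VULNERABLE shape: the client-supplied `img` is appended to a base directory
// with no validation, so img=../wp-config.php walks out of the directory and
// the server returns any file PHP can read (local file download, LFD).
function vuln_show_image() {
    $base = plugin_dir_path( __FILE__ ) . 'images/';
    $file = $base . $_GET['img'];   // no sanitisation at all
    header( 'Content-Type: image/png' );
    readfile( $file );
    exit;
}

// HARDENED: require a capability and a nonce, strip any directory part,
// resolve the real path, require it to stay inside the images directory,
// allow only image extensions and serve with the matching MIME type.
function safe_show_image() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'safe_show_image' ); // dies on a missing/invalid nonce

    $base = realpath( plugin_dir_path( __FILE__ ) . 'images' );
    if ( false === $base ) {
        wp_send_json_error( 'not found', 404 );
    }
    $base .= DIRECTORY_SEPARATOR;

    $requested = isset( $_GET['img'] ) ? wp_unslash( $_GET['img'] ) : '';
    $requested = basename( $requested );          // "../../x.png" -> "x.png"
    $real      = realpath( $base . $requested );  // collapses ../ and symlinks

    // The resolved path must exist AND start with the base directory.
    if ( false === $real || 0 !== strpos( $real, $base ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    $allowed = array(
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
    );
    $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
    if ( ! isset( $allowed[ $ext ] ) ) {
        wp_send_json_error( 'unsupported type', 415 );
    }

    header( 'Content-Type: ' . $allowed[ $ext ] );
    header( 'Content-Length: ' . filesize( $real ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $real );
    exit;
}
add_action( 'wp_ajax_safe_show_image', 'safe_show_image' );
// Deliberately no wp_ajax_nopriv_ hook: anonymous visitors cannot reach it.
```

The client obtains the nonce with `wp_create_nonce( 'safe_show_image' )` and sends it as `_wpnonce`. The `basename()` call alone already defeats traversal; the `realpath()` prefix check is kept so the guarantee survives a later refactor that drops `basename()`. On the detection side, requests to `admin-ajax.php` whose file-name parameter contains `..` or `wp-config` are the signal to alert on in access logs.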
File upload
Example ...
http://wordpress.local/wp-content/themes/curvo/functions/upload-handler.php
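The URL above is a standalone script inside a theme: it can be requested directly, outside WordPress, so no login, nonce or capability check ever runs, and a theme that trusts the client's file name will happily store a `.php` file. The handler below is an example added here, not code from the talk or from the theme named above; the action name `secure_theme_upload`, the form field `file` and the 2 MB cap are assumptions. It routes the upload through WordPress and validates type, size and name before `wp_handle_upload()` stores the file under `uploads/`.

```php
<?php
// Added example (not from the talk or the "curvo" theme). Hypothetical action
// name; register it from a plugin or mu-plugin, never as a standalone script.

// Bail out if this file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
require_once ABSPATH . 'wp-admin/includes/file.php'; // wp_handle_upload()

function secure_theme_upload() {
    // 1. Only authenticated users with the upload capability, with a nonce.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'secure_theme_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];

    // 2. Size cap independent of php.ini (2 MB is an assumption).
    if ( $file['size'] > 2 * 1024 * 1024 ) {
        wp_send_json_error( 'too large', 413 );
    }

    // 3. Allowlist of types. The extension and the file's real content must
    //    agree: wp_check_filetype_and_ext() returns ext/type = false when an
    //    image's magic bytes do not match the claimed extension.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'type not allowed', 415 );
    }

    // 4. Never keep the client's file name: it may carry traversal or a
    //    double extension such as "shell.php.jpg". Generate a random one.
    $file['name'] = wp_generate_password( 16, false ) . '.' . $check['ext'];

    // 5. Let WordPress move the file into uploads/ (test_type stays true, so
    //    the MIME check runs again). The file lands outside every theme and
    //    plugin directory, where PHP execution should also be switched off.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_secure_theme_upload', 'secure_theme_upload' );
// No wp_ajax_nopriv_ hook: unauthenticated uploads are never accepted.
```

Two server-side measures complete the picture and belong in web-server configuration rather than PHP: deny execution of `.php` files under `wp-content/uploads/`, and make sure theme and plugin directories contain no reachable standalone scripts at all (the `ABSPATH` guard at the top turns such a script into a blank page).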
SQL injection
Example ...
http://wordpress.local/wp-content/plugins/formcraft/form.php?id=1%27
python sqlmap.py -u 'http://wordpress.local/wp-content/plugins/formcraft/form.php?id=1' --dbs
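The single quote in `id=1'` above produces a database error only when the plugin pastes the parameter straight into its SQL; that error is what a scanner such as sqlmap keys on. The PHP below is an example added here, not code from the talk or from the FormCraft plugin; the table `myforms`, the column names and the action `my_form_lookup` are assumptions. It shows the vulnerable concatenation beside the `$wpdb->prepare()` form, including the `LIKE` case that needs `esc_like()` as well, and moves the lookup behind an AJAX action so a bare `form.php?id=` is no longer reachable.

```php
<?php
// Added example (not from the talk or from FormCraft). Table, column and
// action names are assumptions.

// VULNERABLE shape: the id is concatenated into the SQL, so id=1' breaks the
// statement and the whole WHERE clause is under the client's control.
function vuln_get_form( $raw_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myforms';
    return $wpdb->get_row( "SELECT * FROM $table WHERE id = " . $raw_id );
}

// HARDENED: cast to a non-negative integer and bind through prepare().
// absint("1'") keeps only the leading digits, so the quote never reaches SQL;
// non-numeric input becomes 0 and is rejected outright.
function safe_get_form( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id );
    if ( 0 === $id ) {
        return null;
    }
    $table = $wpdb->prefix . 'myforms';
    $sql   = $wpdb->prepare( "SELECT id, name FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_row( $sql );
}

// String values go through %s, which quotes and escapes them. A LIKE pattern
// additionally needs esc_like(), otherwise % and _ in the input act as
// wildcards and turn a search box into a table dump.
function safe_search_forms( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myforms';
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $sql   = $wpdb->prepare( "SELECT id, name FROM {$table} WHERE name LIKE %s", $like );
    return $wpdb->get_results( $sql );
}

// Scripts under wp-content/plugins/ must not be reachable directly. Expose the
// lookup as an AJAX action so every request passes through WordPress
// (session, nonce, capability) instead of a bare form.php?id=...
function my_form_lookup() {
    check_ajax_referer( 'my_form_lookup' );
    $row = safe_get_form( isset( $_GET['id'] ) ? wp_unslash( $_GET['id'] ) : 0 );
    if ( null === $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
}
add_action( 'wp_ajax_my_form_lookup', 'my_form_lookup' );
```

`$wpdb->prepare()` is the only WordPress API that escapes for the query context; `esc_sql()` exists but does not handle numeric placeholders or `LIKE` wildcards, which is why the integer cast and `esc_like()` are shown separately.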
Brute force
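Brute force against `wp-login.php` (and, via `system.multicall`, against XML-RPC) works because WordPress itself never slows a guesser down. The mu-plugin below is an example added here, not code from the talk or from any plugin it names; the thresholds (5 failures per 15 minutes), the prefix `lt_` and the decision to trust only `REMOTE_ADDR` are assumptions. It counts failed logins per source address in a transient, refuses further attempts from that address while the window lasts, logs every failure for the SOC, and removes the multicall method that lets one request carry hundreds of guesses.

```php
<?php
/**
 * Plugin Name: Login throttle (added example, not from the talk)
 * Drop into wp-content/mu-plugins/. Locks a source IP out after too many
 * failed logins for a cooling-off period. Thresholds are assumptions.
 */
define( 'LT_MAX_ATTEMPTS', 5 );   // failures allowed per window
define( 'LT_WINDOW',       900 ); // 15 minutes, in seconds

function lt_client_ip() {
    // Trust only REMOTE_ADDR. X-Forwarded-For is client-supplied unless a
    // proxy you control overwrites it, so using it here lets the attacker
    // pick whose counter increments.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_key( $ip ) {
    return 'lt_fail_' . md5( $ip );
}

// Count each failed login per IP in a transient that expires with the window.
function lt_record_failure( $username ) {
    $ip    = lt_client_ip();
    $key   = lt_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LT_WINDOW );
    // Failed logins are the raw material of detection: leave a trace.
    error_log( sprintf( 'wp-login failure for "%s" from %s (%d/%d)',
        $username, $ip, $count, LT_MAX_ATTEMPTS ) );
}
add_action( 'wp_login_failed', 'lt_record_failure' );

// Priority 30 runs AFTER core's password check (priority 20), so this verdict
// is final: a locked-out IP is refused even when it finally guesses right.
function lt_check_lockout( $user, $username, $password ) {
    $count = (int) get_transient( lt_key( lt_client_ip() ) );
    if ( $count >= LT_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'lt_check_lockout', 30, 3 );

// A successful login clears the counter for that IP.
function lt_clear_on_success( $user_login, $user ) {
    delete_transient( lt_key( lt_client_ip() ) );
}
add_action( 'wp_login', 'lt_clear_on_success', 10, 2 );

// XML-RPC's system.multicall packs hundreds of wp.getUsersBlogs login
// attempts into one HTTP request; drop it (or disable XML-RPC if unused).
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );
```

Because the throttle keys on the source address, a distributed guess from many addresses is not stopped by it; that case is where a strong password (the "HARDCORE password" item in the Easy list) and a second factor do the work, and where the `error_log` lines feed an alert on many distinct sources failing against the same username.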
Protection mode
Prevent - Easy
● Change the username: "admin" == false;
● HARDCORE password == true;
● Only the plugins and themes you will actually use == true;
● Several security plugins == false;
● Research the plugins and themes you use == true;
● Debug mode false;
● Keep core, themes and plugins updated;
Prevent - Medium
● Disable the theme and plugin editor == true;
● Block brute force == true;
● Block directory listing == true;
● Use robots.txt == true;
● Access the site every day == true;
● Buying themes or plugins == false;
● Use the constants in wp-config:
WP_CONTENT_DIR, WP_PLUGIN_DIR, UPLOADS, WP_AUTO_UPDATE_CORE, WP_HTTP_BLOCK_EXTERNAL
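The Easy list's "Debug mode false", the Medium list's "Disable the theme and plugin editor" and the five constants named just above all live in `wp-config.php`. The fragment below is an example added here, not the talk's own configuration; the `/assets`, `/ext` and `media` paths and the `example.com` host are assumptions for a made-up site. Every `define()` has to sit above the final `require_once` of `wp-settings.php`, otherwise WordPress has already applied its defaults.

```php
<?php
// Added example (not the talk's own wp-config.php). Fragment only; paths and
// host names are assumptions. Place ABOVE the wp-settings.php require.

// --- Easy: no debug output to visitors (notices leak absolute paths) ---
define( 'WP_DEBUG',         false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG',     false );

// --- Medium: remove the in-dashboard file editors. A hijacked admin session
//     can then no longer turn a theme file into a web shell from the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Keep core patched without waiting for someone to click "update"
// (true = major and minor releases; 'minor' = security/maintenance only).
define( 'WP_AUTO_UPDATE_CORE', true );

// Block outbound HTTP from PHP except to the update hosts, so a compromised
// plugin cannot easily call home or fetch a second stage through WP_Http.
define( 'WP_HTTP_BLOCK_EXTERNAL', true );
define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,downloads.wordpress.org,*.wordpress.org' );

// Move wp-content, plugins and uploads off the default paths that mass
// scanners hard-code. *_DIR needs the matching *_URL; no trailing slashes.
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/assets' );
define( 'WP_CONTENT_URL', 'https://example.com/assets' );
define( 'WP_PLUGIN_DIR',  WP_CONTENT_DIR . '/ext' );
define( 'WP_PLUGIN_URL',  WP_CONTENT_URL . '/ext' );
// UPLOADS is relative to ABSPATH: files go to /media instead of
// /wp-content/uploads (the directory still needs PHP execution disabled).
define( 'UPLOADS', 'media' );

// Dashboard and login only over TLS, so admin cookies never cross in clear.
define( 'FORCE_SSL_ADMIN', true );

/* ... salts, $table_prefix, ABSPATH as usual ... */
require_once ABSPATH . 'wp-settings.php';
```

Moving the directories only changes what a scanner must discover, not whether an exploit works, so treat it as a complement to updating, never a substitute. "Block directory listing" is a web-server setting rather than a WordPress constant (for Apache, `Options -Indexes` in the site configuration or `.htaccess`).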
Prevent - Hard
● Infrastructure preparation == true;
● Pentest your own site == true, hell yes!
  ○ Use WPScan;
  ○ Use Acunetix;
  ○ Use Metasploit;
● Change and lock down wp-admin/ == true;
● Block /author/* pages;
● Always stay informed == true;
Protecting WordPress alone is not enough
The care must go beyond it
Look who went down... hahaha
Globo
Extra
Tools
WPScan -> WordPress vulnerability scanner. http://wpscan.org/
SqlMap -> SQL injection exploitation. http://sqlmap.org/
Metasploit -> Vulnerability exploitation. http://www.metasploit.com/
Acunetix -> Vulnerability exploitation. http://www.acunetix.com/
John the Ripper -> Brute-force tool and hash cracker. http://www.openwall.com/john/
InurlBr -> Mass vulnerability scanning. https://github.com/googleinurl/SCANNER-INURLBR
Important sites and links.
Exploiters
http://www.exploit-db.com/
http://1337day.com/
http://www.cvedetails.com/
Interesting links
http://www.wordpressexploit.com/
https://www.facebook.com/inj3ct0rs
Wrapping up...
@lenonleite www.lenonleite.com.br
@ThiagoDieb www.dieb.com.br
www.aszone.com.br