WordPress Penetration Testing using WPScan & Metasploit

In our previous article we discussed “WordPress Penetration Testing Lab Setup in Ubuntu”; today you will learn WordPress penetration testing using WPScan and Metasploit.

Attacker: Kali Linux

Target: WordPress 

WPScan is a black box vulnerability scanner for WordPress written in PHP that mainly focuses on different types of vulnerability in WordPress core, WordPress themes, and plugins. WPScan is already installed by default in Kali Linux, SamuraiWTF, Pentoo, BlackArch, and BackBox Linux. WPScan uses its database of all available plugins and themes (approximately 18000 plugins and 2600 themes) during a test against the target to find outdated versions and vulnerabilities.

Things WPScan can do for you are:

  • Detect the version of the currently installed WordPress.
  • Detect sensitive files such as readme, robots.txt, database replace files, etc.
  • Detect enabled features of the currently installed WordPress.
  • Enumerate theme name and version.
  • Detect installed plugins and tell you whether they are outdated or not.
  • Enumerate user names.

Let’s start

Go to your Kali Linux terminal and type the following to download WPScan from GitHub.

Now simply type the following in the terminal to run the script:

Using the default options we will go on to penetrate our WordPress website:

Scanning WordPress version of the target website

WPScan is a great tool for scanning WordPress websites. Now we will run some basic scans, using its enumeration options to find information about themes, plugins, usernames, etc.

Now type the following command to scan WordPress and its server:

Instead of http://192.168.0.101/wordpress/ type the URL of the website you want to scan.

Here it found the server: Apache/2.4.7, PHP/5.5.9, WordPress version 4.8.1; using this information an attacker can search for matching exploits in Google. Moreover, it also found that the upload directory has directory listing enabled, which means anyone can browse /wp-content/uploads to view the uploaded files and contents.

Enumerating WordPress Theme

A theme controls the general look and feel of the website, including things like page layout, widget locations, and default font and color choices. WordPress.com has a wide range of themes for its users, and each theme has an about page that includes features and instructions.

To scan the installed theme of a WordPress website, type the following command:

Enumerating WordPress vulnerable Theme

To scan for vulnerable installed themes of a WordPress website, type the following command:

From the scan result we did not find any vulnerable theme, which means there is no vulnerable theme that can be exploited.

Enumerating WordPress Plugins

Plugins are small pieces of program code that can be added to a WordPress website to extend its functionality.

To find the installed plugins on our target's WordPress website, type in the terminal:

After a few seconds you will get the result of the installed plugins. You can see that in my scan result installed plugins such as akismet v3.3.3, pixabay-images v2.14 and wptouch v3.4.3 were detected. It also reports the last update and the latest version of each plugin.

Enumerating WordPress vulnerable Plugins

Now type the following command to scan for vulnerable plugins of any WordPress website:

After a few seconds you will get the result of the installed vulnerable plugins of the website. From the given image you can observe that red color indicates vulnerable plugins, along with links to the exploits and CVEs.

Exploit vulnerable plug-in using Metasploit

This Metasploit module exploits an arbitrary PHP code upload in WordPress Reflex Gallery version 3.1.3. The vulnerability allows arbitrary file upload and remote code execution.

Open the terminal, load the Metasploit framework and execute the following commands:

Awesome!! From the given image you can observe the meterpreter session on the victim's web server.

Enumerating WordPress Usernames

In order to enumerate the usernames of a WordPress website, execute the following command:

After some time it will dump a table of usernames. In this scan I found three users with their IDs as given below:

Enumerate ALL with a single command

Everything we scanned above can be enumerated at once by executing the command given below:

  • -e at: enumerate all themes of the targeted website
  • -e ap: enumerate all plugins of the targeted website
  • -e u: enumerate all usernames of the targeted website

Brute force attack using Wpscan

With the help of the usernames we enumerated above, we can create a password wordlist for the user admin and try a brute force login attack using the command given below.

It will start matching valid combinations of username and password for login and then dump the result; from the given image you can see it found the login credentials of the targeted website as admin:password.

Generate PHP backdoor in WordPress

You can use the above credentials to log into the admin panel, where we can upload any theme; taking advantage of admin rights we will try to upload a malicious script to achieve a reverse connection from the victim's system.

Once you are inside the admin panel, click on Appearance in the dashboard and then select the Editor option.

Now select the template 404.php given on the right side of the frame; after that you will find some PHP code for the 404 template in the middle frame. Erase the entire PHP code so that you can add malicious PHP code, generating a backdoor inside the website as a new theme.

Now use msfvenom to generate the malicious PHP script by typing the following command.

From the screenshot you can read the generated PHP script; at this point we need to copy the text from *<?php……….die(); and then paste it inside the WordPress template as a new theme.

Now paste the copied PHP text *<?php……….die(); here as the new theme under the selected 404.php template.

On the other side, load the Metasploit framework and start multi/handler.

When you execute your uploaded theme 404.php in the browser you will receive a reverse connection at multi/handler and get a meterpreter session on the victim's system.

Here, from the screenshot, you can see that through meterpreter we have access to the victim's shell.

In this way, using WPScan and Metasploit, an admin can check the strengths and weaknesses of a WordPress website.

Author: Akshay Bharadwaj is a passionate Hacker, Information Security Enthusiast and Researcher | Sketch Artist | Technical writer.

Understanding Log Analysis of Web Server

From Wikipedia

Logs

Log files are a standard tool for computer systems developers and administrators. They record the (W5) “what happened, when, by whom, where and why” of the system. This information can record faults and help with their diagnosis.

Log Format

The Common Log Format is also known as the NCSA Common log format. Each line in a file stored in the Common Log Format has the following syntax:

[host; ident; authuser; date; request; status; bytes]

Example

127.0.0.1 user-identifier raj [30/Aug/2017:10:25:16 -0700] "GET /apache_pb.gif HTTP/1.0" 200 1068

  1. A "-" in a field indicates missing data.
  2. 127.0.0.1 is the IP address of the client (remote host) which made the request to the server.
  3. user-identifier is the RFC 1413 identity of the client.
  4. raj is the user id of the person requesting the document.
  5. [30/Aug/2017:10:25:16 -0700] is the date, time, and time zone at which the request was received.
  6. "GET /apache_pb.gif HTTP/1.0" is the request line from the client.
  7. 200 is the HTTP status code returned to the client. 2xx is a successful response, 3xx a redirection, 4xx a client error, and 5xx a server error.
  8. 1068 is the size of the object returned to the client, measured in bytes.

Importance of log analysis

Logs play an important role in tracking each client computer's activity and its communication with other computers and networks. A network or system administrator analyzes logs in order to keep an eye on the network for vulnerabilities that attackers may use to access sensitive information. You might be able to identify who introduces risks and help that person take better precautions.

Location of log files

Generally, on Linux or UNIX systems, logs are created under the /var/log directory; here you will find some very important log files such as those of Apache, auth, MySQL, the kernel, bootstrap, dmesg, apt, etc.

Some Important Types of Logs

Application log

The Application log contains events logged by applications or programs. For example, a database program might record a file error in the application log.

Apache: /var/log/apache

Samba:  /var/log/samba

Mail: /var/log/

Mysql:  /var/log/

For example, let's consider the Apache log files for analysis; there are two types of Apache HTTP server log files:

  • Apache Access Log File

The Apache server records all incoming requests and all processed requests to a log file. Location of the access log: /var/log/apache/access.log.

  • Apache Error Log File

All apache2 error information found while serving requests is logged to this file. Location of the error log: /var/log/apache/error.log.

Now open the apache2 log directory using the following command in the terminal (UNIX system).

You can see all log files of apache2 as shown in the given image.

Using the echo command I deleted all previous logs from inside the access.log file so that we can read only the recent logs of current activity.

As I described above, apache2 creates logs for client activity in the browser. Therefore I opened some web applications, dvwa, bWAPP and a WordPress site, in that order, and as a result logs will be created inside apache2 in the same order.

There are many commands and tools for log analysis; among them we use only three command line utilities, cat, head and tail, for reading logs.

From the given image you can see we used the cat command to read the log, which begins with dvwa's log and ends with the WordPress log.

cat is a standard UNIX utility for reading the content of a file. With the help of the cat command you can view the whole content of any log file.

Syntax: cat [options] filename

head is a program on UNIX and Unix-like systems used to display the beginning of a text file.

Syntax: head [options] filename

By default, head prints the first 10 lines of its input to standard output. Hence you can use the -n option for a specific number of lines. For example: head -n 30 filename.

tail is a program on UNIX and Unix-like systems used to display the tail end of a text file.

Syntax: tail [options] filename

From the given image you can perceive that it has shown the log for WordPress at the end of the file.

A significant way of reading logs

Since tail reads the last lines of the log file, which contain information about the recent activity of the client, we are going to take the help of tail's options for reading logs in a meaningful way.

By default, tail outputs the last 10 lines of its input to standard output. Hence you can use the -n option for a specific number of lines. For example: tail -n 30 filename.

From the given image you can see the above command applied the filter and read only two logs from the recent records.

If you want to read multiple log files simultaneously, then type the following command.

From the given image you can observe that it has shown two logs for each file, i.e. the access log and the error log.

Now apply a filter using the grep command with the tail command for specific records of the log.

Syntax: tail [option] filename | grep "string" [option]

From the given image you can notice it has highlighted logs having the string 200. Generally, for a network administrator, this command will reduce his/her effort while analyzing logs because he/she can directly read those logs where the client or attacker got a successful response from the server.

When the server is not able to reply to a request made by the client, it responds with error 404 “not found”.

From the given image you can see it has highlighted the string 404 in a set of log records.

As you know, in the browser we browsed the web applications DVWA, bWAPP and WordPress in that sequence; therefore we get their logs in the same sequence: dvwa logs at the top, bwapp logs in the middle and WordPress logs at the end of the access.log file.

Log files are very large, and reading them all at once is not possible for the administrator; therefore he/she can use the after and before options of grep as a filter for logs.

Syntax: tail [option] filename | grep -A [number of lines] "string"

Here -A stands for after; therefore it will filter the 2 logs created after the bwapp logs and hence it will show 2 logs of WordPress, as shown in the given image.

Similarly, apply the filter using the before parameter and type the following command with a specific argument.

Here -B stands for before; therefore it will filter the 2 logs created before the WordPress logs and hence it will show 2 logs of bwapp, as shown in the given image.
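The Common Log Format fields described earlier (with "-" for missing data and the 2xx/3xx/4xx/5xx classes) and the 200/404 filtering done here with tail and grep can be reproduced in Python, which also lets you count the wp-login.php POSTs that a password-guessing run like the WPScan brute force leaves behind. This is an added example, not code from the original article; the lines in SAMPLE_LOG are constructed to mirror the dvwa, bWAPP and WordPress browsing order, and the /wordpress/wp-login.php path is assumed to be the lab's WordPress login page.

```python
"""Parse NCSA Common Log Format lines and filter them the way the article does
with grep, but on the status field only. Added example; SAMPLE_LOG is constructed."""
import re
from collections import Counter
from typing import List, Optional

# host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed access.log excerpt: dvwa, then bWAPP, then WordPress, as in the
# article; the last line is deliberately malformed. The wp-login.php POSTs mimic
# password guessing: WordPress answers a failed login with 200 (the form is
# re-rendered) and a successful one with a 302 redirect.
SAMPLE_LOG: List[str] = [
    '192.168.0.104 - - [30/Aug/2017:10:25:16 -0700] "GET /dvwa/login.php HTTP/1.1" 200 1263',
    '192.168.0.104 - - [30/Aug/2017:10:25:20 -0700] "GET /bWAPP/login.php HTTP/1.1" 200 4320',
    '192.168.0.104 - - [30/Aug/2017:10:25:31 -0700] "GET /wordpress/ HTTP/1.1" 200 10456',
    '192.168.0.104 - - [30/Aug/2017:10:25:32 -0700] "GET /wordpress/missing.png HTTP/1.1" 404 321',
    '192.168.0.104 - - [30/Aug/2017:10:26:01 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 3900',
    '192.168.0.104 - - [30/Aug/2017:10:26:02 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 200 3900',
    '192.168.0.104 - - [30/Aug/2017:10:26:03 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 302 -',
    'this line is not in common log format',
]


def parse_clf(line: str) -> Optional[dict]:
    """Split one CLF line into its seven fields; return None if it does not parse.

    A "-" means missing data: ident/authuser become None and bytes becomes 0,
    so callers never have to special-case the dash. The request line is also
    split into method and path for convenience.
    """
    m = CLF_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("ident", "authuser"):
        if rec[field] == "-":
            rec[field] = None
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def status_class(status: int) -> str:
    """Name the status class exactly as the field list above describes it."""
    names = {2: "successful response", 3: "redirection",
             4: "client error", 5: "server error"}
    return names.get(status // 100, "unknown")


def filter_by_status(lines: List[str], status: int) -> List[dict]:
    """Equivalent of piping tail into grep "200", but matching the status field
    only, so a 200 inside a path or a byte count is not a false hit."""
    return [r for r in map(parse_clf, lines) if r is not None and r["status"] == status]


def login_posts_by_host(lines: List[str], path: str = "/wordpress/wp-login.php") -> Counter:
    """Count POSTs to the login page per client host; a burst of them with 200
    responses from one host is what a password-guessing run leaves in access.log."""
    hits: Counter = Counter()
    for r in map(parse_clf, lines):
        if r is not None and r["method"] == "POST" and r["path"] == path:
            hits[r["host"]] += 1
    return hits


if __name__ == "__main__":
    for r in filter_by_status(SAMPLE_LOG, 404):
        print(r["host"], r["path"], status_class(r["status"]))
    print(login_posts_by_host(SAMPLE_LOG))
```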

Auth Log

The auth.log file holds system authorization information, including user login attempts, both successful and failed, as well as the authentication method that was used for establishing a connection with the server, for example an SSH login between server and client.

Location: /var/log

Again I used the echo command to remove all previous records from inside auth.log.

Suppose the client uses PuTTY for SSH login into the server.

If the client has valid credentials for SSH then he will log into the server successfully. From the given image you can see I logged into the server successfully. Hence inside the server's auth.log file a new record will be created for the successful SSH login.

In the next image you can read an access denied message, which means the login to the SSH server failed. Hence this time a new record will again be created inside the auth log for the SSH login failure.

Now let's read all records of the auth log file for the above client activities using the cat command.

From the given image you can read the logs for the successful and failed logins.
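The two kinds of sshd record shown above (an accepted login and a failed one) have a fixed shape, so instead of reading auth.log with cat you can parse it and count failures per source address. This is an added example, not code from the original article; the lines in SAMPLE_AUTH are constructed in the syslog layout sshd writes on Ubuntu, and the failure threshold of 3 is an assumed value.

```python
"""Summarise SSH logins from /var/log/auth.log: accepted logins and failed
attempts per source address. Added example; SAMPLE_AUTH is constructed."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# "<Mon dd HH:MM:SS> <host> sshd[<pid>]: Accepted|Failed <method> for [invalid user] <user> from <ip> port <n> ssh2"
SSH_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) sshd\[(?P<pid>\d+)\]: '
    r'(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) '
    r'from (?P<src>\S+) port (?P<port>\d+)'
)

# Constructed auth.log excerpt: one successful PuTTY login as in the article,
# then a run of failures from the same client, one of them for a user that does
# not exist; the "Connection closed" line is a different sshd message type.
SAMPLE_AUTH: List[str] = [
    "Aug 30 10:30:01 ubuntu sshd[1234]: Accepted password for raj from 192.168.0.104 port 51004 ssh2",
    "Aug 30 10:31:15 ubuntu sshd[1240]: Failed password for raj from 192.168.0.104 port 51010 ssh2",
    "Aug 30 10:31:19 ubuntu sshd[1240]: Failed password for raj from 192.168.0.104 port 51010 ssh2",
    "Aug 30 10:31:25 ubuntu sshd[1244]: Failed password for invalid user admin from 192.168.0.104 port 51012 ssh2",
    "Aug 30 10:31:26 ubuntu sshd[1244]: Connection closed by 192.168.0.104 [preauth]",
    "Aug 30 10:32:00 ubuntu sshd[1250]: Accepted publickey for raj from 192.168.0.105 port 40022 ssh2",
]


def parse_ssh_auth(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an Accepted/Failed sshd record, or None for any
    other auth.log line (pam messages, connection closed, sudo, ...)."""
    m = SSH_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # "invalid user" means the account does not exist on the server at all
    rec["invalid_user"] = "yes" if rec.pop("invalid") else "no"
    return rec


def summarize_ssh(lines: List[str], threshold: int = 3) -> Dict[str, object]:
    """Count accepted logins per user@source and failures per source; sources
    with at least `threshold` failures are reported as suspicious (assumed value)."""
    accepted: Counter = Counter()
    failed: Counter = Counter()
    failed_users: Dict[str, set] = defaultdict(set)
    for rec in map(parse_ssh_auth, lines):
        if rec is None:
            continue
        if rec["result"] == "Accepted":
            accepted[f'{rec["user"]}@{rec["src"]}'] += 1
        else:
            failed[rec["src"]] += 1
            failed_users[rec["src"]].add(rec["user"])
    suspicious = sorted(src for src, n in failed.items() if n >= threshold)
    return {
        "accepted": dict(accepted),
        "failed": dict(failed),
        "failed_users": {src: sorted(users) for src, users in failed_users.items()},
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(summarize_ssh(SAMPLE_AUTH))
```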

Vsftpd Log

The vsftpd log holds the authentication log for FTP login records, either success or failure.

Location: /var/log

I deleted all previous logs using the echo command and used WinSCP for FTP server login. You can observe that we logged in successfully. Hence it will create a new record in vsftpd.log for the client's successful login.

Now let's verify it through the vsftpd log file and use the cat command for reading the whole file. From the given image you can observe it has created a record in the log file for client 192.168.0.104 as CONNECT.

System Log

syslog is a standard for system logs or message logging. The administrator may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard.

Location: /var/log

Use the cat command for reading syslog as shown in the given image.

APT Log

apt is a standard command-line tool in UNIX, which performs functions such as the installation of new software packages, upgrade of existing software packages, updating of the package list index, and even upgrading the entire Ubuntu system.

Location: /var/log

Hence apt keeps its own log files for all newly and previously installed software. It has two log files:

  • history.log : /var/log/apt
  • term.log : /var/log/apt

Now type the following command for reading the history log of apt.

From the given image you can observe the result, which contains information about software installation and updates.

This was a brief introduction to reading logs in the simplest way.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

WordPress Penetration Testing Lab Setup in Ubuntu

Today we are demonstrating how to install and configure WordPress for penetration testing inside a web server. To configure WordPress, you must install web host software such as XAMPP/WAMP, or read our previous article “Configure Web Server for Penetration Testing (Beginner Guide)”, which will help in setting up your own localhost web server. Here we are using our own web server, which we configured in Ubuntu 14.04.

WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.

For more detail visit https://en.wikipedia.org/wiki/WordPress

Let’s start!!

If you have read our previous article, then you might remember that we specified a blank password for the root user. Now start by logging into phpMyAdmin as the root user.

phpMyAdmin is separated into two panels, left and right. The left panel contains the names of the existing databases and the right panel contains functional settings for performing maintenance operations on tables, backing up information, editing things and creating or deleting databases.

In order to store WordPress data we need to create a new database. Now click on the Databases tab given at the top of the right panel.

Now enter a name for the database, such as WordPress, and then click on Create. After that you will observe that a new database “WordPress” is added to the left panel.

Open the terminal and type the following command to download WordPress inside /var/www/html.

Now unzip the latest.zip archive.

From the given image you can see we have a WordPress folder inside the /html/ directory.

Now for the WordPress installation open it in the browser through the URL http://localhost/wordpress as shown in the given image. At the end of the window click on “Let's go” to proceed with the installation.

In the next window enter your database connection information, such as:

Now click on the Submit button.

In the next window you will get some lines of code to configure the wp-config.php file, as shown in the given image. Now copy the highlighted text into a text document. After you have done that, come back and click on Run the install.

As you can see we have pasted the copied text inside a text file and then saved it as wp-config.php on the desktop.

Since we saved wp-config.php on the desktop, we are going to move it inside /var/www/html/wordpress using the following command.

After that go back to the previously opened tab and click on Run the install.

A “Welcome” window will come up; now fill in the information below and you'll be on your way to the WordPress installation.

At last click on the “Install WordPress” button given at the end of the window.

Once WordPress has installed successfully, click on Log in as shown in the given image.

Now enter your WordPress credentials to log in.

Great!! Finally our website “pentest lab” is online on the localhost server and is ready for posting articles and blogs.

Now we need to add some plugins to WordPress so that we can practise WordPress penetration testing by exploiting plugin-based vulnerabilities. WordPress' plugin architecture allows users to extend the features and functionality of a website or blog.

Now type the following command to give all permissions to the files and folders of /var/www/html owned by www-data.

For penetration testing practice we are going to download some vulnerable plugins so that we have our own vulnerable WordPress site.

We downloaded the vulnerable plugin “reflex gallery 3.1.3 arbitrary file upload” found on exploit-db.com; you can download many other vulnerable plugins from the exploit database.

Now log into WordPress as admin to access the administration control panel, then select the Plugins option from the dashboard and go to Add New so that you can install the plugin in your WordPress.

Now browse to the downloaded zip file and then click on Upload Plugin for installation.

It will install the plugin into WordPress; now, to activate it, click on the Activate Plugin button as shown in the given image.

Similarly, you can install as many vulnerable plugins into WordPress as possible. You can see we installed many plugins inside our WordPress so that we can practise more WordPress penetration testing, which you will learn in our next upcoming article.

Wait for our next article, where you will learn how to exploit WordPress plugin-based vulnerabilities.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Fuzzing SQL,XSS and Command Injection using Burp Suite

From Portswigger

Hello friends!! Today we are going to perform fuzz testing on the bWAPP application using Burp Suite Intruder; performing this testing manually is time-consuming and may be a boring process for any pentester.

Fuzzing plays a vital role in software testing; it is a technique used for finding bugs, errors, faults and loopholes by injecting a set of partially arbitrary inputs, called fuzz, into the program or application being tested. Fuzzer tools take structured input in a file format to differentiate between valid and invalid inputs. A fuzzer tool is best at identifying vulnerabilities like SQL injection, buffer overflow, XSS injection, OS command injection, etc.

Let’s start!!

Fuzzing XSS

Start Burp Suite in order to intercept the request and then send the intercepted data to Intruder.

Many input-based vulnerabilities, such as SQL injection, cross-site scripting, and file path traversal, can be detected by submitting various test strings in request parameters and analyzing the application's responses for error messages and other anomalies.

Consider the following:

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: test (user input for the first name)

Attack type: Sniper (for one payload)

Set the payloads which will be placed into the payload positions during the attack. Choose the Payloads option to configure a simple list of payloads for the attack, using one of Burp's predefined payload lists containing common fuzz strings.

Burp Suite Intruder contains fuzzing strings for testing XSS injection, therefore choose Fuzzing - XSS and click on the Add button to load these strings into the simple list as shown in the screenshot, and finally click on Start attack.

It will start the attack by sending requests containing the fuzz strings to test for XSS vulnerabilities in the target application. Now, from the given list of applied strings, select the payload whose response has the highest length, as shown in the given image; we selected request 1, having a length equal to 13926.

Insert the selected payload into the intercepted request and then forward this request, as you can see in the given image.

Bravo!! The fuzzing test is complete and it found that the application has a bug which leads to an XSS vulnerability. From the screenshot you can see it is showing an XSS alert prompt.

Fuzzing OS command injection

Similarly, repeat the same process in order to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: www.nsa.gov (user input for target)

Attack type: Sniper (for one payload)

Burp Suite Intruder contains fuzzing strings which will test for OS command injection, therefore choose Fuzzing - full and click on the Add button to load these strings into the simple list as shown in the screenshot, and finally click on Start attack.

It will start the attack by sending requests containing the fuzz strings to test for OS command injection vulnerabilities in the target application. Now, from the given list of applied strings, select the payload whose response has the highest length, as shown in the given image; we selected request 34, having a length equal to 13343.

Insert the selected payload into the intercepted request and then forward this request, as you can see in the given image.

Great Job!! The fuzzing test is complete and it found that the application has a bug which leads to an OS command injection vulnerability. From the screenshot you can see the application is showing the id output as requested by the selected payload.

Fuzzing SQL

Similarly, repeat the same process in order to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions. It is much like a brute force attack.

Payload position: 1:1 (user input for login: password)

Attack type: Cluster bomb (for two payloads)

Burp Suite Intruder contains fuzzing strings which will test for SQL injection, therefore choose Fuzzing - SQL injection for the first payload position and click on the Add button to load these strings into the simple list as shown in the screenshot, and finally click on Start attack.

Similarly, repeat the same process to set the payload option for the second payload position.

It will start the attack by sending requests containing the fuzz strings to test for SQL injection vulnerabilities in the target application. Now, from the given list of applied strings, select the payload whose response has the highest length, as shown in the given image; we selected request 168, having a length equal to 13648.

Insert the selected payload into the intercepted request and then forward this request, as you can see in the given image.

Wonderful!! The fuzzing test is complete and it found that the application has a bug which leads to a SQL injection vulnerability. From the screenshot you can see we logged into Neo's account without valid input; this happened only as a result of the selected payload.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.