WordPress Penetration Testing Lab Setup in Ubuntu

Today we are demonstrating how to install and configure WordPress for penetration testing inside the web server. To configure WordPress, you must install any web host software such as xampp/wamp or read our previous article “Configure Web Server for Penetration Testing (Beginner Guide)” which will help in setting up of your own localhost web server. Here we are using our own web server which had to configure in Ubuntu 14.04.

WordPress is a free and open-source content management system (CMS) based on PHP and MYSQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.

For more detail visit https://en.wikipedia.org/wiki/WordPress

Let’s start!!

If you have read our previous article, then you might be remembering that we had specified blank space as the password for the root user. Now start with login into phpmyadmin as the root user.

phpmyadmin is separated into two parts left and right panels. The left panel contains the name of existing databases and the right panel contains a functional setting for performing maintenance operations on tables, backing up information, editing things and creating or deleting the database.

In order to store WordPress data, we need to create a new database. Now click on the databases tab given at the top of the right panel.

Now enter the name for database system such as WordPress and then click on create. After that, you will observe a new database “WordPress” will get added into the left panel.

Open the terminal and type following command to download WordPress inside /var/www/html

Now unzip the folder of latest.zip

From the given image you can see we have a folder of WordPress inside /html/ directory.

Now for WordPress installations open it on the browser through URL: http:// localhost/wordpress as shown in the given image.  At the end of the window click on let’s go to proceed for installation.

At another window enter your database connection information such as:

Now click on the submit tab.

In the next window, you will get some code of line to configure the wp-config.php file as shown in the given image. Now copy the highlighted text into a text document. After you have done come back and click on run the install.

As you can see we have pasted above copy text inside a text file and then save it as wp-config.php on the desktop.

Since we have saved wp-config.php on the desktop, therefore, we are going to shift it inside /var/www/html/wordpress using the following command.

After then go back to the previously open tab and click on Run the install.

“Welcome” the new window will come up, now fills the information below and you’ll be on the way for WordPress installation.

At last click on “install WordPress” tab given at the end of the window.

Once WordPress will successfully install, click on log in as shown in the given image.

Now enter your WordPress credential for login.

Great!!  Finally our website “pentest lab” is online on localhost server and is ready posting articles and blogs.

 Now we need to add some Plug-in WordPress so that we can make WordPress penetration testing by exploiting these plug-in based vulnerabilities. WordPress’ plug-in architecture allows users to extend the features and functionality of a website or blog.

Now type the following command to give all permission to the file and folder own by www-data of /var/www/html.

For penetration testing practice we are going to download some vulnerable plug-in so that we have our own vulnerable WordPress site.

We had downloaded a vulnerable plug-in “reflex gallery 3.1.3 arbitrary file upload” found from inside the exploit-db.com, you can download many another vulnerable plug-in from exploit database.

Now login into WordPress as admin to access administration control panel and then select plugins option from the dashboard and go for the new plugin so that you can add your install plug-in in your WordPress.

Now browse you downloaded the zip file and then click on upload plugin for installation.

It will install the plug-in into WordPress, now to activate it click on given tab Activate Plugin as shown in the given image.

Similarly, you can install as much as can be possible vulnerable plug-in into WordPress. You can see we had installed many plug-ins inside our WordPress so that we can make more practice on WordPress penetration testing which you will learn in our next upcoming article.

Wait for our next article where you will how to exploit WordPress plug-in base vulnerability.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *