AppSec USA 2014 Denver, Colorado CMS Hacking 101 Hacking and Securing Popular Open Source Content Management Systems

Greg Foss Senior Security Research Engineer Web Developer => Penetration Tester => Researcher Introduction

Content Management Systems

Drupal - [domain.com] inurl:changelog.txt

Joomla - [domain.com] inurl:htaccess.txt

WordPress - [domain.com] inurl:readme.html

Targeted Scanning - Joomla

Targeted Scanning - WordPress

# perl cms-explorer.pl --url --type [CMS] --osvdb # python BlindElephant.py [CMS] Intelligent Fingerprinting

GitHub Advanced Queries

Scrape Internal GitHub Deployment

Joomla – [docroot]/configuration.php

WordPress – [docroot]/wp-config.php

MySQL Creds Drupal Hash Salt Drupal [docroot]/sites/default/settings.php
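
The version-disclosure files from the search queries above and the credential-bearing configuration files on this slide are both things a site owner can check for locally. The following is an added example written for this transcript, not code from the talk or from any CMS project; the file names are the ones the slides name, and the rule that a configuration file must never be world-readable is an assumed baseline:

```python
"""Audit a CMS document root for version-disclosure files and exposed config files.

Added example for this transcript (not the talk's or any CMS project's code).
File names come from the slides; the "not world-readable" rule is an assumed baseline.
"""
import os
import stat

# Files that reveal the CMS and its version (the slides' inurl: queries).
DISCLOSURE_FILES = {
    "Drupal": ["CHANGELOG.txt"],
    "Joomla": ["htaccess.txt"],
    "WordPress": ["readme.html"],
}

# Files that hold database credentials (and, for Drupal, the hash salt).
CONFIG_FILES = {
    "Drupal": ["sites/default/settings.php"],
    "Joomla": ["configuration.php"],
    "WordPress": ["wp-config.php"],
}


def audit_docroot(docroot):
    """Return a list of (severity, cms, relative_path, reason) findings."""
    findings = []
    # Match disclosure files case-insensitively: the slides write changelog.txt,
    # Drupal ships CHANGELOG.txt, and either one answers a search-engine query.
    present = {name.lower(): name for name in os.listdir(docroot)}
    for cms, names in DISCLOSURE_FILES.items():
        for name in names:
            actual = present.get(name.lower())
            if actual and os.path.isfile(os.path.join(docroot, actual)):
                findings.append(("low", cms, actual,
                                 "version-disclosure file reachable under the docroot; remove it"))
    for cms, names in CONFIG_FILES.items():
        for rel in names:
            path = os.path.join(docroot, rel)
            if not os.path.isfile(path):
                continue
            mode = os.stat(path).st_mode
            if mode & stat.S_IROTH:
                findings.append(("high", cms, rel,
                                 "config file is world-readable; restrict to the web server user (e.g. mode 640)"))
            if mode & stat.S_IWOTH:
                findings.append(("high", cms, rel, "config file is world-writable"))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for severity, cms, rel, reason in audit_docroot(root):
        print(f"[{severity}] {cms}: {rel} - {reason}")
```

Run it against the docroot of each site you operate; a "low" finding is a file that should not ship to production, a "high" finding is a credential file readable by every local account on the host.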

Remediation

Already have server access? Drush available? Create a one-time link to log in as an admin… $ cd [drupal directory] $ drush uli Gaining Admin Access to Drupal…

Joomla – Password Reset Abuse

WordPress – Password Reset Abuse

Drupal – Password Reset Abuse

Not seen as a vuln by the Drupal Security Team Iterate through accounts View comments, posts, etc. Social features, forums, etc. Drupal User Enumeration

Automation

Drupal - Single Account…

All the Accounts!

Brute Forcing w/ Burp works against WordPress too! Will not work against Joomla… – Joomla integrates a unique form token per login request, which is actually verified at the server (unlike Drupal’s form token) – Brute forcing can be scripted but will be slow… Joomla & WordPress
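
The property the slide credits Joomla with is that every login POST must carry a form token that was issued for that request and is actually checked on the server, so a captured request cannot simply be replayed with a new password. The following is an added example of such a control, written for this transcript and not Joomla's own code; the secret key, token lifetime and in-memory nonce store are assumptions for the demonstration:

```python
"""Per-request, server-verified login form token (added example, not Joomla's code).

A token is an HMAC over (session id, nonce, expiry); the server also keeps the
set of nonces it has issued and not yet consumed, so each token works exactly once.
"""
import hmac
import hashlib
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # per-deployment secret (assumed)
TOKEN_TTL = 300                       # seconds a token stays valid (assumed)

# session_id -> set of issued, not-yet-used nonces
_issued = {}


def _sign(session_id, nonce, expires):
    msg = f"{session_id}:{nonce}:{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Mint a fresh token for the login form rendered in this session."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    expires = now + TOKEN_TTL
    _issued.setdefault(session_id, set()).add(nonce)
    return f"{nonce}.{expires}.{_sign(session_id, nonce, expires)}"


def consume_token(session_id, token, now=None):
    """Return True exactly once for a valid, unexpired, unused token bound to this session."""
    now = int(time.time()) if now is None else now
    try:
        nonce, expires, sig = token.split(".")
        expires = int(expires)
    except ValueError:
        return False
    # Constant-time comparison; a forged or tampered token fails here.
    if not hmac.compare_digest(sig, _sign(session_id, nonce, expires)):
        return False
    outstanding = _issued.get(session_id, set())
    if now > expires:
        outstanding.discard(nonce)
        return False
    if nonce not in outstanding:
        return False  # replayed, or issued for another session
    outstanding.discard(nonce)  # single use
    return True


def handle_login_post(session_id, form_token, username, password, check_credentials):
    """Reject the request before credentials are even examined unless the token is fresh."""
    if not consume_token(session_id, form_token):
        return "bad_token"
    return "ok" if check_credentials(username, password) else "bad_credentials"
```

Because the token is consumed before the password is checked, an automated guesser has to fetch the login page for every attempt, which is the slowdown the slide describes; the token is additionally bound to the session, so a token harvested in one session is useless in another.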

New Security Controls in Drupal 7… Even better in Drupal 8! Uh Oh…

Change it up!

Just Be Careful…

‘Mitigation’

Configure Appropriately

Session Handling

Missing Updates? Drupal WordPress Joomla

Drupal / Joomla! / WordPress – Update Notifications

Watchdog – Drupal’s built in logging, captures data within the ‘Watchdog’ database table. Syslog – Export Drupal’s logs to the Linux syslog. Creates a flat file that is easy to monitor. Drupal Application Logging
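
Once watchdog entries are exported through the Syslog module, the flat file can be watched for the failed-login and account-spraying patterns from the brute-forcing slides. The following is an added example for this transcript, not code from the talk or from Drupal; it assumes the Drupal 7 Syslog module's default line layout (base_url|timestamp|type|ip|request_uri|referer|uid|link|message) and Drupal's "Login attempt failed for <name>." watchdog message, and the log lines it parses are constructed:

```python
"""Detect login brute forcing in Drupal's syslog export (added example, not Drupal's code).

Assumes the Drupal 7 Syslog module default format and watchdog wording; SAMPLE_SYSLOG is constructed.
"""
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
Mar  3 10:15:01 web1 drupal: https://example.test|1393841701|user|203.0.113.9|/user/login||0||Login attempt failed for admin.
Mar  3 10:15:02 web1 drupal: https://example.test|1393841702|user|203.0.113.9|/user/login||0||Login attempt failed for admin.
Mar  3 10:15:03 web1 drupal: https://example.test|1393841703|user|203.0.113.9|/user/login||0||Login attempt failed for editor.
Mar  3 10:15:04 web1 drupal: https://example.test|1393841704|user|203.0.113.9|/user/login||0||Login attempt failed for webmaster.
Mar  3 10:15:05 web1 drupal: https://example.test|1393841705|user|203.0.113.9|/user/login||0||Login attempt failed for greg.
Mar  3 10:15:06 web1 drupal: https://example.test|1393841706|user|203.0.113.9|/user/login||0||Login attempt failed for jane.
Mar  3 10:15:30 web1 drupal: https://example.test|1393841730|user|198.51.100.7|/user/login||0||Login attempt failed for jane.
Mar  3 10:15:40 web1 drupal: https://example.test|1393841740|user|198.51.100.7|/user/login||0||Session opened for jane.
Mar  3 10:16:00 web1 drupal: https://example.test|1393841760|php|198.51.100.7|/node/3||1||Notice: Undefined index in foo() (line 12 of bar.module).
"""

FIELDS = ("base_url", "timestamp", "type", "ip", "request_uri", "referer", "uid", "link", "message")
FAILED_RE = re.compile(r"^Login attempt failed for (?P<user>.+)\.$")


def parse_line(line):
    """Return a dict for one Drupal syslog line, or None for any other syslog line."""
    _, _, payload = line.partition("drupal: ")
    if not payload:
        return None
    fields = payload.rstrip("\n").split("|", 8)  # the message may itself contain '|'
    if len(fields) != 9:
        return None
    rec = dict(zip(FIELDS, fields))
    rec["timestamp"] = int(rec["timestamp"])
    return rec


def failed_logins(log_text):
    """Yield (timestamp, ip, username) for every failed-login watchdog record."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["type"] == "user":
            m = FAILED_RE.match(rec["message"])
            if m:
                yield rec["timestamp"], rec["ip"], m.group("user")


def detect_bruteforce(log_text, window=60, max_failures=5, max_users=3):
    """Flag source IPs with too many failures, or failures spread over too many accounts, in one window."""
    per_ip = defaultdict(list)
    for ts, ip, user in failed_logins(log_text):
        per_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [u for ts, u in events[i:] if ts - start <= window]
            reasons = []
            if len(in_window) >= max_failures:
                reasons.append(f"{len(in_window)} failures in {window}s")
            if len(set(in_window)) >= max_users:
                reasons.append(f"{len(set(in_window))} distinct accounts tried (spraying)")
            if reasons:
                alerts[ip] = reasons
                break
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect_bruteforce(SAMPLE_SYSLOG).items():
        print(ip, "->", "; ".join(reasons))
```

The per-account count catches the "All the Accounts!" case where a guesser stays under Drupal's per-user flood limit by rotating usernames, which a simple failures-per-account threshold would miss.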

Nothing built in… Need to use a plugin which stores logs to a database table WordPress Application Logging

Must be configured manually within Joomla’s configuration and is not enabled by default. Flat file logging can be set up using JLog. Joomla Application Logging

Authorization

Persistent XSS

Reflected XSS

Unrestricted File Uploads

Uploading and executing PHP code has been ‘fixed’ in recent versions of Drupal as of November Code execution prevention (files directory .htaccess for Apache - Drupal 6 and 7) Not exactly… :-) Drupal File Upload Vuln Fixed?

Modules that assist with the active development of a Drupal application. Excellent for Development Remove prior to Test / Staging – Never leave installed on Production applications Picking on… – Devel — Development Modules

Module used for development Should never be installed on production, ever… Allows users to view debugging information, including full database details of application content. Also allows for PHP code execution! Devel

Password Hash Disclosure

Automated Hash Extraction

WordPress # hashcat -m 400 -a 0 -o wp.txt wphash.txt rock.dict Joomla # hashcat -m 11 -a 0 -o joomla.txt jhash.txt rock.dict Cracking WordPress & Joomla Hashes

Drupal 7 # john dhash.txt --wordlist="rockyou.txt" --salt=" " --format="drupal7" Drupal 6 # john dhash.txt --wordlist="rockyou.txt" OR # hashcat -m 0 -a 0 -o drupal.txt dhash.txt rock.dict Cracking Drupal Hashes

PHP Code Execution

I <3 Shells…

Demonstration

Pen Test your applications, don’t just scan… Update early and often! Leverage assistance from external entities Embed security with development from the beginning. Download scripts to augment the penetration testing process of Drupal applications: – Closing Thoughts

Target: XXX.XXX.XXX.XXX Hands On Exercise Time!

Questions? Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH Senior Security Research Engineer Thank You!