AppSec USA 2014 Denver, Colorado CMS Hacking 101 Hacking and Securing Popular Open Source Content Management Systems
Greg Foss Senior Security Research Engineer Web Developer => Penetration Tester => Researcher Introduction
Content Management Systems
Image: Barcode-Scanner jpg
Drupal - [domain.com] inurl:changelog.txt
Joomla - [domain.com] inurl:htaccess.txt
WordPress - [domain.com] inurl:readme.html
Targeted Scanning - Joomla
Targeted Scanning - WordPress
# perl cms-explorer.pl --url --type [CMS] --osvdb # python BlindElephant.py [CMS] Intelligent Fingerprinting
Image:
GitHub Advanced Queries
hacking-for-fun-and-sensitive.html
Scrape Internal GitHub Deployment
Joomla – [docroot]/configuration.php
WordPress – [docroot]/wp-config.php
MySQL Creds Drupal Hash Salt Drupal [docroot]/sites/default/settings.php
Remediation
Already have server access? Drush available? Create a one-time link to log in as an admin… $ cd [drupal directory] $ drush uli Gaining Admin Access to Drupal…
Joomla – Password Reset Abuse
WordPress – Password Reset Abuse
Drupal – Password Reset Abuse
Not seen as a vuln by the Drupal Security Team Iterate through accounts View comments, posts, etc. Social features, forums, etc. Drupal User Enumeration
Automation
Image: illusion.blogspot.com/2013/11/wordlistpaswordlist-for-dictionary.html
Drupal - Single Account…
All the Accounts!
Brute Forcing w/ Burp works against WordPress too! Will not work against Joomla… – Joomla integrates a unique form token per login request, which is actually verified at the server (unlike Drupal’s form token) – Brute forcing can be scripted but will be slow… Joomla & WordPress
New Security Controls in Drupal 7… Even better in Drupal 8! Uh Oh…
Change it up!
Just Be Careful…
‘Mitigation’
Configure Appropriately
Image: a85dcdae970b016301e98de2970d-800wi.png Session Handling
Missing Updates? Drupal WordPress Joomla
Drupal: – – Joomla!: – – WordPress: – – Update Notifications
Watchdog – Drupal’s built in logging, captures data within the ‘Watchdog’ database table. Syslog – Export Drupal’s logs to the Linux syslog. Creates a flat file that is easy to monitor. Drupal Application Logging
Nothing built in… Need to use a plugin which stores logs to a database table WordPress Application Logging
Must be configured manually within Joomla’s configuration and is not enabled by default. Flat file logging can be set up using Jlog s03.html s03.html Joomla Application Logging
Authorization Image: ntent/images/uploads/2012/02/ 6a0120a85dcdae970b016301e9 8de2970d-800wi.png
Persistent XSS
Reflected XSS
Unrestricted File Uploads
Uploading and executing PHP code has been ‘fixed’ in recent versions of Drupal as of November Code execution prevention (Files directory.htaccess for Apache - Drupal 6 and 7) Not exactly… :-) Drupal File Upload Vuln Fixed?
Modules that assist with the active development of a Drupal application. Excellent for Development Remove prior to Test / Staging – Never leave installed on Production applications Picking on… – Devel — Development Modules
Module used for development Should never be installed on production, ever… Allows users to view debugging information, including full database details of application content. Also allows for PHP code execution! Devel
Password Hash Disclosure
Automated Hash Extraction
WordPress # hashcat -m 400 -a 0 -o wp.txt wphash.txt rock.dict Joomla # hashcat -m 11 -a 0 -o joomla.txt jhash.txt rock.dict Cracking WordPress & Joomla Hashes
Drupal 7 # john dhash.txt --wordlist=“rockyou.txt” --salt=“ ” -- format=“drupal7” Drupal 6 # john dhash.txt --wordlist=“rockyou.txt” OR # hashcat –m 0 -a 0 -o drupal.txt dhash.txt rock.dict Cracking Drupal Hashes
PHP Code Execution
I <3 Shells…
Demonstration Image: eqj__pony_avatar_creator_demo_by_lexuzieel-d4vx715.png
Pen Test your applications, don’t just scan… Update early and often! Leverage assistance from external entities Embed security with development from the beginning. Download scripts to augment the penetration testing process of Drupal applications: – Closing Thoughts
Target: XXX.XXX.XXX.XXX Hands On Exercise Time!
Questions? Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH Senior Security Research Engineer Thank You!