1. AppSec USA 2014 Denver, Colorado CMS Hacking 101 Hacking and Securing Popular Open Source Content Management Systems

2. Greg Foss Senior Security Research Engineer Web Developer => Penetration Tester => Researcher Introduction

3. Content Management Systems

4. Image: http://www.emerce.nl/content/uploads/2012/10/Monkey- Barcode-Scanner-88205.jpg

5. Drupal - [domain.com] inurl:changelog.txt

6. Joomla - [domain.com] inurl:htaccess.txt

7. WordPress - [domain.com] inurl:readme.html

8. Targeted Scanning - Joomla http://sourceforge.net/projects/joomscan/

9. Targeted Scanning - WordPress http://wpscan.org/

10. https://code.google.com/p/cms-explorer/ # perl cms-explorer.pl --url http://some.cms.org/ --type [CMS] --osvdb http://blindelephant.sourceforge.net/ # python BlindElephant.py http://some.cms.org/ [CMS] Intelligent Fingerprinting

11. Image: http://is1103.com/2013/10-October/source.png

12. GitHub Advanced Queries

13. http://blog.conviso.com.br/2013/06/github- hacking-for-fun-and-sensitive.html

14. Scrape Internal GitHub Deployment

15. Joomla – [docroot]/configuration.php

16. WordPress – [docroot]/wp-config.php

17. MySQL Creds Drupal Hash Salt Drupal [docroot]/sites/default/settings.php

18. Remediation

19. Already have server access? Drush available? Create a one-time link to log in as an admin… $ cd [drupal directory] $ drush uli Gaining Admin Access to Drupal…

21. Joomla – Password Reset Abuse

22. WordPress – Password Reset Abuse

23. Drupal – Password Reset Abuse

24. Not seen as a vuln by the Drupal Security Team Iterate through accounts View comments, posts, etc. Social features, forums, etc. Drupal User Enumeration

25. Automation

26. Image: http://security-is-just-an- illusion.blogspot.com/2013/11/wordlistpaswordlist-for-dictionary.html

27. Drupal - Single Account…

28. All the Accounts!

29. Brute Forcing w/ Burp works against WordPress too! Will not work against Joomla… – Joomla integrates a unique form token per login request, which is actually verified at the server (unlike Drupal’s form token) – Brute forcing can be scripted but will be slow… Joomla & WordPress

30. New Security Controls in Drupal 7… Even better in Drupal 8! Uh Oh…

31. Change it up!

32. Just Be Careful…

33. ‘Mitigation’

34. Configure Appropriately

35. Image: http://blog.codinghorror.com/content/images/uploads/2012/02/6a0120 a85dcdae970b016301e98de2970d-800wi.png Session Handling

36. Missing Updates? Drupal WordPress Joomla

37. Drupal: – http://lists.drupal.org/mailman/listinfo/security-news http://lists.drupal.org/mailman/listinfo/security-news – https://drupal.org/security/rss.xml https://drupal.org/security/rss.xml Joomla!: – http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions – https://watchful.li/features/ https://watchful.li/features/ WordPress: – https://wordpress.org/plugins/wp-updates-notifier/ https://wordpress.org/plugins/wp-updates-notifier/ – http://codex.wordpress.org/Mailing_Lists#Announcements http://codex.wordpress.org/Mailing_Lists#Announcements Update Notifications

38. Watchdog – Drupal’s built in logging, captures data within the ‘Watchdog’ database table. Syslog – Export Drupal’s logs to the Linux syslog. Creates a flat file that is easy to monitor. Drupal Application Logging

39. Nothing built in… Need to use a plugin which stores logs to a database table https://wordpress.org/plugins/wp-security-audit-log/ WordPress Application Logging

40. Must be configured manually within Joomla’s configuration and is not enabled by default. Flat file logging can be set up using Jlog http://developer.joomla.org/manual/ch02s05 s03.html http://developer.joomla.org/manual/ch02s05 s03.html Joomla Application Logging

41. Authorization Image: http://blog.codinghorror.com/co ntent/images/uploads/2012/02/ 6a0120a85dcdae970b016301e9 8de2970d-800wi.png

42. Persistent XSS

43. Reflected XSS

44. Unrestricted File Uploads

46. Uploading and executing PHP code has been ‘fixed’ in recent versions of Drupal as of November 2013 https://drupal.org/SA-CORE-2013-003 Code execution prevention (Files directory.htaccess for Apache - Drupal 6 and 7) Not exactly… :-) Drupal File Upload Vuln Fixed?

47. Modules that assist with the active development of a Drupal application. Excellent for Development Remove prior to Test / Staging – Never leave installed on Production applications Picking on… – Devel — https://drupal.org/project/develhttps://drupal.org/project/devel Development Modules

48. Module used for development Should never be installed on production, ever… Allows users to view debugging information, including full database details of application content. Also allows for PHP code execution! Devel

49. Password Hash Disclosure

50. Automated Hash Extraction

52. WordPress # hashcat -m 400 -a 0 -o wp.txt wphash.txt rock.dict Joomla # hashcat -m 11 -a 0 -o joomla.txt jhash.txt rock.dict Cracking WordPress & Joomla Hashes

53. Drupal 7 # john dhash.txt --wordlist=“rockyou.txt” --salt=“ ” -- format=“drupal7” Drupal 6 # john dhash.txt --wordlist=“rockyou.txt” OR # hashcat –m 0 -a 0 -o drupal.txt dhash.txt rock.dict Cracking Drupal Hashes

55. PHP Code Execution

56. I <3 Shells…

57. Demonstration Image: http://fc01.deviantart.net/fs71/i/2014/040/2/3/_outdated__move_to_ eqj__pony_avatar_creator_demo_by_lexuzieel-d4vx715.png

58. Pen Test your applications, don’t just scan… Update early and often! Leverage assistance from external entities Embed security with development from the beginning. Download scripts to augment the penetration testing process of Drupal applications: – https://github.com/gfoss/attacking-drupal/ https://github.com/gfoss/attacking-drupal/ Closing Thoughts

59. Target: XXX.XXX.XXX.XXX Hands On Exercise Time!

60. Questions? https://github.com/gfoss/attacking-drupal/ Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH Senior Security Research Engineer greg.foss[at]LogRhythm.com @heinzarelli Thank You!