Category: CMS hacking

Posted on by

Hacking WordPress with Revslider Exploit

Hello aspiring hackers. In this howto we will learn about hacking wordpress with Revslider plugin exploit. This howto is a direct sequel to our previous howto  WordPress vulnerability assessment with WPscan, so I suggest you go through that how to first and look out for the Easter eggs. This howto is based on one of the vulnerabilities we found in our previous howto.

To those newbies, who don’t know what is revolution slider,  it is a popular plugin used by many wordpress websites. Well, I am sure you have heard about Panama papers leak. Yeah, I’m talking about the leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. It has been identified that Mossack Fonseca was using a vulnerable version of WordPress revslider plugin which resulted in the hack. All versions of the plugin from 2.1.7 to 3.0.95 are vulnerable to the attack.

This exploit was made public last year but still there are many wordpress websites using the vulnerable plugin( as with the case of Mossack fonseca ). Now let us see how this exploit works in Metasploit. Start Metasploit and search for our exploit as shown below.

Load the exploit as shown below.

Set the required options as shown below.

Set the required payload. Here for illustration I am setting the famous meterpreter payload.

You can also check if your target is vulnerable by using “check” command as shown below.( But we already know our target is vulnerable).

You can execute the exploit by typing “exploit”. If all went well, you will get the meterpreter shell on victim system.

That was all about hacking wordpress with Revslider plugin exploit.

Posted on by 4 Comments

WordPress vulnerability assessment with WPscan

Good Evening friends. Hope you’re fine. After focusing on Joomla for some time, with this howto I have decided to focus on another popular CMS, that is WordPress. This howto is a pre-prequel to one of my articles on how to hack wordpress right here. This howto will have two other sequels and watch out for some easter eggs in this howto. ( Mind my talk about sequels, prequels and easter eggs, but did I tell you I am a big Marvel fan). Ok, ok, ok. Now let’s begin. The tool we will use here is called WPscan. WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues and also for enumeration. It is by default installed in Kali Linux Sana. Now open a terminal and update our tool by typing command as shown below.

To scan a wordpress website, you have to give the url as shown below. For this howto, I am using a local installation of wordpress as target.  Assign the target as shown below. The scan will start as shown below.

Here are the screenshots of result of this scan. . As you can see we have  13 vulnerabilities in the present installation and the vulnerabilities are given below.

One of the easiest ways to hack a wordpress site is to exploit the plugins installed in the target as most of the wordpress vulnerabilities nowadays exist in the plugins installed on it. So it is very important to enumerate the plugins installed on our wordpress target. We can enumerate the plugins using the “enumerate” option as shown below.

The scan result will be as shown below.( And there you have the first Easter egg). So totally we found four plugins. The first one is Ajax Load More Plugin. As the red exclamation mark shows, it is vulnerable and we have seen how to exploit this vulnerability in the sequel I told you about. If you haven’t gone through it, it’s here.

The second plugin is the vulnerable version of Akismet.

The third vulnerable plugin is the WordPress Slider revolution plugin. We will see more about this in our next howto.

Another important aspect to find vulnerabilities in the wordpress is its theme.  Now let’s enumerate the theme as shown below. The vulnerabilities present in the theme are given below.

After that let’s enumerate the users in our remote target as shown below.

We can see that the only username in our target. That’s WPscan for you. Hope it was helpful to you and wait for the sequels.

Posted on by

Joomscan : Vulnerability assessment of Joomla

Joomla is one of the most popular  CMS which is widely used for its flexibility, user-friendliness and extensibility. The downside of  popularity in software world is that it becomes a target for hackers.  We have just recently seen how to exploit some recent vulnerabilities in Joomla. It would be pretty helpful if the users or testers know the vulnerabilities in their Joomla CMS before any hacker takes advantage of them. Joomscan is one such tool which will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites.

Joomscan has features like

Exact version Probing
Common Joomla! based web application firewall detection
Searching known vulnerabilities of Joomla! and its components
Reporting to Text & HTML output
Immediate update capability via scanner or svn.

Joomscan is installed by default in Kali Linux. Now let’s see how to use this tool. Open a terminal and type command “joomscan update” first. We will update the tool first.

Once the tool is updated as shown above, type command “joomscan” to see the options as shown below.

Next, give the target joomla website as shown below. In this howto, I’m using my own Joomla website.

The result would seem like below. Below we see that our target doesn’t have any firewall, it’s server is apache and it is powered by PHP version 5.3.10. Unfortunately it didn’t detect the version. Hmm, no probs.

Next it will scan for vulnerabilities and check whether if this site is vulnerable for a particular vulnerability as shown below.

At the end, it will show us the number of vulnerabilities present in our target.

We can see that our target has 2 vulnerabilities as shown in the above image. We will see how to exploit those vulnerabilities in our future howtos. But for now we have successfully performed a vulnerability assessment of our target.