Hello aspiring hackers. In this howto we will learn about WordPress Mobile Detector Plugin upload and execute module .WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. It is very popular not only for the ease with which a website can be set up using it, but also how simply multiple plugins and themes can be added in it to give extended functionality without much hassle. But these plugins can pose a high security risk if not properly coded.
One such plugin is WordPress Mobile Detector. This plugin is used to display content on WordPress sites in a format suitable for phones and tablet devices. This plugin is used mostly by business users. Version 3.5 of this plugin is affected with file upload vulnerability. A hacker can upload malicious arbitrary files and execute them.
Let us see how this module works. Load the module and check the options it requires as shown below.
The options this module requires are the remote host address (target address), the targeturi and the local host address (IP address of Kali Linux). The only thing that can go wrong in setting options is that of targeturi, the location where WordPress is installed. If you set it wrong, this module may not work. Check if the target is indeed running the vulnerable version of the plugin using the “check” command.
Execute the modue using the “run” command. If everything went well, you should get a meterpreter shell on the target machine as shown below. You can see in the image below as to how this exploit works. This vulnerability is an arbitrary file upload vulnerability which allows hackers to upload any file into the target web server So this module first creates a malicious file, hosts it on a web server and uploads it into the target web server using this vulnerability.
We will be back with a new exploit next time. Until then, Goodbye.
Good morning friends. Not all vulnerabilities are unauthenticated, sometimes we require credentials to exploit a vulnerability like the WordPress ajax loadmore Php upload exploit we saw in one of previous howtos. But how do we get these credentials. Metasploit has an auxiliary module for WordPress user enumeration. Let’s see how this exploit works.
Start Metasploit and load the wordpress user enumeration exploit as shown below. Type command “show options” to see the options we can specify. We can see a variety of options. All the options are self explanatory but let us see some of the options.
The “BLANK_PASSWORDS” option if set will check if any of the users are without any password. The “VERBOSE”option will display more clearly what the module is doing. The “USERNAME” and “PASSWORD” option will check for single username and password respectively. The “USER_AS_PASS” option will check whether the username itself is being used as password. The USER_FILE and PASS_FILE are used to specify file for usernames and passwords to enumerate respectively. The VALIDATE_USERS option will first validate if user exists on the target even before trying to crack his password.
The “USER_PASS” file option allows us to specify the same file for username and password as shown below. Here I have specified a wordlist consisting of most common passwords as the USER_PASS file. When we execute the module, we can see that it will first validate all the usernames.
What if we know the username? The first question is how will we know the username. Just go through one of our previous howto : WordPress vulnerability assessment with WPSCAN. The tool gave use a hint that username is “root”. Now we will set the username as root, specify a common password dictionary as password file as shown below.
When I run the script, it confirms that the username is valid and tries all words in the dictionary as password one by one.
After some time we can see that we successfully cracked the password for user “root” as “123456”.
HOW TO STAY SAFE:
Never use not only common passwords but also common usernames for your websites. Still most of the people tend to use common usernames like admin, administrator etc. and common passwords.
WordPress is one of the most popular CMS available for websites. It can be used to create a beautiful website, blog, or app. As its developers say, “WordPress is both free and priceless at the same time”. Its latest release to time, 4.5 has been downloaded 40,446,377 times till editing of this howto. But being popular in field of hacking has its own disadvantages. The latest version suffers from oEmbed Denial of Service (DoS), Password Change via Stolen Cookie and Redirect Bypass vulnerabilities.
Similarly every version of WordPress has some vulnerability or other. But how do we find out which version of WordPress is the site running. Metasploit has an auxiliary module for WordPress version detection. Let’s see how it works.
Start Metasploit and load the module. Type command “show options” to see the options we required for this module.
Multiple IP addresses can be set as shown below. I am trying five targets.
After assigning IP addresses, type command “run” to execute the exploit. The first target is my own. As you can see, our two of our targets responded with their version. But what about others? Maybe a firewall is blocking our request or maybe our targeturi is wrong. Please try this scan with targeturi set to “/” and also “/wordpress” for better results.
By the way, version 4.1 suffers from a arbitrary file upload vulnerability.
Good Evening friends. This howto is a direct sequel to our previous howto WordPress vulnerability assessment with WPscan, so I suggest you go through that howto first and look out for the easter eggs. This howto is based on one of the vulnerabilities we found in our previous howto. To those newbies, who don’t know what is revolution slider, it is a popular plugin used by many wordpress websites. Well, I am sure you have heard about Panama papers leak. Yeah, I’m talking about the leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. It has been identified that Mossack Fonseca was using a vulnerable version of WordPress revslider plugin which resulted in the hack. All versions of the plugin from 2.1.7 to 3.0.95 are vulnerable to the attack.
This exploit was made public last year but still there are many wordpress websites using the vulnerable plugin( as with the case of Mossack fonseca ). Now let us see how this exploit works in Metasploit. Start Metasploit and search for our exploit as shown below.
Load the exploit as shown below.
Set the required options as shown below.
Set the required payload. Here for illustration I am setting the famous meterpreter payload.
You can also check if your target is vulnerable by using “check” command as shown below.( But we already know our target is vulnerable).
You can execute the exploit by typing “exploit”. If all went well, you will get the meterpreter shell on victim system.
Good Evening friends. Hope you’re fine. After focusing on Joomla for some time, with this howto I have decided to focus on another popular CMS, that is WordPress. This howto is a pre-prequel to one of my articles on how to hack wordpress right here. This howto will have two other sequels and watch out for some easter eggs in this howto. ( Mind my talk about sequels,prequels and easter eggs, but did I tell you I am a big Marvel fan). Ok, ok, ok. Now let’s begin. The tool we will use here is called WPscan. WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues and also for enumeration. It is by default installed in Kali Linux Sana. Now open a terminal and update our tool by typing command as shown below.
To scan a wordpress website, you have to give the url as shown below. For this howto, I am using a local installation of wordpress as target. Assign the target as shown below. The scan will start as shown below.
Here are the screenshots of result of this scan. . As you can see we have 13 vulnerabilities in the present installation and the vulnerabilities are given below.
One of the easiest ways to hack a wordpress site is to exploit the plugins installed in the target as most of the wordpress vulnerabilities nowadays exist in the plugins installed on it. So it is very important to enumerate the plugins installed on our wordpress target. We can enumerate the plugins using the “enumerate” option as shown below.
The scan result will be as shown below.( And there you have the first easter egg). So totally we found four plugins. The first one is Ajax Load More Plugin. As the red exclamation mark shows, it is vulnerable and we have seen how to exploit this vulnerability in the sequel I told you about. If you haven’t gone through it, it’s here.
The second plugin is the vulnerable version of Akismet.
The third vulnerable plugin is the WordPress Slider revolution plugin. We will see more about this in our next howto.
Another important aspect to find vulnerabilities in the wordpress is its theme. Now let’s enumerate the theme as shown below. The vulnerabilities present in the theme are given below.
After that let’s enumerate the users in our remote target as shown below.
We can see that the only username in our target. That’s WPscan for you. Hope it was helpful to you and wait for the sequels.