Slide 1

WordPress Security by Tuhin Bose

Slide 2

Who am I?

Slide 3

Agenda

1. What is WordPress?
2. Why WordPress?
3. Hacking WordPress
4. Security Measures
5. Conclusion & Q&A

Slide 4

What is WordPress?

Slide 5

- Free and open-source CMS.
- Used to create a beautiful website.
- Written in PHP and paired with a MySQL or MariaDB database.
- Simple, flexible, has user management, and is easy to set up and upgrade.

Slide 6

Why WordPress?

Slide 7

1. As of 2021, there are about 1.3 billion total websites on the web. More than 455 million sites use WordPress.
2. A bunch of themes and plugins.
3. Lack of awareness.
4. Vulnerable by default.

Slide 8

Hacking WordPress

Slide 9

Detection: Wappalyzer (a browser extension that identifies the CMS a site runs).

Slide 10

Default Credentials

User Permissions:
1. Administrator
2. Editor: publishes and manages his own and others' posts.
3. Author: publishes and manages his own posts.
4. Contributor: writes and manages his posts but cannot publish them.
5. Subscriber: browses posts and edits their profile.

Slide 11

Default Credentials

Login page: /wp-login.php
Try default credentials:
- admin:admin
- admin:password
- guest:guest
- ...

Slide 12

xmlrpc.php

Location: /xmlrpc.php

XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Let's say you want to post to your website from your mobile device: you could use the remote access feature enabled by xmlrpc.php to do just that. We'll try to achieve SSRF and brute force through it.

Slide 13

xmlrpc.php

List methods: system.listMethods
We're interested in pingback.ping and wp.getUsersBlogs.

Slide 14

xmlrpc.php

SSRF using pingback.ping: call the pingback.ping method with the parameters http://xyz.burp.net:80 (source URI) and http://target.com/ (target URI).

Slide 15

xmlrpc.php

Brute force using wp.getUsersBlogs: call the wp.getUsersBlogs method with the parameters admin (username) and pass (password).
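The method inventory the slides describe (system.listMethods, then checking for pingback.ping and wp.getUsersBlogs), as an added example written for this page rather than code from the slides: it builds the request with Python's standard xmlrpc.client, parses a constructed reply, and reports which of the two methods a site still exposes, which is the check a site owner runs after disabling XML-RPC. The sample responses, the fetch_method_list helper and its URL are assumptions, not captured from a real site.

```python
"""Inventory which XML-RPC methods a WordPress site exposes.

Added example (not from the original slides): builds the system.listMethods
call, parses the reply, and flags the two methods the slides single out
(pingback.ping and wp.getUsersBlogs) so a site owner can confirm whether
xmlrpc.php is still reachable after disabling it.
"""
import urllib.request
import xmlrpc.client

# Methods the slides single out, with the risk each one carries when exposed.
METHODS_OF_INTEREST = {
    "pingback.ping": "accepts a URL for the server to fetch (SSRF / pingback abuse)",
    "wp.getUsersBlogs": "takes a username and password (credential-guessing surface)",
}


def build_list_methods_request() -> bytes:
    """XML body for system.listMethods, which takes no parameters."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def parse_method_list(xml_response: str) -> list:
    """Parse a methodResponse carrying an array of method names.

    Returns [] when the server answered with an XML-RPC fault, which is
    what a site with XML-RPC disabled gives back.
    """
    try:
        (methods,), _ = xmlrpc.client.loads(xml_response)
    except xmlrpc.client.Fault:
        return []
    return list(methods)


def assess_exposure(methods: list) -> dict:
    """Map each method of interest to True if the server lists it."""
    return {name: name in methods for name in METHODS_OF_INTEREST}


def fetch_method_list(xmlrpc_url: str, timeout: float = 10.0) -> list:
    """POST the request to a site you administer (hypothetical URL) and return its method list."""
    req = urllib.request.Request(
        xmlrpc_url,
        data=build_list_methods_request(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_method_list(resp.read().decode("utf-8", "replace"))


# Constructed sample reply (not captured from a real site): a default install
# that still lists both methods of interest.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>wp.getPosts</string></value>
</data></array></value></param></params></methodResponse>"""

# Constructed fault reply, the shape a disabled endpoint gives back.
SAMPLE_FAULT = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>"""

if __name__ == "__main__":
    for name, exposed in assess_exposure(parse_method_list(SAMPLE_RESPONSE)).items():
        state = "EXPOSED" if exposed else "not listed"
        print(f"{name}: {state} ({METHODS_OF_INTEREST[name]})")
```

Run it against your own site by calling fetch_method_list("https://your-site.example/xmlrpc.php") and passing the result to assess_exposure; after XML-RPC is disabled (security measure 1 below) the endpoint answers with a fault and both entries come back False.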

Slide 16

Denial of Service (DoS): /wp-cron.php

When this file is accessed, a heavy MySQL query is performed, so it could be used by attackers to cause a DoS. By default, wp-cron.php is called on every page load (any time a client requests any WordPress page), which on high-traffic sites can cause problems (DoS).

Slide 17

Denial of Service (DoS): /wp-cron.php

Detection: blank page with a 200 OK response.
Exploitation: open your terminal and enter the following commands:
i. wget https://raw.githubusercontent.com/Quitten/doser.py/master/doser.py
ii. python3 doser.py -t 999 -g 'https://target.com/wp-cron.php'

Slide 19

Denial of Service (DoS): CVE-2018-6389

WordPress allows users to load multiple JS and CSS files at once through load-scripts.php. For example, for https://example.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1, load-scripts.php will load the jquery-ui-core and editor files automatically and return their contents. However, the number and size of files are not restricted when loading JS files, so attackers can use this function to deplete server resources and launch denial-of-service attacks. For example, the payload below causes 4.11 Mb of data to be transferred between the server and the user. So if the attacker sends 10,000 requests, that results in transferring 41100 Mb (42Gb) from the server to the user, which would cause a denial of service on the server.

Slide 20

Denial of Service (DoS)

Payload: https://pastebin.com/hATmX1pk
Exploitation: use doser.py
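The attacks in this section all leave a characteristic trace in the web server's access log: bursts of POSTs to /xmlrpc.php or /wp-login.php from one client (the wp.getUsersBlogs and default-credential guessing above), floods of hits on /wp-cron.php, and requests for wp-admin/load-scripts.php with far more load[] handles than any admin page asks for (the CVE-2018-6389 pattern). The following detector is an added example written for this page, not code from the slides: it parses combined-format log lines and raises an alert when those patterns cross a threshold. The log lines are constructed, and the thresholds are illustrative choices rather than values from the slides.

```python
"""Detect the WordPress abuse patterns described above in a web access log.

Added example (not from the original slides). It parses combined-format
access log lines and alerts when one client IP sends many POSTs to
/xmlrpc.php or /wp-login.php inside a short window (credential guessing),
hammers /wp-cron.php (DoS), or requests wp-admin/load-scripts.php with an
oversized load[] list (the CVE-2018-6389 pattern). Thresholds are
illustrative choices, and the log lines are constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
WINDOW = timedelta(seconds=60)
# (path, HTTP method or None for any, max requests per client IP per WINDOW)
RULES = [
    ("/xmlrpc.php", "POST", 20),
    ("/wp-login.php", "POST", 10),
    ("/wp-cron.php", None, 30),
]
MAX_LOAD_HANDLES = 50  # a legitimate admin page requests a handful of scripts


def parse_line(line: str):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        "query": parts.query,
        "status": int(m["status"]),
    }


def load_scripts_handle_count(query: str) -> int:
    """Number of script handles asked for via load[] (comma-separated values)."""
    return sum(len([h for h in v.split(",") if h]) for v in parse_qs(query).get("load[]", []))


def max_in_window(timestamps) -> int:
    """Largest number of events that fall inside any WINDOW-long interval."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines) -> list:
    """Return sorted (ip, alert) tuples for the given log lines."""
    alerts = set()
    events = defaultdict(list)  # (ip, path) -> [(timestamp, method), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        events[(rec["ip"], rec["path"])].append((rec["ts"], rec["method"]))
        if rec["path"].endswith("/wp-admin/load-scripts.php"):
            n = load_scripts_handle_count(rec["query"])
            if n > MAX_LOAD_HANDLES:
                alerts.add((rec["ip"], f"load-scripts.php requested {n} handles (CVE-2018-6389 pattern)"))
    for (ip, path), hits in events.items():
        for rule_path, rule_method, limit in RULES:
            if path != rule_path:
                continue
            peak = max_in_window([ts for ts, m in hits if rule_method in (None, m)])
            if peak > limit:
                alerts.add((ip, f"{peak} requests to {path} within {WINDOW.seconds}s"))
    return sorted(alerts)


def _line(ip, ts, method, target, status=200):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


_T0 = datetime(2021, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("198.51.100.7", _T0, "GET", "/"),  # ordinary visitor
     _line("198.51.100.7", _T0 + timedelta(seconds=5), "POST", "/xmlrpc.php")]
    # 25 POSTs to xmlrpc.php from one client within 48 seconds
    + [_line("203.0.113.9", _T0 + timedelta(seconds=2 * i), "POST", "/xmlrpc.php") for i in range(25)]
    # 12 login attempts from the same client within 22 seconds
    + [_line("203.0.113.9", _T0 + timedelta(seconds=2 * i), "POST", "/wp-login.php") for i in range(12)]
    # one request for 120 script handles at once
    + [_line("192.0.2.44", _T0, "GET",
             "/wp-admin/load-scripts.php?c=1&load%5B%5D=" + ",".join(f"h{i}" for i in range(120)) + "&ver=4.9.1")]
)

if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOG):
        print(f"{ip}: {alert}")
```

Feed it real lines with detect(open("/var/log/apache2/access.log")) and tune RULES to your traffic; the sliding window matters because a slow trickle of wp-login.php POSTs spread over an hour should not trip the same threshold as a burst.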

Slide 21

Automation: WPScan / CMSmap

CMSmap: CMSmap is an open-source Python CMS scanner that automates the detection of security flaws in the most popular CMSs. The main purpose of this tool is to integrate common vulnerabilities for different types of CMSs into a single tool.
cmsmap https://example.com

Slide 22

Automation: WPScan / CMSmap

WPScan: WPScan is a WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.

Slide 23

Automation: WPScan, getting an API token (the vulnerable-theme and vulnerable-plugin checks need a token obtained from wpscan.com).

Slide 24

Automation

Basic scan: wpscan --url https://target.com/
Detect all themes: wpscan --url https://target.com/ -e at
Detect all plugins: wpscan --url https://target.com/ -e ap
Detect vulnerable themes: wpscan --url https://target.com/ -e vt --api-token <TOKEN>
Detect vulnerable plugins: wpscan --url https://target.com/ -e vp --api-token <TOKEN>

Slide 25

Time for practical stuff

Slide 26

Security Measures

Slide 27

Security Measures

1. Disable xmlrpc manually or using some plugin.
2. Disable wp-cron by updating wp-config.php:
   define('DISABLE_WP_CRON', true);
   and configure a regular system cronjob.
3. Protect from CVE-2018-6389 by modifying .htaccess. The rule must be scoped to load-scripts.php; placed bare in the site root, "Deny from all" would block the whole site:
   <Files "load-scripts.php">
   Order allow,deny
   Deny from all
   </Files>
4. Update WordPress core, themes and plugins from time to time.
5. Hide the default login page / allow it only from a few IP addresses.
6. Use reCAPTCHA on sensitive actions.
7. Always take a backup of your site.
8. Use a strong password and enable 2FA on every account.
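Measures 2 and 3 are easy to get subtly wrong: DISABLE_WP_CRON set without a replacement cron job means scheduled tasks never run, and the two Apache directives copied into .htaccess without a <Files> scope deny every request in that directory. The following audit is an added example written for this page, not code from the slides: it reads the text of wp-config.php, the wp-admin/.htaccess and the system crontab and reports which of those steps is missing or misapplied. The file contents it runs on are constructed samples, and the cron line's example.com URL is a placeholder.

```python
"""Check a WordPress install for the hardening steps in the slides.

Added example (not from the original slides): given the text of
wp-config.php, wp-admin/.htaccess and the system crontab, report which of
three measures is missing: wp-cron disabled via DISABLE_WP_CRON, a
replacement system cron job, and load-scripts.php denied inside a <Files>
block. It also catches an unscoped "Deny from all", which would take the
whole directory offline. All file contents below are constructed samples.
"""
import re

DISABLE_CRON_RE = re.compile(r"""define\s*\(\s*['"]DISABLE_WP_CRON['"]\s*,\s*true\s*\)""", re.I)
FILES_BLOCK_RE = re.compile(r"<Files\s+\"?([^\s\">]+)\"?\s*>(.*?)</Files>", re.S | re.I)
DENY_RE = re.compile(r"^\s*(Deny from all|Require all denied)\s*$", re.M | re.I)
CRON_RE = re.compile(r"wp-cron\.php")


def audit(wp_config: str, htaccess: str, crontab: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if not DISABLE_CRON_RE.search(wp_config):
        findings.append("wp-config.php: DISABLE_WP_CRON is not set to true")
    if not CRON_RE.search(crontab):
        findings.append("crontab: no system cron job runs wp-cron.php")
    blocks = FILES_BLOCK_RE.findall(htaccess)
    if not any(name.endswith("load-scripts.php") and DENY_RE.search(body) for name, body in blocks):
        findings.append(".htaccess: load-scripts.php is not denied inside a <Files> block")
    outside = FILES_BLOCK_RE.sub("", htaccess)  # directives not wrapped in any <Files>
    if DENY_RE.search(outside):
        findings.append(".htaccess: a bare 'Deny from all' outside <Files> blocks the whole directory")
    return findings


# Constructed samples: a hardened install ...
HARDENED_CONFIG = "<?php\ndefine( 'DISABLE_WP_CRON', true );\n"
HARDENED_HTACCESS = '<Files "load-scripts.php">\n    Order allow,deny\n    Deny from all\n</Files>\n'
HARDENED_CRONTAB = "*/15 * * * * wget -q -O /dev/null https://example.com/wp-cron.php?doing_wp_cron\n"

# ... and one where the slide's two directives were pasted in unscoped.
UNHARDENED_CONFIG = "<?php\ndefine( 'DB_NAME', 'wp' );\n"
BROKEN_HTACCESS = "Order allow,deny\nDeny from all\n"
EMPTY_CRONTAB = ""

if __name__ == "__main__":
    for label, args in (("hardened", (HARDENED_CONFIG, HARDENED_HTACCESS, HARDENED_CRONTAB)),
                        ("unhardened", (UNHARDENED_CONFIG, BROKEN_HTACCESS, EMPTY_CRONTAB))):
        print(f"{label}: {audit(*args) or ['all checks passed']}")
```

On a real host, pass the contents of wp-config.php, wp-admin/.htaccess and the output of crontab -l to audit(); the cron interval and the wget fetch are one common way to replace wp-cron, not the only one.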

Slide 28

Twitter: @tuhin1729_ | Medium: @tuhin1729 | Instagram: @tuhin1729

Thank You!