cms hacking tricks - derbycon 4 - 2014
DESCRIPTION
Drupal, WordPress, and Joomla are very popular Content Management Systems (CMS) that have been widely adopted by government agencies, major businesses, social networks, and more — underscoring why understanding how these systems work and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester’s perspective of CMS’ and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists- all of which are open-source and can be downloaded and implemented following the presentation.TRANSCRIPT
CMS Hacking Tricks!Owning Content Management Systems
!!
Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH!Senior Security Research Engineer | LogRhythm Labs
Just a Few Content Management Systems
Security?
Image: http://www.emerce.nl/content/uploads/2012/10/Monkey-Barcode-Scanner-88205.jpg
Joomla - Targeted Scanning
http://sourceforge.net/projects/joomscan/
Intelligent Fingerprinting
• https://code.google.com/p/cms-explorer/
# perl cms-‐explorer.pl -‐-‐url http://some.cms.org -‐-‐type [CMS] -‐-‐osvdb !
• http://blindelephant.sourceforge.net/
# python BlindElephant.py http://some.cms.org [CMS]
http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html
Scrape Internal GitHub
Joomla [docroot]/configuration.php
WordPress [docroot]/wp-config.php
Drupal [docroot]/sites/default/settings.php
MySQL Creds…
Drupal Hash Salt…
Remediation…
Gaining Admin Access to Drupal
Already have server access? !Drush available? !Create a one-time link to log in as an admin… !$ cd [drupal directory] $ drush uli
Joomla Password Reset Abuse
WordPress Password Reset Abuse
Drupal Password Reset Abuse
Drupal Password Reset Abuse
User Enumeration is EZ
Image: http://security-is-just-an-illusion.blogspot.com/2013/11/wordlistpaswordlist-for-dictionary.html
Single Account…
All the Accounts!
Joomla & WordPress• Brute Forcing w/ Burp works against WordPress
too!
• Will not work against Joomla…
• Joomla integrates a unique form token per login request, which is actually verified by the server (unlike Drupal’s form token) :-P
• Brute forcing can be scripted but will be slow…
Uh OhNew Security Controls in Drupal 7…
Even better in Drupal 8!
Change it up…
Just Be Careful…
‘Mitigation’
Configure Appropriately
Session Handling
Image: http://blog.codinghorror.com/content/images/uploads/2012/02/6a0120a85dcdae970b016301e98de2970d-800wi.png
Missing Updates• Drupal
!
!
• WordPress
!
• Joomla
Update Notifications• Drupal!
• http://lists.drupal.org/mailman/listinfo/security-news
• https://drupal.org/security/rss.xml
• Joomla!
• http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
• https://watchful.li/features/
• WordPress!
• https://wordpress.org/plugins/wp-updates-notifier/
• http://codex.wordpress.org/Mailing_Lists#Announcements
Application Logging
• CMS logs should be captured and stored outside of the database to ensure log integrity.
!
• SIEM – Security Information Event Management
• Watchdog – Drupal’s built in logging, captures data within the ‘Watchdog’ database table.
• Syslog – Export Drupal’s logs to the Linux syslog. Creates a flat file that is easy to monitor.
Drupal Application Logging
• Nothing built in… Need to use a plugin which stores security logs to a database table
• https://wordpress.org/plugins/wp-security-audit-log/
WordPress Application Logging
• Must be configured manually within Joomla’s configuration and is not enabled by default.
!
• Flat file logging can be set up using JLog!
!
• http://developer.joomla.org/manual/ch02s05s03.html
Joomla Application Logging
Authorization
• What are users allowed to do within comment fields? !
• New filtered HTML tags?
• Full HTML Enabled?
Image: http://musformation.com/pics/trust-but-verify.jpg
Unrestricted File Uploads
Drupal File Upload Vuln Fixed?• Uploading and executing PHP code has been ‘fixed’
in recent versions of Drupal as of November 2013
• https://drupal.org/SA-CORE-2013-003
• Code execution prevention
• (Files directory .htaccess for Apache - Drupal 6 and 7)
• Not exactly… <evil> :-) </evil>
• Drupal 8 Fix? - https://www.drupal.org/node/1587270
Insecure WordPress Plugins• TimThumb - Popular and common plugin!
• v 2.8.13 WebShot Remote Code Execution
• http://www.exploit-db.com/exploits/33851/
Insecure Joomla Extensions• Quite a few… Most interesting is a SQLi in Core
• We’ll Look into this later…
Drupal Development Modules
• Modules that assist with active development
• Remove prior to Test / Staging
• Never leave installed on Production applications
• Picking on…
• Devel — https://drupal.org/project/devel
• Masquerade – https://www.drupal.org/project/masquerade
Drupal - Masquerade• Allows you to change accounts to any other user
Devel• Module used for development
• Should never be installed on production, ever…
• Allows users to view debugging information, including full database details of application content.
• Also allows for PHP code execution!
Password Hash Disclosure
Automated Hash Extraction
Cracking Drupal Hashes• Drupal 7!
# john d.hash –wordlist=“rockyou.txt” –salt=“TPcVtqQcs37Q69hDTViwiFiHqUV41tyAd3LnnjmNrbA” –format=“drupal7”
• Drupal 6!
# john d.hash –wordlist=“rockyou.txt”
OR
# hashcat -‐m -‐0 -‐a 0 -‐o d.txt d.hash rock.dict
Cracking WordPress & Joomla Hashes
• WordPress!
# hashcat -‐m 400 -‐a 0 -‐o wp.txt wp.hash rock.dict
• Joomla!
# hashcat -‐m 11 -‐a 0 -‐o j.txt j.hash rock.dict
PHP Code Execution
I <3 Shells
< DEMO >
Closing Thoughts…• Do your research to better understand your organizational
architecture, servers, applications, log data, etc.
• Pen Test your applications, don’t just scan…
• Update early and often!
• Embed security with development from the beginning.
• Download scripts to augment the penetration testing process of Drupal applications:
• https://github.com/gfoss/attacking-drupal/
Thank You!
Questions?!
https://github.com/gfoss/attacking-drupal/ !
Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEHSenior Security Research Engineer
greg.foss[at]LogRhythm.com @heinzarelli