Web App Hacking, Part 4: Finding Vulnerabilities in WordPress Sites

Hacking

WordPress is the most ubiquitous of the Content Management Systems for building websites. According to WordPress, this CMS is used in 27% of the top 10 million websites! That gives us lots of fertile ground to cultivate in our hacking adventures!

Built on PHP, Apache and MySQL, it provides developers a simple and easy to use a framework for developing dynamic websites. Unfortunately, these technologies have been riddled with vulnerabilities. In addition, WordPress enables the developer to plugin a wide range of plugins and very often, it is these plugins that are most vulnerable. In recent days, there have been over a million WordPress sites defaced according to reliable news reports.

In this tutorial, I want to demonstrate a few quick and easy ways to find vulnerabilities in WordPress websites that may lead to later exploitation and defacement.

Usually, I am reluctant to demonstrate hacking techniques on your your average Mom and Pop website. They know little about building websites and even less about IT security. On the other hand, I feel that anyone with a IT security or hacking web site is “fair game” as they are advertising themselves as hacking and IT security experts. so that’s where I will focus my efforts here.

Finding WordPress Sites

In an earlier article here, I demonstrated how to find WordPress sites. There are numerous ways, including a Mozilla and Chrome plugin, but I really like Google hacking to find them. In this case, we want to find WordPress sites by looking for;

“index of” inurl:wp-content

This should find many of the WordPress web sites. If we wanted to find WordPress sites advertising themselves as for hacking and hackers, we could append this Google dork with;

intitle:”hacking”

Let’s try to find some WordPress sites advertising themselves as hackers.

“index of” inurl:wp-content intitle:”hacking”

As you can see, 123 sites were found by Google that use WordPress and have hacking in their title. Let’s see how secure these “hacker” sites are.

Finding WordPress Vulnerabilities with wpscan

Now, let’s use a great tool specifically for finding vulnerabilities in WordPress sites, wpscan. It’s built into Kali, so need to download or install anything. Fire up Kali, open a terminal and enter;

kali > wpscan –help

Although wpscan is a powerful tool with many options, let’s use it in its simplest form as a non-intrusive vulnerabilities scanner. As you can see above, the syntax is simple;

wpscan –url <URL>

Lets try it against our “hacker” friends’ websites.

Let’s begin with www. kryptostechnology.com

kali > wpscan -url www.kryptostechnology.com

Wpscan begins its scan and immediately finds two interesting directories, /wp-content/uploads and /wp-includes as seen below (see the WordPress directory structure at the bottom of this article).

It continues next to the vulnerability scan and finds that the plugin buddypress has been used in this site. Unfortunately, it could not determine the version, so it lists all the known vulnerabilities in buddypress.

Remember above where wpscan found two interesting directories? Let’s take a look at those (for a diagram of the WordPress directory structure navigate to the bottom of this article). Let’s navigate to;

https://kryptostechnology.com/wp-content/uploads

As you can see, the uploads directory is exposed to anyone who knows it is there. Not a good idea and a significant security risk!

Next, let’s look at the wp-includes directory.

https://kryptostechnology.com/wp-includes

As you can see here, the wp-includes is available to anyone who accesses that directory within WordPress site. Note about a third of the way down the page, the site’s certificates are available to anyone who wants to download them.

Next, let’s try another site on our list, www.maherhackers.com. These guys advertise themselves as “real hackers”.

kali > wpscan –url www.maherhackers.com

wpscan begins its scan and finds several interesting directories including the readme file. This file provides definitive proof of the version of WordPress making it easier to find known vulnerabilities. In this case, it indicates version 4.7 which still contains multiple known vulnerabilities.

Our scanner then proceeds to list all the known vulnerabilities against this version of WordPress. Some of these are very serious, such as CVE 2016-10045 Remote Code Execution.

Now that wpscan has completed its work, let’s go and see if we can find that readme file that wpscan indicated is exposed. Let’s navigate to;

https://maherhackers.com/readme.html

As you can see, these hackers left their readme file exposed!

No malicious intent was intended in these two scans and I did it for strictly for educational purposes. Hopefully, when the owners of these two websites see this article, they will improve the security of their web site before going on to help others and world will be a safer place.

Conclusion

With WordPress sites comprising 2.7 million of the top 10 million websites, they provide significant fodder for web app hacking. wpscan is an excellent tool to test whether potential vulnerabilities exist, as well as enumerating any plugins that also might be vulnerable.

WordPress Directory Structure