
CMS Hacking Tricks - DerbyCon 4 - 2014


Drupal, WordPress, and Joomla are very popular Content Management Systems (CMSs) that have been widely adopted by government agencies, major businesses, social networks, and more, which is why understanding how these systems work and properly securing these applications is of the utmost importance. This talk takes the penetration tester's perspective on CMSs and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists, all of which are open source and can be downloaded and implemented following the presentation.

Published in: Technology


  1. CMS Hacking Tricks! Owning Content Management Systems. Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH. Senior Security Research Engineer | LogRhythm Labs
  2. Just a Few Content Management Systems
  3. Security?
  4. Image: http://www.emerce.nl/content/uploads/2012/10/Monkey-Barcode-Scanner-88205.jpg
  5. Drupal - https://site.com/CHANGELOG.txt
  6. Drupal - https://site.com/CHANGELOG.txt
  7. Joomla - https://site.com/htaccess.txt
  8. WordPress - https://site.com/readme.html
  9. WordPress - https://site.com/readme.html
  10. WordPress - https://site.com/readme.html
  11. Joomla - Targeted Scanning: http://sourceforge.net/projects/joomscan/
  12. WordPress - Targeted Scanning: http://wpscan.org
  13. Intelligent Fingerprinting • https://code.google.com/p/cms-explorer/ : # perl cms-explorer.pl --url http://some.cms.org --type [CMS] --osvdb • http://blindelephant.sourceforge.net/ : # python BlindElephant.py http://some.cms.org [CMS]
  14. Image: http://is1103.com/2013/10-October/source.png
  15. http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html
  16. Scrape Internal GitHub
  17. Joomla [docroot]/configuration.php
  18. WordPress [docroot]/wp-config.php
  19. Drupal [docroot]/sites/default/settings.php • MySQL Creds… • Drupal Hash Salt…
  20. Remediation…
  21. Gaining Admin Access to Drupal • Already have server access? • Drush available? • Create a one-time link to log in as an admin… $ cd [drupal directory] $ drush uli
  22. Joomla Password Reset Abuse
  23. WordPress Password Reset Abuse
  24. Drupal Password Reset Abuse
  25. Drupal Password Reset Abuse
  26. User Enumeration is EZ
  27. Image: http://security-is-just-an-illusion.blogspot.com/2013/11/wordlistpaswordlist-for-dictionary.html
  28. Single Account…
  29. All the Accounts!
  30. Joomla & WordPress • Brute Forcing w/ Burp works against WordPress too! • Will not work against Joomla… • Joomla integrates a unique form token per login request, which is actually verified by the server (unlike Drupal’s form token) :-P • Brute forcing can be scripted but will be slow…
  31. Uh Oh… New Security Controls in Drupal 7… Even better in Drupal 8!
  32. Change it up…
  33. Just Be Careful…
  34. ‘Mitigation’
  35. Configure Appropriately
  36. Session Handling. Image: http://blog.codinghorror.com/content/images/uploads/2012/02/6a0120a85dcdae970b016301e98de2970d-800wi.png
  37. Missing Updates • Drupal • WordPress • Joomla
  38. Update Notifications • Drupal: http://lists.drupal.org/mailman/listinfo/security-news , https://drupal.org/security/rss.xml • Joomla: http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions , https://watchful.li/features/ • WordPress: https://wordpress.org/plugins/wp-updates-notifier/ , http://codex.wordpress.org/Mailing_Lists#Announcements
  39. Application Logging • CMS logs should be captured and stored outside of the database to ensure log integrity. • SIEM – Security Information and Event Management
  40. Drupal Application Logging • Watchdog – Drupal’s built-in logging, captures data within the ‘Watchdog’ database table. • Syslog – Export Drupal’s logs to the Linux syslog. Creates a flat file that is easy to monitor.
  41. WordPress Application Logging • Nothing built in… Need to use a plugin which stores security logs to a database table • https://wordpress.org/plugins/wp-security-audit-log/
  42. Joomla Application Logging • Must be configured manually within Joomla’s configuration and is not enabled by default. • Flat file logging can be set up using JLog • http://developer.joomla.org/manual/ch02s05s03.html
  43. Authorization • What are users allowed to do within comment fields? • New filtered HTML tags? • Full HTML enabled? Image: http://musformation.com/pics/trust-but-verify.jpg
  44. Unrestricted File Uploads
  45. Drupal File Upload Vuln Fixed? • Uploading and executing PHP code has been ‘fixed’ in recent versions of Drupal as of November 2013 • https://drupal.org/SA-CORE-2013-003 • Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7) • Not exactly… <evil> :-) </evil> • Drupal 8 Fix? - https://www.drupal.org/node/1587270
  46. Insecure WordPress Plugins • TimThumb - Popular and common plugin! • v2.8.13 WebShot Remote Code Execution • http://www.exploit-db.com/exploits/33851/
  47. Insecure Joomla Extensions • Quite a few… Most interesting is a SQLi in Core • We’ll look into this later…
  48. Drupal Development Modules • Modules that assist with active development • Remove prior to Test / Staging • Never leave installed on Production applications • Picking on… • Devel – https://drupal.org/project/devel • Masquerade – https://www.drupal.org/project/masquerade
  49. Drupal - Masquerade • Allows you to change accounts to any other user
  50. Devel • Module used for development • Should never be installed on production, ever… • Allows users to view debugging information, including full database details of application content. • Also allows for PHP code execution!
  51. Password Hash Disclosure
  52. Automated Hash Extraction
  53. Cracking Drupal Hashes • Drupal 7: # john d.hash --wordlist="rockyou.txt" --salt="TPcVtqQcs37Q69hDTViwiFiHqUV41tyAd3LnnjmNrbA" --format="drupal7" • Drupal 6: # john d.hash --wordlist="rockyou.txt" OR # hashcat -m 0 -a 0 -o d.txt d.hash rock.dict
  54. Cracking WordPress & Joomla Hashes • WordPress: # hashcat -m 400 -a 0 -o wp.txt wp.hash rock.dict • Joomla: # hashcat -m 11 -a 0 -o j.txt j.hash rock.dict
  55. PHP Code Execution
  56. I <3 Shells
  57. < DEMO >
  58. Closing Thoughts… • Do your research to better understand your organizational architecture, servers, applications, log data, etc. • Pen test your applications, don’t just scan… • Update early and often! • Embed security with development from the beginning. • Download scripts to augment the penetration testing process of Drupal applications: https://github.com/gfoss/attacking-drupal/
  59. Thank You! Questions? https://github.com/gfoss/attacking-drupal/ Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH. Senior Security Research Engineer. greg.foss[at]LogRhythm.com @heinzarelli
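Two of the findings the deck comes back to are things a site owner can check locally before anyone scans the site: version-disclosure files left in the webroot (slides 5-10: CHANGELOG.txt, htaccess.txt, readme.html) and Drupal development modules still installed on production (slides 48-50: Devel, Masquerade). The script below is an added example for the remediation side, not code from the talk or from the attacking-drupal repository; it walks a document root and reports both. The module directories it looks in assume a stock Drupal 7 layout (sites/all/modules, optionally with a contrib/ subfolder) or Drupal 8 (modules/); multisite installs will need the paths adjusted.

```shell
#!/bin/sh
# Added example: local production audit for a CMS document root.
# Reports (a) version-disclosure files the slides show being fetched from
# the webroot and (b) Drupal development modules that must not be deployed.
# Paths are assumptions for a default Drupal 7 / Drupal 8 layout.

DISCLOSURE_FILES="CHANGELOG.txt htaccess.txt readme.html"
DEV_MODULES="devel masquerade"

# Print one "KIND<TAB>path" line per finding for the document root in $1.
cms_audit() {
    docroot="${1%/}"   # tolerate a trailing slash
    for f in $DISCLOSURE_FILES; do
        [ -f "$docroot/$f" ] && printf 'DISCLOSURE\t%s\n' "$docroot/$f"
    done
    for m in $DEV_MODULES; do
        for dir in "$docroot/sites/all/modules/$m" \
                   "$docroot/sites/all/modules/contrib/$m" \
                   "$docroot/modules/$m" \
                   "$docroot/modules/contrib/$m"; do
            [ -d "$dir" ] && printf 'DEV-MODULE\t%s\n' "$dir"
        done
    done
    return 0
}

# Number of findings; 0 means the docroot is clean on these two checks.
cms_audit_count() {
    cms_audit "$1" | grep -c . || true
}

# Stand-alone use:  sh cms_audit.sh /var/www/html
if [ -n "$1" ]; then
    cms_audit "$1"
    echo "findings: $(cms_audit_count "$1")"
fi
```

Remediation for a DISCLOSURE hit is to delete the file from the deployed tree (or deny it in the web server configuration, which is what slide 20 points at); for a DEV-MODULE hit, uninstall the module and remove its directory rather than just disabling it, since Devel's PHP execution page only needs the code present to be dangerous once re-enabled. Run the audit from the deployment pipeline so a clean result is a gate, not a one-off check.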
