CMS Hacking Tricks!Owning Content Management Systems

!!

Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH!Senior Security Research Engineer | LogRhythm Labs

Just a Few Content Management Systems

Security?

Image: http://www.emerce.nl/content/uploads/2012/10/Monkey-Barcode-Scanner-88205.jpg

Drupal - https://site.com/CHANGELOG.txt

Drupal - https://site.com/CHANGELOG.txt

Joomla - https://site.com/htaccess.txt

WordPress - https://site.com/readme.html

WordPress - https://site.com/readme.html

WordPress - https://site.com/readme.html

Joomla - Targeted Scanning

http://sourceforge.net/projects/joomscan/

WordPress - Targeted Scanning

http://wpscan.org

Intelligent Fingerprinting

• https://code.google.com/p/cms-explorer/

#  perl  cms-­‐explorer.pl  -­‐-­‐url  http://some.cms.org    -­‐-­‐type  [CMS]  -­‐-­‐osvdb    !

• http://blindelephant.sourceforge.net/

#  python  BlindElephant.py  http://some.cms.org  [CMS]

Image: http://is1103.com/2013/10-October/source.png

http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html

Scrape Internal GitHub

Joomla [docroot]/configuration.php

WordPress [docroot]/wp-config.php

Drupal [docroot]/sites/default/settings.php

MySQL Creds…

Drupal Hash Salt…

Remediation…

Gaining Admin Access to Drupal

Already have server access? !Drush available? !Create a one-time link to log in as an admin… !$ cd [drupal directory] $ drush uli

Joomla Password Reset Abuse

WordPress Password Reset Abuse

Drupal Password Reset Abuse

Drupal Password Reset Abuse

User Enumeration is EZ

Image: http://security-is-just-an-illusion.blogspot.com/2013/11/wordlistpaswordlist-for-dictionary.html

Single Account…

All the Accounts!

Joomla & WordPress• Brute Forcing w/ Burp works against WordPress

too!

• Will not work against Joomla…

• Joomla integrates a unique form token per login request, which is actually verified by the server (unlike Drupal’s form token) :-P

• Brute forcing can be scripted but will be slow…

Uh OhNew Security Controls in Drupal 7…

Even better in Drupal 8!

Change it up…

Just Be Careful…

‘Mitigation’

Configure Appropriately

Session Handling

Image: http://blog.codinghorror.com/content/images/uploads/2012/02/6a0120a85dcdae970b016301e98de2970d-800wi.png

Missing Updates• Drupal

!

!

• WordPress

!

• Joomla

Update Notifications• Drupal!

• http://lists.drupal.org/mailman/listinfo/security-news

• https://drupal.org/security/rss.xml

• Joomla!

• http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions

• https://watchful.li/features/

• WordPress!

• https://wordpress.org/plugins/wp-updates-notifier/

• http://codex.wordpress.org/Mailing_Lists#Announcements

Application Logging

• CMS logs should be captured and stored outside of the database to ensure log integrity.

!

• SIEM – Security Information Event Management

• Watchdog – Drupal’s built in logging, captures data within the ‘Watchdog’ database table.

• Syslog – Export Drupal’s logs to the Linux syslog. Creates a flat file that is easy to monitor.

Drupal Application Logging

• Nothing built in… Need to use a plugin which stores security logs to a database table

• https://wordpress.org/plugins/wp-security-audit-log/

WordPress Application Logging

• Must be configured manually within Joomla’s configuration and is not enabled by default.

!

• Flat file logging can be set up using JLog!

!

• http://developer.joomla.org/manual/ch02s05s03.html

Joomla Application Logging

Authorization

• What are users allowed to do within comment fields? !

• New filtered HTML tags?

• Full HTML Enabled?

Image: http://musformation.com/pics/trust-but-verify.jpg

Unrestricted File Uploads

Drupal File Upload Vuln Fixed?• Uploading and executing PHP code has been ‘fixed’

in recent versions of Drupal as of November 2013

• https://drupal.org/SA-CORE-2013-003

• Code execution prevention

• (Files directory .htaccess for Apache - Drupal 6 and 7)

• Not exactly… <evil> :-) </evil>

• Drupal 8 Fix? - https://www.drupal.org/node/1587270

Insecure WordPress Plugins• TimThumb - Popular and common plugin!

• v 2.8.13 WebShot Remote Code Execution

• http://www.exploit-db.com/exploits/33851/

Insecure Joomla Extensions• Quite a few… Most interesting is a SQLi in Core

• We’ll Look into this later…

Drupal Development Modules

• Modules that assist with active development

• Remove prior to Test / Staging

• Never leave installed on Production applications

• Picking on…

• Devel — https://drupal.org/project/devel

• Masquerade – https://www.drupal.org/project/masquerade

Drupal - Masquerade• Allows you to change accounts to any other user

Devel• Module used for development

• Should never be installed on production, ever…

• Allows users to view debugging information, including full database details of application content.

• Also allows for PHP code execution!

Password Hash Disclosure

Automated Hash Extraction

Cracking Drupal Hashes• Drupal 7!

#  john  d.hash  –wordlist=“rockyou.txt”  –salt=“TPcVtqQcs37Q69hDTViwiFiHqUV41tyAd3LnnjmNrbA”  –format=“drupal7”  

• Drupal 6!

#  john  d.hash  –wordlist=“rockyou.txt”  

        OR  

#  hashcat  -­‐m  -­‐0  -­‐a  0  -­‐o  d.txt  d.hash  rock.dict

Cracking WordPress & Joomla Hashes

• WordPress!

  #  hashcat  -­‐m  400  -­‐a  0  -­‐o  wp.txt  wp.hash  rock.dict  

• Joomla!

  #  hashcat  -­‐m  11  -­‐a  0  -­‐o  j.txt  j.hash  rock.dict

PHP Code Execution

I <3 Shells

< DEMO >

Closing Thoughts…• Do your research to better understand your organizational

architecture, servers, applications, log data, etc.

• Pen Test your applications, don’t just scan…

• Update early and often!

• Embed security with development from the beginning.

• Download scripts to augment the penetration testing process of Drupal applications:

• https://github.com/gfoss/attacking-drupal/

Thank You!

Questions?!

https://github.com/gfoss/attacking-drupal/ !

Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEHSenior Security Research Engineer

greg.foss[at]LogRhythm.com @heinzarelli