E047-Forum Vulnerability Analysis and Utilization-Exploration of information collection and vulnerability scanning for WordPress forums

Task implementation:

Task environment description:

Server scenario: p9_kali-6 (username: root; password: toor)

Server scenario operating system: Kali Linux 192.168.32.178

Server scenario: p9_linux-7 (username: root; password: 123456)

Server scenario operating system: Linux 192.168.32.179

Network structure topology

Hands-on reproduction

Use the command firefox http://192.168.32.179 to open the target site and look at the copyright notice at the bottom of the page.

I discovered that the site is built with the well-known, simple WordPress forum software ("build a website in 5 minutes"), so I next tried to access the robots.txt file in the root path of the site. (Anyone who has written crawlers knows robots.txt: it tells crawlers which directories they are not allowed to fetch. More importantly for us, the robots.txt file very often reveals which CMS the site is running.)

You can see that the wp-xxxx directory names in the page content match our earlier guess.

Further scanning revealed that this forum has two users, root and test.

The nmap results yield relatively little useful information, so the next step is to collect more information about the WordPress forum itself.

One of the scanning tools already present in Kali is wpscan, a dedicated security vulnerability scanner for WordPress sites.

Next, we introduce the parameters of the wpscan scanning tool.

wpscan -u [wordpress url]
  -- By default, checks the site for commonly used plug-ins

wpscan -u [wordpress url] -e
  -- Comprehensive inspection of the site

wpscan -u [wordpress url]
  -- Scan the site for possible vulnerabilities

wpscan -u [wordpress url] --wordlist [dictionary path] --username [user to crack] --threads [number of threads]
  -- Brute-force the password of the given user (here root)

wpscan --update
  -- Update the vulnerability database

wpscan --force | -f
  -- Force the scan to run regardless of whether the target is detected as a WordPress forum or not

wpscan -u [wordpress url] --wordlist xxx.lst --threads 50
  -- Dictionary brute force against the passwords of the enumerated users, using 50 threads

wpscan -u [wordpress url] --wordlist xxx.lst --username admin
  -- Dictionary brute force against the password of the specified user admin only

wpscan -u [wordpress url] --enumerate p
  -- Enumerate installed plug-ins
     vp: only vulnerable plug-ins
     ap: all plug-ins (can take a long time)

wpscan -u [wordpress url] --enumerate t
  -- Enumerate installed themes
     vt: only vulnerable themes
     at: all themes (can take a long time)

wpscan -u [wordpress url] --enumerate u
  -- Enumerate users

Use the command wpscan -u http://172.16.1.21 -e at -e ap -e u to enumerate all WordPress themes, all plug-ins, and the users.

wpscan -u http://192.168.32.179 -e at -e ap -e u

According to the retrieved information, the WordPress version is 4.6.

Continuing the search, we found a directory traversal vulnerability at http://172.16.1.21/wp-content/uploads/ on the site:

I tried to open it and found that the administrator had not restricted access to the uploads directory of the site:

Further review found two links with directory traversal, and because the site has the Pie Register plug-in version 2.0.14 installed, an XSS cross-site scripting vulnerability can be exploited:

Finally, the two forum accounts are enumerated:

Run wpscan http://172.16.1.21 directly to scan the forum for vulnerabilities. According to the scan results, the target forum contains directory traversal and SQL injection vulnerabilities. A yellow exclamation mark marks information-disclosure level findings, and a red exclamation mark marks vulnerabilities with a higher threat level.

Checking the directory traversal addresses of the site one by one, we found a file named Process_Ajax.php in the /wp-content/plugins/ultimate-product-catalogue/funtions/Process directory, which confirms the high-risk SQL injection vulnerability reported in the earlier scan results.

The key code of the vulnerability follows:

Line 147:

global $subcategories_table_name;

// Load the WordPress core so that $wpdb is available to this AJAX handler
$Path = ABSPATH . 'wp-load.php';
include_once($Path);
global $wpdb;

// CatID is taken straight from the POST body and concatenated into the SQL string
$SubCategories = $wpdb->get_results("SELECT SubCategory_ID, SubCategory_Name FROM $subcategories_table_name WHERE Category_ID=" . $_POST['CatID']);

=========================================================

// $_POST['CatID']: $_POST holds the variable names and values sent by the HTTP POST method. The cause of this vulnerability is that the CatID parameter is neither escaped nor parameterised before being concatenated into the query, which lets a malicious user construct SQL statements and perform injection to obtain website information.

=========================================================
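For comparison, here is how the same handler could be hardened with the WordPress $wpdb->prepare() API, input validation and a nonce check. This is an added example written for this page, not the plugin's own code or its official fix; the hook name, function name and nonce field name are assumptions.

```php
<?php
// Added example (not the plugin's own code): a hardened version of the
// Process_Ajax.php query shown above. Hook, function and nonce names are assumed.
add_action( 'wp_ajax_upcp_get_subcategories', 'upcp_get_subcategories_safe' );
// Add the matching 'wp_ajax_nopriv_...' hook only if anonymous access is truly needed.

function upcp_get_subcategories_safe() {
    global $wpdb, $subcategories_table_name;

    // 1. Only accept requests that carry a valid nonce for this action,
    //    so the endpoint cannot be driven blindly from another origin.
    check_ajax_referer( 'upcp_get_subcategories', 'upcp_nonce' );

    // 2. Validate the input type before it gets anywhere near SQL.
    //    Category_ID is an integer column; reject anything else outright.
    if ( ! isset( $_POST['CatID'] ) || ! ctype_digit( (string) $_POST['CatID'] ) ) {
        wp_send_json_error( array( 'message' => 'Invalid CatID' ), 400 );
    }
    $cat_id = absint( $_POST['CatID'] );

    // 3. Parameterise the value with $wpdb->prepare(). The %d placeholder forces
    //    an integer, so attacker-controlled text can never change the query
    //    structure. The table name is not user input, but escaping it is free.
    $table = esc_sql( $subcategories_table_name );
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT SubCategory_ID, SubCategory_Name FROM {$table} WHERE Category_ID = %d",
            $cat_id
        )
    );

    // 4. Escape output on the way back to the browser as well, so a stored
    //    payload in a sub-category name cannot turn into XSS on the client.
    $out = array();
    foreach ( $rows as $row ) {
        $out[] = array(
            'id'   => (int) $row->SubCategory_ID,
            'name' => esc_html( $row->SubCategory_Name ),
        );
    }
    wp_send_json_success( $out );
}
```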

Register an account on the forum (username admin123, password 12345678) and use this account to log in.

Fill in the basic information to register.

Registration succeeds.

Go to http://172.16.1.21/index.php/login and log in with the account you just registered.

Then open the address http://172.16.1.21/wp-admin/admin-ajax.php. This link is suspected to contain the SQL injection point; try to inject it manually using the Firefox browser:

When the experiment is over, shut down the virtual machine.
