Task implementation:
E047 - Forum Vulnerability Analysis and Exploitation - Exploring information collection and vulnerability scanning against WordPress forums
Task environment description:
Server scenario: p9_kali-6 (username: root; password: toor)
Server scenario operating system: Kali Linux 192.168.32.178
Server scenario: p9_linux-7 (username: root; password: 123456)
Server scenario operating system: Linux 192.168.32.179
Network structure topology
Hands-on reproduction
Use the command firefox http://192.168.32.179 to access the target site and view the copyright information at the bottom of the page.
I discovered that the site is built on WordPress, the well-known "build a website in 5 minutes" blog and forum software, so I then tried to access the robots.txt file in the root of the site. (We are familiar with robots.txt from writing crawlers: it tells crawlers which directories they are not allowed to fetch, and most of the time it also lets us determine the type of CMS.)
You can see that the wp-xxxx paths in the page content match our earlier guess about the site structure.
Further inspection of the scan results revealed that the forum has two users, root and test.
The nmap results contain relatively little useful information, so the next step is to collect more information about the WordPress forum itself.
One of the scanning tools shipped with Kali is wpscan, a dedicated security vulnerability scanner for WordPress sites. Its parameters are introduced below:

wpscan -u [wordpress url]                                    -- by default, detects commonly used plug-ins on the site
wpscan -u [wordpress url] -e                                 -- comprehensive inspection of the site
wpscan -u [wordpress url]                                    -- scan the site for possible vulnerabilities
wpscan -u [wordpress url] --wordlist [dictionary path] --username [user to crack] --threads [number of threads]
                                                             -- brute-force the root user's password
wpscan --update                                              -- update the vulnerability database
wpscan --force | -f                                          -- force the scan whether or not the target is detected as a WordPress forum
wpscan -u [wordpress url] --wordlist xxx.lst --threads 50    -- dictionary brute force against the enumerated users' passwords with 50 threads
wpscan -u [wordpress url] --wordlist xxx.lst --username admin
                                                             -- dictionary brute force against the password of the specified admin user only
wpscan -u [wordpress url] --enumerate p                      -- enumerate installed plug-ins
    vp  -- only vulnerable plug-ins
    ap  -- all plug-ins (can take a long time)
wpscan -u [wordpress url] --enumerate t                      -- enumerate installed themes
    vt  -- only vulnerable themes
    at  -- all themes (can take a long time)
wpscan -u [wordpress url] --enumerate u                      -- enumerate users
Use the command wpscan -u http://172.16.1.21 -e at -e ap -e u to enumerate all WordPress themes, all plug-ins, and the users.
wpscan -u http://192.168.32.179 -e at -e ap -e u
According to the retrieved information, the WordPress version is 4.6.
Continuing the search, we found that the site has directory traversal (directory listing is enabled) at http://172.16.1.21/wp-content/uploads/:
I tried to access it and found that the administrator had not restricted access to the uploads directory of the site:
Further review found that two links have directory traversal, and because the site has the Pie Register plug-in version 2.0.14 installed, an XSS (cross-site scripting) vulnerability can be exploited:
Finally, the two accounts of the forum are enumerated:
Directly use the command wpscan http://172.16.1.21 to scan the forum for vulnerabilities. According to the scan results, the target forum contains directory traversal and SQL injection vulnerabilities. A yellow exclamation mark marks information leakage, and a red exclamation mark marks a vulnerability with a higher threat level.
After checking the directory-traversal addresses of the site one by one, we found a file named Process_Ajax.php in the /wp-content/plugins/ultimate-product-catalogue/funtions/Process directory, which confirms the high-risk SQL injection vulnerability reported in the earlier scan results.
The following is the key code of the vulnerability:
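The version banner and the user list that wpscan recovered above are both signals the site itself emits. As an added example (not part of the original task or of any plugin it names), the following must-use plugin removes them; it assumes WordPress 4.6 or later and is saved as wp-content/mu-plugins/harden-enumeration.php.

```php
<?php
/*
 * Plugin Name: Reduce WordPress enumeration surface
 * Added example for this write-up, not code from the task or any plugin.
 * Assumes WordPress 4.6 or later (REST API present).
 */
defined('ABSPATH') || exit;

// 1. Version disclosure: stop emitting <meta name="generator" content="WordPress 4.6">
//    in the page head and in feeds. (wpscan also reads readme.html and asset
//    query strings, so this reduces, rather than removes, version leakage.)
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. User enumeration via /?author=N: by default WordPress redirects this to
//    /author/<login>/, which reveals the login name for each user ID.
add_action('init', function () {
    if (is_admin()) {
        return;
    }
    if (isset($_GET['author']) && preg_match('/^\d+$/', (string) $_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 3. User enumeration via the REST API: hide /wp-json/wp/v2/users from
//    visitors who are not logged in.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

// 4. Login form: one generic message, so a valid login name with a wrong
//    password cannot be told apart from an unknown login name.
add_filter('login_errors', function () {
    return 'Login failed. Check your username and password.';
});
```

The directory listing found on wp-content/uploads is a web-server setting rather than something a plugin controls; on Apache it is turned off with Options -Indexes in the virtual host or in an .htaccess file for that directory.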
Line 147:

    global $subcategories_table_name;
    $Path = ABSPATH . 'wp-load.php';
    include_once($Path);
    global $wpdb;
    $SubCategories = $wpdb->get_results("SELECT SubCategory_ID, SubCategory_Name FROM $subcategories_table_name WHERE Category_ID=" . $_POST['CatID']);

$_POST['CatID'] is the value of the CatID field sent by the client in the HTTP POST body. The cause of this vulnerability is that the CatID parameter is concatenated into the query without escaping or type checking, which allows a malicious user to supply SQL of their own and read information from the site's database.
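To make the defect concrete, here is the line-147 query as quoted above next to a hardened version that validates CatID and uses $wpdb->prepare(). This is an added example, not the plugin's own code; the upcp_* function names are assumptions made for illustration.

```php
<?php
/*
 * Added example, not the Ultimate Product Catalogue plugin's own code.
 * Both functions assume they run inside WordPress (wp-load.php already
 * included) with the plugin's $subcategories_table_name set.
 */

// Before: the CatID value is pasted straight into the SQL string, so any
// SQL text in the POST body (an extra condition, a UNION, a comment marker)
// becomes part of the query that the database executes.
function upcp_subcategories_vulnerable() {
    global $wpdb, $subcategories_table_name;
    return $wpdb->get_results(
        "SELECT SubCategory_ID, SubCategory_Name FROM $subcategories_table_name
         WHERE Category_ID=" . $_POST['CatID']
    );
}

// After: validate the parameter first, then let $wpdb->prepare() build the
// query. Category_ID is an integer column, so %d is the right placeholder;
// it casts the argument to int, so no SQL text can survive in it.
function upcp_subcategories_hardened() {
    global $wpdb, $subcategories_table_name;

    // Reject anything that is not a positive integer before it reaches SQL.
    $cat_id = isset($_POST['CatID']) ? absint($_POST['CatID']) : 0;
    if ($cat_id === 0) {
        // Sends {"success":false,...} with HTTP 400 and stops execution.
        wp_send_json_error(array('message' => 'invalid CatID'), 400);
    }

    // Only the table name is interpolated, and it comes from plugin code,
    // never from the request.
    $sql = $wpdb->prepare(
        "SELECT SubCategory_ID, SubCategory_Name FROM {$subcategories_table_name}
         WHERE Category_ID = %d",
        $cat_id
    );
    return $wpdb->get_results($sql);
}
```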
Register an account on the forum (username admin123, password 12345678) and use this account to log in.
Fill in some basic information to register.
Registration succeeded.
Go to http://172.16.1.21/index.php/login and log in with the account you just registered.
Then go to http://172.16.1.21/wp-admin/admin-ajax.php. There is presumably a SQL injection point at this link; try to inject it manually using the Firefox browser:
When the experiment is over, shut down the virtual machine.