Wednesday, July 31, 2013

For educational purposes only! I will not take responsibility for you!


I had kept this topic on hold for a long time, since it was planned as the last of the recent series of posts on exploiting WordPress. The technique is to replace the code of a theme file with that of a PHP shell, and it applies only after the login has already been obtained, for example by brute-forcing the WordPress login or by some symlink bypass technique on a vulnerable server; in other words, only after the attacker has successfully logged into the victim's dashboard. Note that the Appearance → Editor menu is only offered to an account with the edit_themes capability (an administrator by default), so a cracked subscriber or editor account is not enough for this route.


So let’s check out how exactly this is accomplished.


The attacker logs into the victim's dashboard, opens the Appearance menu in the left-hand sidebar and selects the 'Editor' submenu:


Clicking 'Editor' opens the currently active theme's 'style.css' for editing. In the list of theme files on the right, the attacker clicks 'comments.php':


Now 'comments.php' opens in the editor. The attacker deletes the file's current contents and pastes in his own shell code:



For the demo I entered a small piece of custom PHP; a real attacker pastes a full PHP shell instead. After saving the changes with 'Update File', open a browser and request the file directly, for example:


http://127.0.0.1/wordpress/wp-content/themes/assembler/comments.php



This requests 'comments.php' straight from the theme directory (here 'assembler' is the folder name of the active theme), so the web server executes the file and the malicious shell runs, which can then be taken as far as defacing the victim's website. Because the file is requested outside the WordPress bootstrap, anything in it that calls WordPress functions would fail; a self-contained shell does not, which is why the attacker replaces the whole file rather than appending to it.
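The defender's side of the technique above, as an added example that is not from the original post: a small Python audit script that checks whether wp-config.php turns off the built-in file editor with the real WordPress constant DISALLOW_FILE_EDIT, and scans every PHP file under wp-content/themes for the pattern a dropped shell relies on, an execution function fed from request data or from an obfuscated payload. The WordPress tree it inspects is constructed in a temporary directory for the demo; the theme name 'assembler' is taken from the URL above, and the shell contents and the wp-config.php lines are sample data.

```python
"""Audit a WordPress tree for the theme-editor shell technique.

Added example, not part of the original post. Two offline checks:
  1. does wp-config.php define DISALLOW_FILE_EDIT as true (hides the
     Appearance -> Editor menu and refuses theme-editor updates);
  2. does any PHP file under wp-content/themes call an execution
     function on request data or on a decoded/obfuscated payload.
The site tree used below is constructed sample data, not a real site.
"""
import os
import re
import tempfile

# Functions a PHP webshell almost always ends up calling.
EXEC_FUNCS = ("eval", "assert", "system", "exec", "shell_exec",
              "passthru", "popen", "proc_open")
EXEC_CALL = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)
# Superglobals an attacker controls from the request.
REQUEST_SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
# Decoders commonly wrapped around an encoded payload.
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
DISALLOW_EDIT = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)


def file_editor_disabled(wp_config_text: str) -> bool:
    """True only if an uncommented define('DISALLOW_FILE_EDIT', true) exists."""
    for line in wp_config_text.splitlines():
        code = line.strip()
        if code.startswith(("//", "#", "/*", "*")):
            continue  # a commented-out define does nothing
        if DISALLOW_EDIT.search(code):
            return True
    return False


def scan_php_source(text: str) -> list[str]:
    """Return one finding string per suspicious line of a PHP file.

    Per-line heuristics: an execution function on the same line as request
    data, or on the same line as a decoder call. Multi-line shells that
    stage the input in a variable first are not caught by this check.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = EXEC_CALL.search(line)
        if not hit:
            continue
        if REQUEST_SOURCE.search(line):
            findings.append(f"line {lineno}: {hit.group(1)}() called with request data")
        elif OBFUSCATION.search(line):
            findings.append(f"line {lineno}: {hit.group(1)}() on decoded/obfuscated payload")
    return findings


def scan_theme_dir(themes_root: str) -> dict[str, list[str]]:
    """Walk wp-content/themes and map each flagged PHP file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(themes_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_php_source(fh.read())
            if findings:
                rel = os.path.relpath(path, themes_root).replace(os.sep, "/")
                report[rel] = findings
    return report


def audit(root: str) -> dict:
    """Run both checks against a WordPress root directory."""
    with open(os.path.join(root, "wp-config.php"), encoding="utf-8") as fh:
        editor_off = file_editor_disabled(fh.read())
    findings = scan_theme_dir(os.path.join(root, "wp-content", "themes"))
    return {"editor_disabled": editor_off, "findings": findings}


def build_sample_site() -> str:
    """Construct a minimal WordPress-like tree (sample data for the demo)."""
    root = tempfile.mkdtemp(prefix="wp_demo_")
    theme = os.path.join(root, "wp-content", "themes", "assembler")
    os.makedirs(theme)
    files = {
        # the protective define is present but commented out, so it is inactive
        os.path.join(root, "wp-config.php"):
            "<?php\n// define('DISALLOW_FILE_EDIT', true);\ndefine('DB_NAME', 'wp');\n",
        os.path.join(theme, "style.css"): "/* Theme Name: Assembler */\n",
        os.path.join(theme, "header.php"):
            "<?php wp_head(); ?>\n<header><?php bloginfo('name'); ?></header>\n",
        # comments.php overwritten through Appearance -> Editor, as in the post
        os.path.join(theme, "comments.php"):
            "<?php\nif (isset($_GET['cmd'])) { system($_GET['cmd']); }\n",
        # an encoded variant dropped into another template
        os.path.join(theme, "footer.php"):
            "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n",
    }
    for path, text in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    result = audit(build_sample_site())
    print("DISALLOW_FILE_EDIT active:", result["editor_disabled"])
    for rel, reasons in result["findings"].items():
        print(rel)
        for reason in reasons:
            print("   ", reason)
```

Run it against a clean install first to confirm it reports nothing, then keep DISALLOW_FILE_EDIT set in wp-config.php: with it in place the Editor menu disappears and theme-editor.php refuses the update, which closes this route even for an attacker holding administrator credentials. The per-line regexes are heuristics, so treat a hit as a file to diff against the theme's pristine copy, not as proof of compromise on its own.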



You might also wonder: since the attacker is already logged into the victim's dashboard, what is the point of uploading a shell at all?


The answer is that the attacker is not satisfied with dashboard access alone. The theme editor only reaches the files of the installed themes, and the site's main 'index.php' in the WordPress root (as opposed to the index template that may or may not exist in the active theme) is outside its reach. A shell, on the other hand, runs with the web server's user on the filesystem, so the attacker uses it to locate that 'index.php' and, on finding it, overwrites it, leading to a complete defacement of the website. Whether the shell can actually write outside the theme directory depends on the file permissions granted to the web server's user.


That's it. I hope this was worth reading. You may have read several posts on the same topic, but this was my way of presenting it. Thank you all, and stay tuned!
