AppSec USA 2014

Denver, Colorado

CMS Hacking 101

Hacking and Securing Popular Open Source Content Management Systems

Greg Foss• Senior Security Research Engineer

• Web Developer => Penetration Tester => Researcher

Introduction

Content Management Systems

Image: http://www.emerce.nl/content/uploads/2012/10/Monkey-Barcode-Scanner-88205.jpg

Drupal - [domain.com] inurl:changelog.txt

Joomla - [domain.com] inurl:htaccess.txt

WordPress - [domain.com] inurl:readme.html

Targeted Scanning - Joomla

http://sourceforge.net/projects/joomscan/

Targeted Scanning - WordPress

http://wpscan.org/

• https://code.google.com/p/cms-explorer/ # perl cms-explorer.pl --url http://some.cms.org/ --type [CMS] --osvdb

• http://blindelephant.sourceforge.net/ # python BlindElephant.py http://some.cms.org/ [CMS]

Intelligent Fingerprinting

Image: http://is1103.com/2013/10-October/source.png

GitHub Advanced Queries

http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html

Scrape Internal GitHub Deployment

Joomla – [docroot]/configuration.php

WordPress – [docroot]/wp-config.php

• MySQL Creds

• Drupal Hash Salt

Drupal [docroot]/sites/default/settings.php

Remediation

• Already have server access?• Drush available?• Create a one-time link to log in as an admin…

• $ cd [drupal directory]

• $ drush uli

Gaining Admin Access to Drupal…

Joomla – Password Reset Abuse

WordPress – Password Reset Abuse

Drupal – Password Reset Abuse

• Not seen as a vuln by the Drupal Security Team

• Iterate through accounts

• View comments, posts, etc.

• Social features, forums, etc.

Drupal User Enumeration

Automation

Image: http://security-is-just-an-illusion.blogspot.com/2013/11/wordlistpasword

list-for-dictionary.html

Drupal - Single Account…

All the Accounts!

• Brute Forcing w/ Burp works against WordPress too!

• Will not work against Joomla…– Joomla integrates a unique form token per login

request, which is actually verified at the server (unlike Drupal’s form token)

– Brute forcing can be scripted but will be slow…

Joomla & WordPress

• New Security Controls in Drupal 7…• Even better in Drupal 8!

Uh Oh…

Change it up!

Just Be Careful…

‘Mitigation’

Configure Appropriately

Image: http://blog.codinghorror.com/content/images/uploads/2012/02/6a0120

a85dcdae970b016301e98de2970d-800wi.png

Session Handling

Missing Updates?

• Drupal

• WordPress

• Joomla

• Drupal:– http://lists.drupal.org/mailman/listinfo/security-news – https://drupal.org/security/rss.xml

• Joomla!:– http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions– https://watchful.li/features/

• WordPress:– https://wordpress.org/plugins/wp-updates-notifier/– http://codex.wordpress.org/Mailing_Lists#Announcements

Update Notifications

• Watchdog – Drupal’s built in logging, captures data within the ‘Watchdog’ database table.

• Syslog – Export Drupal’s logs to the Linux syslog. Creates a flat file that is easy to monitor.

Drupal Application Logging

Nothing built in… Need to use a plugin which stores logs to a database tablehttps://wordpress.org/plugins/wp-security-audit-log/

WordPress Application Logging

• Must be configured manually within Joomla’s configuration and is not enabled by default.

• Flat file logging can be set up using Jlog

• http://developer.joomla.org/manual/ch02s05s03.html

Joomla Application Logging

Authorization

Image: http://blog.codinghorror.com/content/images/uploads/2012/02/6a0120a85dcdae970b016301e98de2970d-800wi.png

Persistent XSS

Reflected XSS

Unrestricted File Uploads

• Uploading and executing PHP code has been ‘fixed’ in recent versions of Drupal as of November 2013

• https://drupal.org/SA-CORE-2013-003 • Code execution prevention (Files

directory .htaccess for Apache - Drupal 6 and 7)

• Not exactly… <evil> :-) </evil>

Drupal File Upload Vuln Fixed?

• Modules that assist with the active development of a Drupal application.

• Excellent for Development• Remove prior to Test / Staging– Never leave installed on Production applications

• Picking on…– Devel — https://drupal.org/project/devel

Development Modules

• Module used for development• Should never be installed on production,

ever…• Allows users to view debugging information,

including full database details of application content.

• Also allows for PHP code execution!

Devel

Password Hash Disclosure

Automated Hash Extraction

• WordPress# hashcat -m 400 -a 0 -o wp.txt wphash.txt rock.dict

• Joomla# hashcat -m 11 -a 0 -o joomla.txt jhash.txt rock.dict

Cracking WordPress & Joomla Hashes

• Drupal 7# john dhash.txt --wordlist=“rockyou.txt” --salt=“ ” --format=“drupal7”

• Drupal 6# john dhash.txt --wordlist=“rockyou.txt”

OR# hashcat –m 0 -a 0 -o drupal.txt dhash.txt rock.dict

Cracking Drupal Hashes

PHP Code Execution

I <3 Shells…

Demonstration

Image: http://fc01.deviantart.net/fs71/i/2014/040/2/3/_outdated__move_to_eqj__pony_avatar_creator_demo_by_lexuzieel-d4vx715.png

• Pen Test your applications, don’t just scan…• Update early and often!• Leverage assistance from external entities• Embed security with development from the

beginning.• Download scripts to augment the penetration

testing process of Drupal applications:– https://github.com/gfoss/attacking-drupal/

Closing Thoughts

• Target: XXX.XXX.XXX.XXX

Hands On Exercise Time!

Questions?https://github.com/gfoss/attacking-drupal/ Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH

Senior Security Research Engineergreg.foss[at]LogRhythm.com

@heinzarelli

Thank You!