Saturday, February 18, 2017

Wordpress Config as homepage

@wavellan posted a spam and phishing url.

hxxp://enerjietudu[.]com/

Interesting if you browse to the homepage you get returned the wp-config.php file



Full contents here

And like every good wp-config.php file it contains information such as

define('DB_NAME', 'enerjik3460');
define('DB_USER', 'enerjik34');
define('DB_PASSWORD', 'energy34');
define('DB_HOST', '94.73.144.196');


And all the encryption deets

define('AUTH_KEY', ...
define('SECURE_AUTH_KEY',
define('LOGGED_IN_KEY',
define('NONCE_KEY',
define('AUTH_SALT',
define('SECURE_AUTH_SALT',
define('LOGGED_IN_SALT',
define('NONCE_SALT', ...


All the comments are in Turkish per google translate.

The bottom has an error showing the full path we are sitting in

Fatal error: Call to undefined function wp() in /home/enerjietudu.com/httpdocs/wp-blog-header.php on line 22

I notice that no matter which page I go to (wp-admin/admin.php, etc.) the wp-config.php contents show and an error is thrown.

If I had to guess I think somebody hacked this wordpress site by finding a vulnerability in the wordpress blog header, they found some vulnerability that outputs the content of a file, and so of course they chose the wp-config.php file, and now it's being displayed in the header of every page you navigate to. Then they used that output to login and take control of the database and then were able to use the database to write files to the www root folder and use it in phishing campaigns.

I don't claim to know everything, I'm just guessing. Anybody want to explain what really happened? Thanks!

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1 comment: