Project 7 - WordPress Pentesting

Time spent: 7 hours in total

Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress

Pentesting Report

  1. Vulnerability Name or ID: Authenticated Stored Cross-Site Scripting
  • Summary: Cross-site scripting vulnerability in the text editor box in pages and writing/editing posts.
    • Vulnerability types: XSS
    • Tested in version: 4.2.2
    • Fixed in version: 4.2.3
  • GIF Walkthrough: Video Walkthrough
  • Steps to recreate: In the post/page editor, a user logged in with the Contributor role or above (a Contributor's post, if approved blindly by an editor, would carry the payload) can type "]link" in Text editor mode, triggering the XSS.
  • Affected source code:
  2. Vulnerability Name or ID: User enumeration using wpscan
  • Summary: Because the error message displayed when a non-existent username is entered differs from the one displayed when an invalid password is entered for an existing user, wpscan is able to enumerate users, even those who have never posted, commented or contributed.
    • Vulnerability types: User enumeration
    • Tested in version: 4.2.2
    • Fixed in version: -
  • GIF Walkthrough: Video Walkthrough
  • Steps to recreate: Run "wpscan --url [INSERT_WORDPRESS_URL_NAME] --enumerate u" in Kali Linux.
  • Affected source code:
  3. Vulnerability Name or ID: Password Brute Force Attack
  • Summary: Using the rockyou.txt wordlist and wpscan, together with the user enumeration shown in number 2, the password of a particular username can be guessed by brute force because WordPress by default does not limit the number of login attempts.
    • Vulnerability types: Login Vulnerability
    • Tested in version: 4.2.2
    • Fixed in version: -
  • GIF Walkthrough: Video Walkthrough
  • Steps to recreate: Download the rockyou.txt dictionary file with "apt-get install wordlists". Run "wpscan --url [INSERT_WORDPRESS_URL_NAME] --enumerate u" in Kali Linux to enumerate users. Then run "wpscan --url [INSERT_WORDPRESS_URL_NAME] --wordlist [PATH_TO_ROCKYOU_DICTIONARY] --username [USERNAME_YOU_FOUND_FROM_USER_ENUMERATION]" in Kali Linux (the dictionary is usually at /usr/share/wordlists/rockyou.txt).
  • Affected source code:
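As an added defensive example (not part of this project and not WordPress core code), a must-use plugin that removes the error-message difference behind vulnerability 2 and adds the login-attempt limit whose absence enables vulnerability 3. The thresholds, the `lh_` names and the transient-based counter are assumptions; the hooks used (`wp_login_failed`, `authenticate`, `get_transient`/`set_transient`, `WP_Error`) are standard WordPress APIs.

```php
<?php
/*
Plugin Name: Login hardening (added example)
Description: Generic login error plus per-IP/username failure lockout. Place in wp-content/mu-plugins/.
*/

// Assumed thresholds: lock an IP/username pair for 15 minutes after 5 failures.
define( 'LH_MAX_FAILURES', 5 );
define( 'LH_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// Transient key scoped to the client IP and the attempted username (hypothetical helper).
function lh_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lh_fail_' . md5( $ip . '|' . strtolower( $username ) );
}

// Count every failed login; wp_login_failed fires for unknown users and wrong passwords alike,
// so the counter itself does not reveal whether the username exists.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lh_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LH_LOCKOUT_SECONDS ); // each failure refreshes the window
} );

// Priority 30 runs after core's username/password check (priority 20), so $user is either a
// WP_User or the WP_Error core produced.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) || empty( $password ) ) {
        return $user; // let core's "empty field" errors through unchanged
    }
    // Lockout applies whether or not the account exists, so it leaks nothing about usernames.
    if ( (int) get_transient( lh_key( $username ) ) >= LH_MAX_FAILURES ) {
        return new WP_Error( 'lh_locked', 'Too many failed login attempts. Try again later.' );
    }
    // Collapse the distinct "invalid username" / "incorrect password" results into one message.
    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( is_wp_error( $user ) && in_array( $user->get_error_code(), $revealing, true ) ) {
        return new WP_Error( 'lh_invalid', 'Invalid username or password.' );
    }
    return $user;
}, 30, 3 );
```

Keying the counter on IP and username confines the lockout to the offending client, so attempts spread across many source addresses still need detection at the web server or WAF layer as well.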

Assets

List any additional assets, such as scripts or files

Resources

GIFs created with LiceCap.

Notes

Docker was challenging to learn but pretty fun to use.

License

Copyright [2017] [Thant Htoo Zaw]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.