AppSec USA 2014 Denver, Colorado CMS Hacking 101 Hacking and Securing Popular Open Source Content...
AppSec USA 2014
Denver, Colorado
CMS Hacking 101
Hacking and Securing Popular Open Source Content Management Systems
Introduction
Greg Foss
• Senior Security Research Engineer
• Web Developer => Penetration Tester => Researcher
Content Management Systems
Image: http://www.emerce.nl/content/uploads/2012/10/Monkey-Barcode-Scanner-88205.jpg
Drupal - [domain.com] inurl:changelog.txt
Joomla - [domain.com] inurl:htaccess.txt
WordPress - [domain.com] inurl:readme.html
Targeted Scanning - Joomla
http://sourceforge.net/projects/joomscan/
Intelligent Fingerprinting
• https://code.google.com/p/cms-explorer/
  # perl cms-explorer.pl --url http://some.cms.org/ --type [CMS] --osvdb
• http://blindelephant.sourceforge.net/
  # python BlindElephant.py http://some.cms.org/ [CMS]
Image: http://is1103.com/2013/10-October/source.png
GitHub Advanced Queries
http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html
Scrape Internal GitHub Deployment
Joomla – [docroot]/configuration.php
WordPress – [docroot]/wp-config.php
Drupal – [docroot]/sites/default/settings.php
• MySQL Creds
• Drupal Hash Salt
Remediation
Gaining Admin Access to Drupal…
• Already have server access?
• Drush available?
• Create a one-time link to log in as an admin…
• $ cd [drupal directory]
• $ drush uli
Joomla – Password Reset Abuse
WordPress – Password Reset Abuse
Drupal – Password Reset Abuse
Drupal User Enumeration
• Not seen as a vuln by the Drupal Security Team
• Iterate through accounts
• View comments, posts, etc.
• Social features, forums, etc.
Automation
Image: http://security-is-just-an-illusion.blogspot.com/2013/11/wordlistpaswordlist-for-dictionary.html
Drupal - Single Account…
All the Accounts!
Joomla & WordPress
• Brute Forcing w/ Burp works against WordPress too!
• Will not work against Joomla…
  – Joomla integrates a unique form token per login request, which is actually verified at the server (unlike Drupal’s form token)
  – Brute forcing can be scripted but will be slow…
Uh Oh…
• New Security Controls in Drupal 7…
• Even better in Drupal 8!
Change it up!
Just Be Careful…
‘Mitigation’
Configure Appropriately
Session Handling
Image: http://blog.codinghorror.com/content/images/uploads/2012/02/6a0120a85dcdae970b016301e98de2970d-800wi.png
Missing Updates?
• Drupal
• WordPress
• Joomla
Update Notifications
• Drupal:
  – http://lists.drupal.org/mailman/listinfo/security-news
  – https://drupal.org/security/rss.xml
• Joomla!:
  – http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
  – https://watchful.li/features/
• WordPress:
  – https://wordpress.org/plugins/wp-updates-notifier/
  – http://codex.wordpress.org/Mailing_Lists#Announcements
Drupal Application Logging
• Watchdog – Drupal’s built-in logging; captures data within the ‘Watchdog’ database table.
• Syslog – Export Drupal’s logs to the Linux syslog. Creates a flat file that is easy to monitor.
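Added example (not from the talk or its attacking-drupal scripts): detection logic for the two brute-force patterns the “Automation” slides describe, run over constructed Drupal syslog lines of the kind the Syslog module exports. It assumes the Drupal 7 syslog module’s default line format and the “Login attempt failed for %user.” watchdog message; the thresholds and sample IPs are arbitrary.

```python
import re
from collections import defaultdict

# Assumed layout (the Drupal 7 syslog module's default format string, stated as an
# assumption): "<syslog prefix> drupal: " then
# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
FAILED = re.compile(r"^Login attempt failed for (?P<user>.+)\.$")

def parse_line(line):
    """Return (ts, type, ip, message) for a Drupal syslog line, else None."""
    _, sep, payload = line.partition("drupal: ")
    fields = payload.split("|")
    if not sep or len(fields) < 9 or not fields[1].isdigit():
        return None
    return int(fields[1]), fields[2], fields[3], fields[8]

def failed_logins(lines):
    """Sorted (ts, ip, account) triples for every failed-login watchdog event."""
    events = []
    for line in lines:
        rec = parse_line(line)
        m = FAILED.match(rec[3]) if rec and rec[1] == "user" else None
        if m:
            events.append((rec[0], rec[2], m.group("user")))
    return sorted(events)
def _burst(stamps, window, threshold):
    """True if `threshold` of the sorted timestamps fall inside one window."""
    start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False
def detect(lines, window=60, per_account=5, spray_accounts=3):
    """'single_account': one IP hammering one account (slide 'Drupal - Single
    Account'); 'spray': one IP across many accounts ('All the Accounts!')."""
    by_pair, by_ip = defaultdict(list), defaultdict(list)
    for ts, ip, user in failed_logins(lines):
        by_pair[(ip, user)].append(ts)
        by_ip[ip].append((ts, user))
    alerts = []
    for (ip, user), stamps in by_pair.items():
        if _burst(stamps, window, per_account):
            alerts.append(("single_account", ip, user, len(stamps)))
    for ip, evs in by_ip.items():
        for i, (t0, _) in enumerate(evs):
            hit = {u for t, u in evs[i:] if t - t0 <= window}
            if len(hit) >= spray_accounts:
                alerts.append(("spray", ip, "*", len(hit)))
                break
    return sorted(alerts)

def _line(ts, ip, msg):  # constructed sample line in the assumed layout
    return f"Sep 18 10:00:00 web1 drupal: http://example.test|{ts}|user|{ip}|/user/login|-|0||{msg}"
SAMPLE_LOG = (  # constructed: one single-account burst, one spray, benign noise
    [_line(1411034400 + 3 * i, "203.0.113.7", "Login attempt failed for admin.") for i in range(5)]
    + [_line(1411034410 + 2 * i, "198.51.100.9", f"Login attempt failed for {u}.") for i, u in enumerate(["alice", "bob", "carol"])]
    + [_line(1411034420, "192.0.2.5", "Login attempt failed for dave."), _line(1411034425, "192.0.2.5", "Session opened for dave.")]
)
```

`detect(SAMPLE_LOG)` flags the five failures against admin from one address and the three-account spread from the second address, while the single failure followed by a successful session is left alone.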
WordPress Application Logging
Nothing built in… Need to use a plugin which stores logs to a database table: https://wordpress.org/plugins/wp-security-audit-log/
Joomla Application Logging
• Must be configured manually within Joomla’s configuration and is not enabled by default.
• Flat file logging can be set up using JLog
• http://developer.joomla.org/manual/ch02s05s03.html
Authorization
Image: http://blog.codinghorror.com/content/images/uploads/2012/02/6a0120a85dcdae970b016301e98de2970d-800wi.png
Persistent XSS
Reflected XSS
Unrestricted File Uploads
Drupal File Upload Vuln Fixed?
• Uploading and executing PHP code has been ‘fixed’ in recent versions of Drupal as of November 2013
• https://drupal.org/SA-CORE-2013-003
• Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)
• Not exactly… <evil> :-) </evil>
Development Modules
• Modules that assist with the active development of a Drupal application.
• Excellent for Development
• Remove prior to Test / Staging
  – Never leave installed on Production applications
• Picking on…
  – Devel — https://drupal.org/project/devel
Devel
• Module used for development
• Should never be installed on production, ever…
• Allows users to view debugging information, including full database details of application content.
• Also allows for PHP code execution!
Password Hash Disclosure
Automated Hash Extraction
Cracking WordPress & Joomla Hashes
• WordPress
  # hashcat -m 400 -a 0 -o wp.txt wphash.txt rock.dict
• Joomla
  # hashcat -m 11 -a 0 -o joomla.txt jhash.txt rock.dict
Cracking Drupal Hashes
• Drupal 7
  # john dhash.txt --wordlist="rockyou.txt" --salt=" " --format="drupal7"
• Drupal 6
  # john dhash.txt --wordlist="rockyou.txt"
  OR
  # hashcat -m 0 -a 0 -o drupal.txt dhash.txt rock.dict
PHP Code Execution
I <3 Shells…
Demonstration
Image: http://fc01.deviantart.net/fs71/i/2014/040/2/3/_outdated__move_to_eqj__pony_avatar_creator_demo_by_lexuzieel-d4vx715.png
Closing Thoughts
• Pen Test your applications, don’t just scan…
• Update early and often!
• Leverage assistance from external entities
• Embed security with development from the beginning.
• Download scripts to augment the penetration testing process of Drupal applications:
  – https://github.com/gfoss/attacking-drupal/
Hands On Exercise Time!
• Target: XXX.XXX.XXX.XXX
Questions?
https://github.com/gfoss/attacking-drupal/
Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH
Senior Security Research Engineer
greg.foss[at]LogRhythm.com
@heinzarelli
Thank You!