
The Anatomy Of A Hack - WordCamp Sofia 2018


In this presentation we'll look into how a hack is executed. This presentation was given at WordCamp Sofia 2018.

Published in: Technology

  1. The Anatomy Of A Hack. Brecht Ryckaert
  2. Hi, I’m Brecht
  3. @brechtryckaert brechtryckaert.com press84.com
  4. Let’s talk about hacking.
  5. You’re not the target!
  6. Most hacks are automated.
     • Leaks in plugins or themes
     • Leaks in WordPress core
     • Leaks in server software
     • Bruteforcing using rainbow tables
     • …
  7. And that’s a good thing!
  8. Automated hacks are easier to stop
     • Updating a plugin, theme or core
     • Changing passwords
     • Updating your server stack
     • Adding a rule to your WAF
     • …
  9. How does it work?
  10. Types of attacks
  11. Attacks
     • SQL Injection
     • Brute Force
     • … (alas, many other types)
  12. SQL injection
     • Injecting data into the database
     • Usually caused by a lack of input validation in the code
  13. SQL injection
  14. Brute Force
     • A near endless stream of login attempts
     • Trying all kinds of username/password combos
  15. Brute Force
  16. Real-life examples
  17. Disclaimer: We’re not here to make fun of these leaks. We’re here to learn from them.
  18. Example 1
  19. Slider Revolution
     • Major leak back in 2014
     • LFI (Local File Inclusion)
     • Massive impact
  20. https://domain.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=/path/to/the/images/thisisanimage.jpg
  21. https://domain.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=/path/to/the/images/thisisanimage.jpg
  22. https://domain.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
  23. The hacker ascertains
     • Database connection settings
     • WP Salts
     • Basically full access and the means to decrypt all passwords of the users
  24. In the logs
     194.29.185.106 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 1082
     85.103.12.6 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 226
     91.229.229.201 - - [02/Sep/2014...] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 226
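As an added defender's example (not part of the talk), a small Python log scanner that parses access-log lines like those on slide 24, picks out revslider_show_image calls and flags img values that leave the images directory via `..`, including double-encoded variants; the sample log lines and IP addresses are constructed, and the 200-vs-403 status tells you whether the WAF actually stopped the request.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines modelled on the slide's log excerpt; IPs are
# documentation-range placeholders, the third line adds double encoding.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Sep/2014:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=/path/to/the/images/thisisanimage.jpg HTTP/1.1" 200 5120
192.0.2.11 - - [02/Sep/2014:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 1082
192.0.2.12 - - [02/Sep/2014:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252F..%252Fwp-config.php HTTP/1.1" 200 2231
192.0.2.13 - - [02/Sep/2014:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

# Common log format prefix: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg"}

def classify_img(img):
    """Return (verdict, decoded) where verdict is 'traversal', 'non-image' or 'ok'."""
    # parse_qs decoded once; decode twice more and normalise backslashes so
    # double-encoded or Windows-style separators do not slip past the check.
    decoded = unquote(unquote(img)).replace("\\", "/")
    if ".." in decoded.split("/"):
        return "traversal", decoded
    if posixpath.splitext(decoded)[1].lower() not in IMAGE_EXTS:
        return "non-image", decoded
    return "ok", decoded

def scan_log(text):
    """Return (ip, status, verdict, decoded_img) for suspicious revslider_show_image calls."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query)
        if (not url.path.endswith("/wp-admin/admin-ajax.php")
                or params.get("action", [""])[0] != "revslider_show_image"):
            continue
        for img in params.get("img", []):
            verdict, decoded = classify_img(img)
            if verdict != "ok":
                hits.append((m["ip"], m["status"], verdict, decoded))
    return hits

def served_count(hits):
    """Hits answered 2xx got past the WAF (the slide's 403s did not); treat those as incidents."""
    return sum(1 for _, status, _, _ in hits if status.startswith("2"))
```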
  25. Example 2
  26. GDPR Compliance
     • November 2018
     • Privilege Escalation Issue
     • No capability check upon “save_setting”
     • Abuse of “do_action()”
  27. In the logs
  28. Why my website?
  29. It’s nothing personal ;-)
  30. Dorks
     • Scriptkiddy’s best friend
     • Use Google to identify possible targets
  31. Remember Revslider?
  32. (image slide)
  33. (image slide)
  34. Specific Dorks
     • “Index of” +/wp-content/plugins/revslider
     • inurl /wp-content/plugins/revslider
  35. Results
     • Easily scraped and thrown into a list of possibly vulnerable domains
     • Subject to scripted abuse
  36. Preventing hacks
  37. For Developers
     • Sanitize input
     • Be aware of the functions and hooks you use
     • Do code reviews
  38. For Sysadmins
     • Mod_security
     • OWASP
     • OSSEC
     • Patchman
     • …
  39. For Users
     • Security plugin with WAF
     • Updates (!!!)
     • …
  40. Any questions?
  41. Thank you. Slides will be tweeted shortly on @brechtryckaert and published at https://www.brechtryckaert.com
