Drupal, WordPress, and Joomla are very popular Content Management Systems (CMS) that have been widely adopted by government agencies, major businesses, social networks, and more — underscoring why understanding how these systems work and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester’s perspective of CMS’ and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists- all of which are open-source and can be downloaded and implemented following the presentation.

1. CMS Hacking Tricks!
Owning Content Management Systems
!
!
Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH!
Senior Security Research Engineer | LogRhythm Labs

2. Just a Few Content Management Systems

3. Security?

4. Image: http://www.emerce.nl/content/uploads/2012/10/Monkey-Barcode-Scanner-88205.jpg

5. Drupal - https://site.com/CHANGELOG.txt

6. Drupal - https://site.com/CHANGELOG.txt

7. Joomla - https://site.com/htaccess.txt

8. WordPress - https://site.com/readme.html

9. WordPress - https://site.com/readme.html

10. WordPress - https://site.com/readme.html

11. Joomla - Targeted Scanning
http://sourceforge.net/projects/joomscan/

12. WordPress - Targeted Scanning
http://wpscan.org

13. Intelligent Fingerprinting
• https://code.google.com/p/cms-explorer/
#
perl
cms-­‐explorer.pl
-­‐-­‐url
http://some.cms.org
-­‐-­‐
type
[CMS]
-­‐-­‐osvdb
!
• http://blindelephant.sourceforge.net/
#
python
BlindElephant.py
http://some.cms.org
[CMS]

14. Image: http://is1103.com/2013/10-October/source.png

16. http://blog.conviso.com.br/2013/06/
github-hacking-for-fun-and-sensitive.html

17. Scrape Internal GitHub

18. Joomla
[docroot]/configuration.php

19. WordPress
[docroot]/wp-config.php

20. Drupal
[docroot]/sites/default/settings.php
MySQL Creds…
Drupal Hash Salt…

21. Remediation…

22. Gaining Admin Access to
Drupal
Already have server access?
!
Drush available?
!
Create a one-time link to log in as an admin…
!
$ cd [drupal directory]
$ drush uli

24. Joomla
Password Reset Abuse

25. WordPress
Password Reset Abuse

26. Drupal
Password Reset Abuse

27. Drupal
Password Reset Abuse

28. User Enumeration is EZ

30. Image: http://security-is-just-an-illusion.blogspot.com/2013/11/wordlistpaswordlist-for-dictionary.html

31. Single Account…

32. All the Accounts!

33. Joomla & WordPress
• Brute Forcing w/ Burp works against WordPress
too!
• Will not work against Joomla…
• Joomla integrates a unique form token per login
request, which is actually verified by the server
(unlike Drupal’s form token) :-P
• Brute forcing can be scripted but will be slow…

34. Uh Oh
New Security Controls in Drupal 7…
Even better in Drupal 8!

35. Change it up…

36. Just Be Careful…

37. ‘Mitigation’

38. Configure Appropriately

39. Session Handling
Image: http://blog.codinghorror.com/content/images/uploads/2012/02/6a0120a85dcdae970b016301e98de2970d-800wi.png

40. Missing Updates
• Drupal
!
!
• WordPress
!
• Joomla

41. Update Notifications
• Drupal!
• http://lists.drupal.org/mailman/listinfo/security-news
• https://drupal.org/security/rss.xml
• Joomla!
• http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
• https://watchful.li/features/
• WordPress!
• https://wordpress.org/plugins/wp-updates-notifier/
• http://codex.wordpress.org/Mailing_Lists#Announcements

42. Application Logging
• CMS logs should be captured and stored
outside of the database to ensure log integrity.
!
• SIEM – Security Information Event Management

43. Drupal
Application Logging
• Watchdog – Drupal’s built in logging, captures
data within the ‘Watchdog’ database table.
• Syslog – Export Drupal’s logs to the Linux
syslog. Creates a flat file that is easy to monitor.

44. WordPress
Application Logging
• Nothing built in… Need to use a plugin which
stores security logs to a database table
• https://wordpress.org/plugins/wp-security-audit-log/

45. Joomla
Application Logging
• Must be configured manually within Joomla’s
configuration and is not enabled by default.
!
• Flat file logging can be set up using JLog!
!
• http://developer.joomla.org/manual/
ch02s05s03.html

46. Authorization
• What are users
allowed to do within
comment fields?
!
• New filtered HTML
tags?
• Full HTML Enabled?
Image: http://musformation.com/pics/trust-but-verify.jpg

49. Unrestricted File Uploads

51. Drupal File Upload Vuln Fixed?
• Uploading and executing PHP code has been ‘fixed’
in recent versions of Drupal as of November 2013
• https://drupal.org/SA-CORE-2013-003
• Code execution prevention
• (Files directory .htaccess for Apache - Drupal 6
and 7)
• Not exactly… <evil> :-) </evil>
• Drupal 8 Fix? - https://www.drupal.org/node/1587270

52. Insecure WordPress Plugins
• TimThumb - Popular and common plugin!
• v 2.8.13 WebShot Remote Code Execution
• http://www.exploit-db.com/exploits/33851/

53. Insecure Joomla Extensions
• Quite a few… Most interesting is a SQLi in Core
• We’ll Look into this later…

54. Drupal Development
Modules
• Modules that assist with active development
• Remove prior to Test / Staging
• Never leave installed on Production applications
• Picking on…
• Devel — https://drupal.org/project/devel
• Masquerade – https://www.drupal.org/project/
masquerade

55. Drupal - Masquerade
• Allows you to change accounts to any other user

56. Devel
• Module used for development
• Should never be installed on production, ever…
• Allows users to view debugging information, including full
database details of application content.
• Also allows for PHP code execution!

57. Password Hash Disclosure

58. Automated Hash Extraction

60. Cracking Drupal Hashes
• Drupal 7!
#
john
d.hash
–wordlist=“rockyou.txt”
–
salt=“TPcVtqQcs37Q69hDTViwiFiHqUV41tyAd3LnnjmNrbA”
–
format=“drupal7”
• Drupal 6!
#
john
d.hash
–wordlist=“rockyou.txt”
OR
#
hashcat
-­‐m
-­‐0
-­‐a
0
-­‐o
d.txt
d.hash
rock.dict

62. Cracking WordPress &
Joomla Hashes
• WordPress!
#
hashcat
-­‐m
400
-­‐a
0
-­‐o
wp.txt
wp.hash
rock.dict
• Joomla!
#
hashcat
-­‐m
11
-­‐a
0
-­‐o
j.txt
j.hash
rock.dict

63. PHP Code Execution

64. I <3 Shells

65. < DEMO >

66. Closing Thoughts…
• Do your research to better understand your organizational
architecture, servers, applications, log data, etc.
• Pen Test your applications, don’t just scan…
• Update early and often!
• Embed security with development from the beginning.
• Download scripts to augment the penetration testing
process of Drupal applications:
• https://github.com/gfoss/attacking-drupal/

67. Thank You!
Questions?!
https://github.com/gfoss/attacking-drupal/ !
Greg Foss | OSCP, GPEN, GWAPT, GCIH, CEH
Senior Security Research Engineer
greg.foss[at]LogRhythm.com
@heinzarelli