
WordPress through the bad guys’ glasses


Slides from the #wceu session

Published in: Technology


  1. WordPress through bad guys' glasses: Vláďa Smitka (vladimir.smitka@lynt.cz, @smitka), Lynt services s.r.o., https://lynt.cz + https://smitka.me, 22.06.2019
  2. No security HTTP headers!
  4. /home/XYZ/public_html/ /var/www/clients/clientX/webY /var/www/vhosts/XYZ/httpdocs/
  7. MD5 of e-mail; password stuffing (https://leakprobe.net/, https://spycloud.com); phishing
  8. 2FA, password manager. Shortlink: ohno.fun
  10. More than 45k comments with e-mails: http://wordpressexpose.chrisgherbert.com/
  11. What to do with thousands of e-mails? Sell them on the BlackMarket!
      Commodity: common BlackMarket price
      WordPress account: 1$
      Facebook account: 3-6$
      E-mail account: 1-4$
      NetFlix account: 6-8$
      Booking/AirBnB account: 3-6$
      Tested credit card: 10% of limit
      Credit/Debit, numbers only: 5-40$
      PayPal account: 250$
      100k national e-mail addresses: 3$
      100k European e-mail addresses: 1$
      Quality scan of ID/driver's license: 20$
      Photo of ID/driver's license (1 side): 0.5$
  12. Developers ❤️ git
      • Developers hate configuring servers
      • Unrestricted .git folder => source files reconstruction => wp-config.php
      • /.git/logs/HEAD => developer's e-mail
      • Fun fact: VCS disables WP autoupdates
  14. Other config issues • Directory listings
  15. Forgotten DB endpoints • Old phpMyAdmin/Adminer => external MySQL server => LOAD DATA LOCAL INFILE => access to any file => wp-config.php
  16. Let's make it a little bit personal
  17. Julia's e-mail; leaked passwords; Julia's personal blog about her cat
  18. EXIF metadata
  22. Thank you! Be careful what you share on the internet! Q&A: https://smitka.me
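Slide 12's point about unrestricted .git folders, as an added defender-side check (not the speaker's code): walk a WordPress docroot, flag VCS metadata directories the web server would serve unless explicitly denied, and show which committer e-mails the reflog would hand out. The sample tree, names and e-mail are constructed; the VCS directory list is the one WordPress's automatic updater checks.

```python
import os
import re
import tempfile
from pathlib import Path

# Directories WordPress's automatic updater treats as a VCS checkout: it checks
# the install directory and its ancestors and skips core updates if one exists.
VCS_DIRS = (".svn", ".git", ".hg", ".bzr")

# git reflog line: <old-sha> <new-sha> <Name> <email> <epoch> <tz>\t<message>
REFLOG_EMAIL = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def reflog_emails(head_log: Path) -> list:
    """Committer e-mails that a web-served .git/logs/HEAD would disclose."""
    if not head_log.is_file():
        return []
    text = head_log.read_text(errors="replace")
    return sorted({m.group(1) for m in REFLOG_EMAIL.finditer(text)})


def audit_docroot(docroot: str) -> list:
    """Walk a web root and report VCS metadata directories, which the web
    server will serve unless explicitly denied, plus what their reflog leaks."""
    root_dir = Path(docroot).resolve()
    findings = []
    for current, dirs, _files in os.walk(root_dir):
        for name in [d for d in dirs if d in VCS_DIRS]:
            vcs_path = Path(current) / name
            findings.append({
                "path": str(vcs_path.relative_to(root_dir)),
                "vcs": name,
                # at the install root the checkout also disables core autoupdates;
                # inside wp-content it only affects that plugin or theme
                "at_install_root": vcs_path.parent == root_dir,
                "leaked_emails": reflog_emails(vcs_path / "logs" / "HEAD"),
            })
            dirs.remove(name)  # no need to descend into the metadata itself
    return findings


def build_sample_docroot() -> str:
    """Constructed sample (not real data): a WordPress root deployed via git clone."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-config.php").write_text("<?php // constructed placeholder\n")
    head_log = root / ".git" / "logs" / "HEAD"
    head_log.parent.mkdir(parents=True)
    head_log.write_text("0" * 40 + " " + "a" * 40
                        + " Dev Name <dev@example.invalid> 1561190400 +0200\tcommit (initial): deploy\n")
    return str(root)
```

Run `audit_docroot("/path/to/your/docroot")` against a real deployment; any finding means the metadata must be denied in the web server config and, if it sits at the install root, that WordPress will not auto-update core.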
