Time Spent: 12 hours
This penetration test was done against my local WordPress server from Kali Linux (Debian 9). This assignment was done for educational purposes only.
The first step for me was to make sure I had a correct and stable version of Docker and docker-compose.
I found 3 active vulnerabilities with the following plugins installed:
- contact-form-7
  - Version: 5.3
- reflex-gallery
  - Version: 3.1.3
It was interesting to see how the communication between wpscan and my WordPress server was captured in my server log.
1- Contact Form 7 < 5.3.2 - Unrestricted File Upload
This vulnerability allows an attacker to create and upload a file whose filename contains double extensions separated by a non-printable or special character.
- Proof of Concept: The plugin does not check for empty spaces, so even when the required attachment type is .png or .jpg, an extra extension can simply be added to the exploit.php filename.
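As an added illustration (not part of this assignment's write-up or the plugin's own code), the following Python models the flawed check next to a hardened filename validator; the image allowlist, the script-extension denylist and the sample names are all constructed for the demo. It shows why a check that only reads the text after the last dot accepts the double-extension names described above, while a validator that rejects non-printable characters and whitespace and inspects every extension segment does not.

```python
import re
import unicodedata

# Constructed lists for the demo; a real deployment would take these from config.
ALLOWED_IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                     "asp", "aspx", "jsp", "cgi", "pl", "py", "sh"}


def naive_check(filename: str) -> bool:
    """The weak pattern: trust whatever follows the last dot.

    'exploit.php<TAB>.png' or 'exploit.php .png' ends in 'png', so this
    accepts it even though an earlier segment is 'php'.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_IMAGE_EXTENSIONS


def hardened_check(filename: str) -> bool:
    """Reject (never 'clean') anything that is not a plain image name."""
    # Control / non-printable characters (Unicode category C*) are rejected outright.
    if any(unicodedata.category(ch).startswith("C") for ch in filename):
        return False
    # Any whitespace (space, tab, NBSP) is rejected rather than trimmed.
    if re.search(r"\s", filename):
        return False
    parts = filename.lower().split(".")
    # Require a base name plus at least one extension, with no empty segment ('a..png').
    if len(parts) < 2 or any(part == "" for part in parts):
        return False
    # Every extension segment is checked, not only the last one.
    if any(part in SCRIPT_EXTENSIONS for part in parts[1:]):
        return False
    return parts[-1] in ALLOWED_IMAGE_EXTENSIONS


def audit(filenames):
    """Names the naive check lets through but the hardened check blocks."""
    return [n for n in filenames if naive_check(n) and not hardened_check(n)]


if __name__ == "__main__":
    # Constructed sample names following the double-extension pattern described above.
    samples = ["holiday.png", "exploit.php\t.png", "exploit.php .png", "exploit.php.png"]
    for name in samples:
        print(repr(name), "naive:", naive_check(name), "hardened:", hardened_check(name))
```

Rejecting the upload is preferable to renaming it, since a rename routine is just one more filter to slip past; storing uploads outside the web root with a server-side generated name removes the filename from the trust decision entirely.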
2- Reflex Gallery <= 3.1.3 - Arbitrary File Upload
This vulnerability was exploited with msfconsole by searching its database for the matching exploit module.
A simple ls command now shows all the pictures I uploaded along with the other folders on my WordPress server.
Now that we have access to the files, we can also delete them with rm.
3- Reflex Gallery - jQuery prettyPhoto DOM Cross-Site Scripting (XSS)
Since I already had open access to upload and delete files and folders from the meterpreter command line, I used some basic vim commands to edit and deploy more malicious commands. I edited the new user folder, adding an XSS command and adding new users to the list. Ultimately, by doing this I can edit any folder and delete or add more XSS commands and files.