Exercise 5: Exploiting Directory Traversal Vulnerability in WordPress Application
Scenario
Directory traversal allows attackers to access restricted directories, including application source code, configuration, and critical system files, and to execute commands outside the web server's root directory. Attackers usually manipulate variables that reference files with "dot-dot-slash (../)" sequences and their variations to reach these restricted directories.
As a penetration tester, you need to know how to identify a directory traversal vulnerability and test it to gain access to sensitive information.
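The usual fix for the weakness described above is path containment, not filtering of "../" strings. The following Python is an added example and is not code from the lab or from the ebook-download plugin: the directory layout, the file names and the resolve_download() function are constructed for illustration. It resolves the requested name against a fixed base directory and refuses anything that lands outside it, which also covers URL-encoded, double-encoded and backslash spellings of the traversal sequence.

```python
"""Path-containment check for a user-supplied download name (added example).

Assumptions: a fixed base directory holds the downloadable files; the
directory layout, file names and resolve_download() are constructed for
illustration and are not the plugin's own code.
"""
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e collapse to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_download(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute file path to serve, or None if the request must be refused.

    The decisive test is that the resolved path stays inside base_dir; no
    denylist of '../' spellings is needed, because realpath() collapses
    '..' segments after decoding.
    """
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:
        return None  # NUL bytes truncate paths in some runtimes
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # commonpath avoids the prefix trick where '/srv/books2' starts with '/srv/books'
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo() -> Dict[str, bool]:
    """Build a throwaway layout modelled on the lab's plugin path (constructed)
    and report, per probe, whether the request would be served."""
    root = tempfile.mkdtemp()
    books = os.path.join(root, "wp-content", "plugins", "ebook-download", "books")
    os.makedirs(books)
    with open(os.path.join(books, "guide.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php // constructed placeholder, no real secrets\n")
    probes = [
        "guide.pdf",                          # legitimate request
        "../../../../wp-config.php",          # plain traversal to the config
        "..%2F..%2F..%2F..%2Fwp-config.php",  # single URL-encoded slashes
        "%252e%252e%252fwp-config.php",       # double-encoded dots
        "..\\..\\..\\..\\wp-config.php",      # backslash separators
        "guide.pdf%00.txt",                   # NUL-byte truncation attempt
    ]
    return {p: resolve_download(books, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {probe}")
```

Only the plain file name is served; every traversal spelling is refused by the same containment test, which is why the check does not need to enumerate encodings.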
In this lab, you will learn how to:
i. Enumerate WordPress plugins using wpscan
ii. Identify vulnerabilities using SearchSploit
iii. Exploit the vulnerability to download sensitive files
Lab Duration: 20 Minutes
- Click Kali Linux (External Network).
If Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
- Type root in the Username field and click Next.
- Type toor in the password field and click Sign In.
- In this lab, we are going to perform penetration testing on a WordPress website with the URL http://172.19.19.18/wordpress.
Since we do not have any information regarding the website, let us use wpscan to extract the WordPress plugin details, hoping there is a vulnerability that allows us to gain access to its contents.
- Launch a command line terminal, type wpscan --url http://172.19.19.18/wordpress --enumerate p and press Enter.
A notification appears asking you to update wpscan. Type N and press Enter to skip the update.
This begins plugin enumeration on the WordPress website.
- WPScan enumerates the plugins and displays them as shown in the screenshot below.
In this lab, we will be focusing on the ebook-download plugin.
- Now, we shall search for publicly available exploits for the ebook-download plugin.
Type searchsploit ebook download 1.1 and press Enter.
- Searchsploit returns a result related to ebook-download as shown in the screenshot below.
The vulnerability discovered is directory traversal and the exploit ID is 39575.
- We shall now copy the exploit to the root directory. To copy, type searchsploit -m 39575 and press Enter.
A copy of the exploit is stored in the root directory as shown in the screenshot below.
- Type cat 39575.txt and press Enter to view the proof of concept written in the exploit text file.
- It is observed that the directory traversal vulnerability is present in filedownload.php.
We shall now use this URL to download the wp-config.php file.
- Since the URL of the WordPress site is http://172.19.19.18/wordpress, the directory traversal URL we are going to enter in this lab is http://172.19.19.18/wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php.
So, launch Firefox web browser, type http://172.19.19.18/wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php and press Enter.
- An Opening wp-config.php dialog box appears; click Save File.
- A window appears displaying the root directory. Click the Save button.
This downloads the config file to the root directory.
- You will observe the downloaded wp-config.php file in the root directory as shown in the screenshot below, confirming that the directory traversal vulnerability has been successfully exploited.
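The requests this exercise generates are straightforward to spot on the server side. The following Python is an added example, not part of the lab: it parses constructed Apache-style access log lines (IPs, timestamps and sizes are placeholders; the endpoint path is the one used above), decodes each query parameter and flags any whose path segments contain "..", then counts, per source, the flagged requests that received a 200 and therefore most likely returned the file.

```python
"""Flagging traversal attempts against a download endpoint in access logs (added example).

The log lines are constructed to resemble the Apache combined format;
the parsing and scoring code is not part of the lab.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one legitimate download, three traversal attempts in
# different encodings from the same source, one unrelated page view.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=guide.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3210
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3210
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 215
10.0.0.7 - - [01/Jan/2024:10:00:20 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 8800
"""


def normalize(value: str) -> str:
    """parse_qs() already decoded once; two more rounds collapse double and
    triple encoding. Backslashes count as separators since some servers accept them."""
    return unquote(unquote(value)).replace("\\", "/")


def has_traversal(normalized: str) -> bool:
    """True if any path segment of the normalized value is '..'."""
    return ".." in normalized.split("/")


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """Parse each line and report query parameters carrying '..' segments."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        parts = urlsplit(m["target"])
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                decoded = normalize(value)
                if has_traversal(decoded):
                    hits.append({
                        "ip": m["ip"], "status": m["status"], "path": parts.path,
                        "param": name, "decoded": decoded,
                    })
    return hits


def served_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Per source IP, count flagged requests that got a 200: the server most
    likely returned the file, so these are the ones to triage first."""
    counts: Dict[str, int] = {}
    for h in hits:
        if h["status"] == "200":
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['status']} {h['path']} {h['param']}={h['decoded']}")
    print("served:", served_by_source(found))
```

Matching on decoded path segments rather than on the literal string "../" is what lets the single-encoded and double-encoded attempts surface alongside the plain one; the 404 on the last attempt still counts as a probe worth recording even though nothing was returned.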
In this lab, you have learned how to:
i. Enumerate WordPress plugins using wpscan
ii. Identify vulnerabilities using SearchSploit
iii. Exploit the vulnerability to download sensitive files