WordPress and Joomla are still the easiest targets to hack
Joomla and WordPress are going to be targeted much more often than others
According to the latest study, there are about 1.8 billion websites on the Internet. The number is fantastic: there are more of them than the population of India!
That would be fine, except that websites are precisely what is most often subjected to cyber-attacks.
Hackers are attracted by the scale: having hacked one platform, a cybercriminal instantly gets access to a multi-million database of users, where logins, passwords, mail, and other confidential information are stored.
The hacking of sites is followed by the sale of a database on black forums, blackmail, threats, and other sad consequences for users.
Today we will try to hack CMS sites (for example, WordPress and Joomla platforms) to see how serious the holes in the security system of many Internet resources are.
Well, let’s get started!
Disclaimer: We do not support hacking and other actions to steal and illegally use information about third parties! We are not responsible for illegal actions and possible harm caused to someone by our article.
How are sites hacked?
So, before attacking a site, you need to understand the principle of operation of each of the currently known platforms.
By structure, websites are divided into three large groups:
- CMS (Content Management System)
- self-written (made by hand in HTML, produced by a static generator such as Jekyll or assembled in a designer program such as Adobe Dreamweaver)
- made in online site builders (in other words, for example, a landing page without any database)
If we talk about the CMS platform, then homemade CMSs created for a specific site are less popular because this is disadvantageous for most users.
The fact is that only the most significant resources can afford to support their system; it’s not easy to justify the costs associated with this.
Most websites are based on ready-made engines. For example, many well-known sites run on the WordPress system (which we will try to hack).
From an attacker’s point of view, site engines are no different from other services. Their source code is usually publicly available, and any enthusiast can analyze it for bugs and vulnerabilities.
Websites on the CMS platform rarely fall victim to targeted attacks; more often, they are hacked en masse, which is much more effective.
Such hacking is automated and usually proceeds according to the following scheme: an attacker finds a vulnerability (on his own or with the help of utilities, which we will consider a little later).
Then the hacker makes an exploit (or uses a ready-made one) and writes a specialized bot. This bot searches for the specified hole on all sites in a row in the specified range and tries to exploit it.
It would seem that to protect against automatic attacks, you only need to keep the software up to date, but in reality, the CMS is overgrown with various additions and innovations. A penetration test has a slightly different task: to check a specific site for vulnerabilities. It’s what we will do today!
WhatWeb Linux tool
Before we attack a target, we need to collect information about it.
To do this, I suggest using the free WhatWeb utility. This tool provides detailed information about the victim’s CMS and the web tools it uses.
But before proceeding with the installation, let me give some helpful advice: run WhatWeb with the -a switch, followed by a value of 3 or 4.
The only difference between them is that in the second case, WhatWeb will also scan subdirectories. Keep in mind that both options set an aggressive polling method, and all the resulting requests end up in the server’s logs.
However, if you don’t have a VPN or don’t want to install the program, I know an alternative way: the online version of WhatWeb!
To scan a site, go to the main page of the utility, enter the site under investigation into the search field, and then click Start Scan.
The scan result will not keep you waiting long: you will immediately receive general information about the site, which will help with further penetration testing.
You can also download the full version of the scan results. To do this, click on the black button, as shown in my screenshot above.
Give it a try − it’s easy!
BuiltWith online tool
However, if you don’t want to become a hacker and all you need is to find out the name of the site’s CMS, try the free BuiltWith online utility.
All you have to do is enter the site into the search field and click Lookup:
We will get a rather informative result with general information about the site:
To find out the name of the CMS platform, scroll down to the Content Management System item:
As you can see, the site I’m testing runs on the WordPress system − like most other sites on the Internet.
It’s not surprising: over 60% of free CMS sites run on the WordPress engine.
Well, I propose to hack this particular platform to find out if it is that insecure!
Hacking CMS sites
How to install the WPScan on Windows?
To test WordPress for penetration, we need one magic scanner that can work wonders ─ WPScan. You may have heard of it before.
This tool can determine the version of the scanned object, brute-force the admin panel (it even has its built-in dictionary), look at vulnerable, open directories, determine installed plugins, and much, much more.
WPScan is available in Kali Linux by default; however, if you have Windows, don’t worry! I have compiled detailed instructions for you on how to install our magic scanner.
The first thing you need to do is install Ruby.
To do this, go to the webpage and select the installation file that matches the characteristics of your computer.
After that, run the downloaded file, select the installation directory and click Next.
Check the boxes next, as in the screenshot, and click Next.
The installation process will begin and will not take more than a few seconds.
After successful installation, a terminal will open in front of you, where you will be offered several options for installations 1,2,3.
Select all three and press Enter.
Ignore warnings − they do not have any critical significance for the installation process.
Now the fun will begin − the process of installing the scanner.
To do this, run PowerShell as administrator and enter the following command:
gem install wpscan
Next step ─ you need to update the WPScan database with information about WordPress plugins and themes:
wpscan --update --disable-tls-checks
If you have an update error, as in the screenshot, download the libcurl.dll that matches the characteristics of your computer from the official website.
In the bin folder of the downloaded archive, find the libcurl-x64.dll file, extract it and rename it to libcurl.dll.
This file needs to be moved to the bin folder of the installed Ruby; for example, I have this folder at C:\Ruby32\bin\.
Ready! You are gorgeous! It’s time to start hacking.
WordPress
To scan, we need to get a key (an API token). This can be done for free on the official website of the scanner.
To scan the site, enter the command:
wpscan --url https://(site) --random-user-agent --disable-tls-checks --api-token [code]
As you can see, the result is successful:
We are interested in the following details:
- WP version
- open directories
- suspicions of vulnerabilities
At the end of the output, a red exclamation mark marks lines that violate security rules.
The result exceeded all my expectations: the scanner discovered 20 vulnerabilities that can be used both to hack individual components of the database and to drain all available information in order to sell it or extort money.
When pentesting a site, you should pay special attention to identifying known vulnerabilities (CVEs), for example for the PHP version on which the CMS runs.
As a rule, one of the expected next steps for hackers in such a situation is to find ready-made Metasploit modules for WP and interact with them.
Also, the scanner showed us that the site uses several plugins at once:
I hasten to warn you that sometimes WPScan can report that not a single plugin is installed on the selected site.
It may be a false conclusion based on the limitations of the passive scan method. For more reliable detection of plugins, you need to use the aggressive search method:
wpscan --url http://[IP-address] --enumerate ap --plugins-detection aggressive
Keep in mind that the ap key will show all found plugins and vp − only vulnerable ones.
However, you need to be patient before getting results, as this procedure takes a decent amount of time. The speed will depend on the site’s distance, but it will take at least 30 minutes (even in the best case).
As you can see, in a few minutes, I received all the detailed information about the security holes of the WordPress site.
Now that I know all the system vulnerabilities and the plugins, which I can also test for vulnerabilities, many opportunities open up before me. For example, I can brute-force access to the admin area (as a rule, not all admins use complex passwords, hoping for luck).
The most valuable thing about the WPScan scanner is that it provides all the information you need about any site. It means that anyone who is more or less versed in pentest and Kali Linux tools can easily find out all the secrets of the system of this or that site.
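A defender's view of the aggressive plugin scan described above, as an added example that is not part of the original article: it flags clients that request many distinct plugin directories in a short time and mostly get 403/404 back. Because the scan is run with --random-user-agent, it keys on request behaviour rather than the User-Agent string. It assumes combined-format access logs and plugin probes under /wp-content/plugins/; the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: only ip, timestamp, request path and status are needed.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/?]+)/')

def find_plugin_enumeration(lines, min_slugs=20, window=timedelta(minutes=5),
                            min_miss_ratio=0.8):
    """Return {ip: (distinct_plugin_dirs, miss_ratio)} for enumerating clients."""
    hits = defaultdict(list)                      # ip -> [(time, slug, status)]
    for line in lines:
        m = LINE_RE.match(line)
        p = PLUGIN_RE.match(m['path']) if m else None
        if not p:
            continue                              # not a plugin-directory request
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        hits[m['ip']].append((ts, p.group(1).lower(), int(m['status'])))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding time window per client
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            slugs = {slug for _, slug, _ in win}
            ratio = sum(st in (403, 404) for _, _, st in win) / len(win)
            if len(slugs) >= min_slugs and ratio >= min_miss_ratio:
                if ip not in flagged or len(slugs) > flagged[ip][0]:
                    flagged[ip] = (len(slugs), round(ratio, 2))
    return flagged

def sample_log():
    """Constructed sample: one enumerating client and one ordinary visitor."""
    fmt = ('{ip} - - [10/Mar/2024:12:{m:02d}:{s:02d} +0000] '
           '"GET {path} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip='203.0.113.7', m=i // 60, s=i % 60,
                        path=f'/wp-content/plugins/example-plugin-{i}/readme.txt',
                        st=200 if i % 10 == 0 else 404) for i in range(40)]
    lines += [fmt.format(ip='198.51.100.4', m=0, s=i, path=path, st=200)
              for i, path in enumerate(['/', '/wp-content/plugins/contact-form/style.css',
                                        '/wp-content/plugins/gallery/app.js'])]
    return lines

if __name__ == '__main__':
    print(find_plugin_enumeration(sample_log()))
```

An ordinary visitor loads assets from the few plugins a site really has and gets 200s, so the distinct-directory count and the miss ratio together separate the two patterns.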
Joomla
I propose to consider another CMS site ─ this is Joomla. Yes, the platform is not popular enough compared to WordPress, but sometimes it is still used.
The Open Web Application Security Project created the JoomScan scanner for scanning sites on Joomla. JoomScan has not been updated for a while: the latest version, 0.0.7, was released in September 2018.
JoomScan is the same security scanner as WPScan, only more straightforward. JoomScan is also preinstalled in most distributions for information security professionals, and its full manual fits into a few lines.
The scanner also supports an aggressive method of scanning installed components using the command:
joomscan --url http://00.11.22.3/ --enumerate-components
Of the significant shortcomings, I can single out that the scanner cannot brute force the admin panel.
To perform such brute force, you need a tool that works with a chain of proxy servers, if only because Joomla sites use a plugin that stops brute force: when the number of failed authorization attempts reaches the specified number, it blocks the attacker’s IP address.
In general, I would recommend not to dwell on Joomla sites and focus on WordPress and the accompanying WPScan scanner. You will get more favorable results from scanning WordPress than Joomla (if only because JoomScan does not provide brute force).
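The lockout behaviour described above, seen from the defender's side, as an added example that is not code from Joomla or any of its plugins: a failure counter keyed only by IP address stops counting once attempts are spread across addresses, while a counter that also tracks the target account does not. The class, its parameters and the sample attempts are hypothetical and constructed for illustration.

```python
from collections import deque

class LoginThrottle:
    """Sliding-window failed-login counter keyed by client IP and, optionally, account."""
    def __init__(self, max_failures=5, window=300, per_account=True):
        self.max_failures = max_failures
        self.window = window                  # seconds
        self.per_account = per_account
        self.by_ip, self.by_user = {}, {}

    def _count(self, queue, now):
        while queue and now - queue[0] > self.window:
            queue.popleft()                   # forget failures older than the window
        return len(queue)

    def is_blocked(self, ip, user, now):
        if self._count(self.by_ip.get(ip, ()), now) >= self.max_failures:
            return True
        return (self.per_account and
                self._count(self.by_user.get(user, ()), now) >= self.max_failures)

    def record_failure(self, ip, user, now):
        self.by_ip.setdefault(ip, deque()).append(now)
        self.by_user.setdefault(user, deque()).append(now)

def replay(attempts, **options):
    """Replay (time, ip, user) failed logins; return how many reached the password check."""
    throttle = LoginThrottle(**options)
    checked = 0
    for now, ip, user in attempts:
        if throttle.is_blocked(ip, user, now):
            continue
        checked += 1
        throttle.record_failure(ip, user, now)
    return checked

def sample_attempts(rotate_ip):
    """Constructed input: 30 failed logins for 'admin', one per second."""
    return [(t, f'198.51.100.{t + 1}' if rotate_ip else '203.0.113.7', 'admin')
            for t in range(30)]

if __name__ == '__main__':
    print(replay(sample_attempts(False), per_account=False))  # single address, IP-only
    print(replay(sample_attempts(True), per_account=False))   # many addresses, IP-only
    print(replay(sample_attempts(True), per_account=True))    # many addresses, IP + account
```

Per-account throttling lets anyone lock a known username out, so in practice it is paired with a growing delay or a second factor rather than a hard block.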
How to safely scan the system?
Before starting the experiments, check that you have followed all the safety rules, namely:
- Enabled a VPN for pentesting in case you crawl sites using online utilities.
- Downloaded all the necessary installation files from the official sites (I have provided links to all the necessary components). Remember that suspicious links may contain malware or even be phishing.
- Didn’t report your plans to people you do not trust. Yes, of course, you can achieve great success in crawling and hacking sites, but it is not at all necessary for everyone you know to know: they may misunderstand you.
These simple guidelines will help make your experiments safer for you and those around you!
Conclusion
“If something does not hack, then you are choosing the wrong approach” − no doubt, these words became the motto of our today’s article.
We stood on the other side of the barricades for one day and disguised ourselves as hackers to show you how vulnerable CMS platforms are, which are now the most popular engine for hosting web pages.
Of course, we all need to join forces to ensure reliable data protection on the Internet.
Perhaps not now, but we will achieve an ideal system that no utility can hack.
Would you please write about the results of your experiments? Did you manage to access the sites using the utilities we described?
Stay optimistic!