Hacking WordPress Through Security Flaws
By Dan Morrill
Article Date: 2009-03-23
Bandit Defense has posted a new WordPress hack, but there are some things you need to know about it first. The biggest one is that it relies on poor security at the hosting company and on already knowing the admin password of the WordPress site you want to hack.
I will give Bandit Defense credit for posting something interesting and new when it comes to WordPress hacking. The process is simple and elegant, which is always a good thing in hacking. The problem is that it relies on a number of security flaws that may or may not be present in the target system, which makes it hard to pull off unless you already know things about the site, or the site is poorly secured.
In my previous post about the Semisecure Login WordPress plugin I mentioned that if an attacker gets a WordPress username and password for your website, it can be used to wreak havoc on the web server that hosts it. This post will show you exactly how to do that. It doesn't teach how to hack WordPress installs; that would be a very interesting thing to talk about, but I'm honestly not the most knowledgeable on the subject (any comments or emails to me about it would be greatly appreciated). Rather, this is what an attacker could do if they already have access to an account. Source: Bandit Defense
The first thing the hacker would need is the admin password for the WordPress installation. Usually the WordPress password people use is either the password generated when the account was created, or some nice dictionary word that is easy to brute force. I would not hesitate to guess that the majority of WordPress installations have one or the other. If it is the generated password, it is a mix of letters and numbers of varying length that will take time to brute force.
Bandit also brings up wp-config.php, which holds the credentials to the database along with the connection string (DB_HOST) that tells you where the database lives. If you want to go mucking about in the database, that is harder when the host is localhost and easier when it points to a separate database server that accepts connections from outside. Controlling the database directly makes it far easier to do interesting things with the person's site. WordPress provides incredibly good guidance on hardening a default installation, but my belief is that few people follow it; it is always easier to do the normal install and use WordPress the way it comes out of the box.
What is interesting, and what makes the approach unique, is the use of the C99 shell, a PHP file that gives you a web-based file browser and command execution on the web server. What Bandit is counting on to gain access to other web sites is that on a shared server the files of every site are readable by every other site's account. That is not an unusual situation on low-cost shared hosting, and it lets you tool around other people's web sites if the shared server's security configuration is very poor.
What sets the approach apart is that the C99 shell (Bandit recommends writing your own rather than using a known copy) sits in the wp-content/uploads directory when you are done. From there it can be requested over the web and used to run PHP, and through PHP shell commands, on the server.
The problem is that the attacker has to already have access to the WordPress installation in one form or another. If the installer did something really bad, like reuse the WordPress admin username and password for the database connection, then this approach starts to make sense. If not, it is easier to read wp-config.php, find out where the database is hosted, and use those credentials directly to do things to someone's WordPress installation.
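To make the wp-config.php points above concrete, here is an added example (my own illustration, not Bandit Defense's code or anything shipped with WordPress) that parses the define() lines an attacker would read from the file and flags the three conditions this post keeps coming back to: the file being world-readable on a shared host, DB_HOST pointing at a separate server, and the admin password being reused as the database password. The config contents, the hostname db01.example.internal, and the password value are all constructed for the demo.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample wp-config.php content for the demo (not from any real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_blog' );
define( 'DB_USER', 'wp_blog' );
define( 'DB_PASSWORD', 'hunter2' );
define( 'DB_HOST', 'db01.example.internal' );
$table_prefix = 'wp_';
"""

# Matches define('CONST', 'value') lines, the form real wp-config.php files use.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text):
    """Return the define()d constants as a dict: exactly what an attacker reads off the file."""
    return dict(DEFINE_RE.findall(text))


def db_host_is_remote(db_host):
    """True when DB_HOST points somewhere other than the local machine or a local socket."""
    host = db_host.strip().lower()
    if host in ('::1', '[::1]'):
        return False
    host = host.split(':', 1)[0]          # drop ':3306' or ':/path/to/mysql.sock'
    return host not in ('localhost', '127.0.0.1') and not host.startswith('/')


def world_readable(path):
    """On a shared host a world-readable wp-config.php is readable by every other customer's account."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def assess_wp_config(path, admin_password=None):
    """Parse wp-config.php at `path` and return (constants, list of finding tags)."""
    cfg = parse_wp_config(Path(path).read_text())
    findings = []
    if world_readable(path):
        findings.append('world-readable')
    if db_host_is_remote(cfg.get('DB_HOST', 'localhost')):
        findings.append('remote-db-host')
    # Only checkable if the caller already knows the WordPress admin password (the post's starting point).
    if admin_password is not None and admin_password == cfg.get('DB_PASSWORD'):
        findings.append('admin-password-reused-for-db')
    return cfg, findings


def demo():
    """Write the constructed config with the usual 0644 permissions and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, 'wp-config.php')
        Path(path).write_text(SAMPLE_WP_CONFIG)
        os.chmod(path, 0o644)
        cfg, findings = assess_wp_config(path, admin_password='hunter2')
    for key in ('DB_NAME', 'DB_USER', 'DB_HOST'):
        print(key, '=', cfg[key])
    print('findings:', findings)
    return cfg, findings


if __name__ == '__main__':
    demo()
```

Run it as a script and all three findings fire for the constructed file; on a real install, point assess_wp_config at the live wp-config.php and a clean result is an empty list. A 0600 mode on the file and a DB_HOST of localhost clear the first two findings.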
It is an interesting way of looking at WordPress, though this is not a "technique for everyone"; there are easier ways of accomplishing things that would be more devastating to the original WordPress installation. The cool part is that few if any have thought of dropping the C99 script into the uploads directory and using it to tool around the web site and, if the server is very poorly secured, all the other web sites on the shared server.
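The flip side of dropping a shell into wp-content/uploads is that the directory should never contain executable PHP at all, which makes it an easy place to check and an easy place to lock down. The following is an added example of mine (not Bandit Defense's code and not part of WordPress) that walks a WordPress tree, reports anything under uploads that has a PHP extension or carries a PHP open tag behind an image header, and writes an .htaccess that stops the web server executing PHP there. The sample file tree, including the c99.php stand-in, is constructed for the demo; the .htaccess assumes Apache 2.4 with AllowOverride enabled, and an nginx deployment would need the equivalent location block instead.

```python
import tempfile
from pathlib import Path

# Extensions a typical mod_php/PHP-FPM setup will execute, plus the open tags to look for in disguised files.
PHP_EXTENSIONS = {'.php', '.php3', '.php4', '.php5', '.php7', '.phtml', '.phar'}
PHP_OPEN_TAGS = (b'<?php', b'<?=')

# Apache 2.4 directives that refuse to serve, and therefore to execute, PHP under uploads.
# Assumption: Apache with AllowOverride enabled for this directory.
UPLOADS_HTACCESS = """# Block execution of PHP in wp-content/uploads
<FilesMatch "\\.(php|php[3-7]|phtml|phar)$">
    Require all denied
</FilesMatch>
"""


def looks_like_php(path):
    """Flag a file by executable extension, or by a PHP open tag hidden inside a renamed 'image'."""
    if path.suffix.lower() in PHP_EXTENSIONS:
        return True
    with open(path, 'rb') as fh:
        head = fh.read(4096)
    return any(tag in head for tag in PHP_OPEN_TAGS)


def scan_uploads(wp_root):
    """Return POSIX-style paths (relative to wp_root) of everything under uploads that looks like PHP."""
    root = Path(wp_root)
    uploads = root / 'wp-content' / 'uploads'
    hits = []
    for p in uploads.rglob('*'):
        if p.is_file() and p.name != '.htaccess' and looks_like_php(p):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def harden_uploads(wp_root):
    """Drop the deny-PHP .htaccess into uploads and return its path."""
    target = Path(wp_root) / 'wp-content' / 'uploads' / '.htaccess'
    target.write_text(UPLOADS_HTACCESS)
    return target


def build_sample_tree(root):
    """Constructed WordPress-like tree: one real upload, one dropped shell, one shell disguised as an image."""
    uploads = Path(root) / 'wp-content' / 'uploads' / '2009' / '03'
    uploads.mkdir(parents=True)
    (uploads / 'photo.jpg').write_bytes(b'\xff\xd8\xff\xe0JFIF fake image bytes')
    (uploads / 'c99.php').write_text('<?php // stand-in for a dropped web shell\n')
    (uploads / 'avatar.gif').write_bytes(b'GIF89a\x00<?php // PHP hidden behind an image header\n')
    (Path(root) / 'wp-config.php').write_text('<?php // outside uploads, so not a finding\n')


def demo():
    """Scan the constructed tree, harden it, and confirm the new .htaccess is not itself reported."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = scan_uploads(root)
        harden_uploads(root)
        after = scan_uploads(root)
    for hit in before:
        print('suspicious:', hit)
    return before, after


if __name__ == '__main__':
    demo()
```

The content check matters because a shell named avatar.gif is invisible to an extension-only search but still runs on hosts that map extra extensions to PHP or honour double extensions; the .htaccess closes the execution path regardless of how the file got there, though it does nothing about the shared-server readability problem, which only the host can fix.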
The other really simple way of doing this is a Google search along the lines of "index of site:com +wp_config", which turns up exposed directory listings containing wp-config.php files and gives you pretty much the same power to tool around directories.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.