At PHP Meetup 011, held on Saturday, the topic was WordPress. We gave a joint presentation together with Doruk Fişek: I covered the WordPress Security side and he covered the WordPress Server Security side. You can reach my presentation via the slideshare link below.
2. Who Am I
Ince, Mehmet Dursun
Senior Penetration Tester, @ PRODAFT / INVICTUS
Ordinarily;
● Hack the app.
● Make it secure.
● Hack it again.
Blogger
https://www.mehmetince.net
5. Devs say; security is
● XSS, HUH?! IT’S NOTHING
● MY CODE IS FLAWLESS
● YOU ARE USELESS.
● FCUK YOU Pentester.
● BEST PROGRAMMING
LANGUAGE IS BLABLA...
6. The truth is
● Neither “Best secure programming language is PHP.” nor “PHP is the
most vulnerable language” is TRUE..!
● The truth is, programming languages are innocent. The problem is
YOU..!
8. Run applications with least privileges
● Do NOT run your application with root privileges. E.g; the HHVM and
MySQL processes should be started by different users (e.g. via supervisord).
● CHMOD 777 is not a solution for HTTP 403 errors, it will cause bigger
problems.
● CHOWN apache:apache -R www/ is not a “correct” solution for
HTTP 403 either. It will cause MUCH bigger problems.
9. Database security
● It is wise to keep each application in a separate database, each
managed by a different database user.
● Disable remote access, use SSH Tunneling.
● Disable LOAD_FILE() etc,
● Remove anonymous users.
● If you have an external database server, enable MySQL SSL
● https://www.mehmetince.net/mysql-veri-tabani-guvenligi-checklist/
10. Be a “Lone Wolf”
● It’s 2015…!
○ Stop using “Shared Hosting”.
○ Stop using cPanel.
○ Stop using WHMCS.
● A basic SSD Linux server costs just 5$/month. E.g; DigitalOcean,
Vultr, ...
12. Wp-admin ~ Wp-config
● 2-step authentication https://wordpress.org/plugins/authy-two-factor-authentication/
● Captcha https://wordpress.org/plugins/no-captcha-recaptcha/
● BasicAuth might also break some WP func., such as the AJAX handler at wp-admin/admin-ajax.php
● define( 'DISALLOW_FILE_EDIT', true );
● define( 'FS_METHOD', 'direct' );
13. Brute-force XMLRPC
● /xmlrpc.php
● Brute-force hundreds of thousands of username & password pairs within ONE HTTP request through the system.multicall method of XML-RPC.
● Disable xmlrpc.php access. If you need to use it, disable system.multicall, system.listMethods, system.getCapabilities.
15. WAF
● A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. By customizing the rules to your application, many attacks can be identified and blocked.
16. Wordpress 4.2.3 SQL Injection
Commit = 70128fe7605cb963a46815cf91b0a5934f70eff5 | Date = 4 August 2015
17. 23.02.2014
WP < 4.1 Stored XSS (Critical) vulnerability found by researcher.
31.03.2014
Issue acknowledged by Wordpress Team.
07.04.2014
Initial patch received from WP team.
...
FUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
21.04.2015
Finally, WP team released patch.
18. WTF
● Exploit does NOT require a logged-in user. Everyone may trigger the
vulnerability..! On the other hand, Stored-XSS means that anyone
who visits the infected article is going to be HACKED!
but the Wordpress Team patched the issue after 14 months!
20. Themes
“Nothing Is Free In This World.”
If you are using a free theme, I’m sorry but YOU GOT PWNED.
21. CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● Identified by Fox-IT in May 2014.
● A researcher from Fox-IT found the following HTTP request
generated by a customer's server.
[08/May/2014:12:44:10 +0100] "POST http://worldcute.biz/ HTTP/1.1"
… unexpected journey has begun.
22. CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● There is no User-Agent header
● There is no Referer header
● HTTP POST request to a .biz domain.
● and the POST data contains encrypted information..!
● Upon further inspection, they found the only action that occurred
before the HTTP POST request was the install of a plug-in onto a
Joomla instance by the administrator of the website.
23. CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● Latest installed plug-in was JSecure.
● The ZIP file of JSecure contained the following files.
24. CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● All files seem normal, other than jsecure.php. It was updated on March
26..!
25. CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● The jsecure.php code was innocent as well, except for the last line.
26. CryptoPHP ~ Most Sophisticated CMS Backdoor Case
mince@rootlab admin $ file images/social.png
images/social.png: PHP script, ASCII text, with very long lines
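The `file` check above can be turned into a routine scan. The following is an added example, not code from the slides or from Fox-IT: it walks a plugin directory and flags image-named files that contain a PHP open tag, and PHP files that include such a file. The second pattern is an assumption about how a dropped file gets loaded; the slides only say the last line of jsecure.php was not innocent. The sample plugin tree is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Extensions that should never carry PHP code.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
# A PHP open tag anywhere in the file (what `file` keyed on for social.png).
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# include/require whose target has an image extension (assumed loader pattern).
INCLUDE_IMAGE = re.compile(
    rb"\b(include|require)(_once)?\b[^;]*\.(png|jpe?g|gif|ico)['\"]", re.IGNORECASE)


def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        ext = path.suffix.lower()
        if ext in IMAGE_EXTS and PHP_OPEN_TAG.search(data):
            findings.append((path.relative_to(root).as_posix(), "php-code-in-image"))
        elif ext == ".php" and INCLUDE_IMAGE.search(data):
            findings.append((path.relative_to(root).as_posix(), "php-includes-image"))
    return sorted(findings)


def demo():
    """Build a constructed plugin tree resembling the JSecure case and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "jsecure"
        (plugin / "images").mkdir(parents=True)
        # Genuine PNG header: must NOT be flagged.
        (plugin / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        # Constructed stand-in for social.png: PHP source where an image belongs.
        (plugin / "images" / "social.png").write_bytes(b"<?php /* constructed sample */ echo 1;")
        # Benign plugin body with a constructed last line that loads the 'image'.
        (plugin / "jsecure.php").write_text(
            "<?php\n// constructed benign plugin code\n$x = 1;\ninclude 'images/social.png';\n")
        return scan_tree(plugin)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```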
30. CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● One backdoor to rule them all ( Wordpress, Drupal, Joomla )
● Public key encryption between Command & Control servers.
● Ability to update itself.
● Method hook
● ...
Details : https://www.mehmetince.net/cryptophp-backdoor-analizi-ve-tespiti/