You keep your PC up to date with the latest patches and run a good anti-virus solution, so you must be safe, right? Have you got old software installed that you don't use anymore or have forgotten about? Old, discontinued or out-of-date software can leave a wide-open hole into your network. This video shows a port scan and quick exploit of some old software installed on a PC which should have been uninstalled years ago.
Here we have another example of simple SQL Injection. In the previous example we bypassed the authentication controls; in this example we dump the User table, which contains all usernames and passwords, onto the webpage. This webpage is a simple account search page. We are asked for our username and password in order to view and edit our account details, and again we can use a simple SQL Injection which will evaluate to true (' OR 1=1 -- ). As the input is not filtered, the whole User table can be dumped into the webpage. Again this is a basic example, but it shows that you need to carefully consider the security of any table that users can query, as once we have dumped the table we can log in as any user! (Again we are using Mutillidae to demonstrate this vulnerability.)
Another quick video showing how SQL Injection can be used to bypass a login page. This is a very basic example, but it clearly shows that if you aren't filtering input your site is at risk. Here we use a simple SQL statement ' OR 1=1 -- to bypass the login authentication control. The ' at the start terminates the string in the intended statement which should run when you click the login button, and then the SQL statement OR 1=1 will run (this will always equal true). For example, a simplified login statement would be "IF Username & Password = true, Login = yes" (this is not a real statement; it is written here in simplified form to make it easier to understand). Our injection statement equals true, so even though we have not supplied a username and password the statement still equals true and we get logged in! The -- at the end simply comments out any code which comes after our injection, which allows our statement to run without any extra code running afterwards. The site we are using in this demonstration is Mutillidae, which is maintained by @webpwnized and is great for learning how to secure web apps; check it out.
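To make the two SQL Injection videos concrete, here is an added example (not code from the videos or from Mutillidae) that runs the same ' OR 1=1 -- input against a login query built by string concatenation and against the same query using bound parameters. The table, user names and plaintext passwords are constructed for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the demo's User table (assumption: the
# table and the plaintext passwords are made up; a real site must hash them).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "Winter2017!"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, username, password):
    # Query built by string concatenation: the user's input becomes SQL text.
    # With username "' OR 1=1 -- " the WHERE clause turns into
    #   username = '' OR 1=1 -- ' AND password = ''
    # so the quote closes the literal, OR 1=1 is always true, and -- comments
    # out the password check, returning every row (the whole table dump).
    sql = ("SELECT username, password FROM users WHERE username = '"
           + username + "' AND password = '" + password + "'")
    return sorted(db.execute(sql).fetchall())

def login_parameterized(db, username, password):
    # Bound parameters are passed as data, never parsed as SQL, so the same
    # input is just a username that does not exist and matches nothing.
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return sorted(db.execute(sql, (username, password)).fetchall())

INJECTION = "' OR 1=1 -- "   # the input used in the videos

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", login_vulnerable(db, INJECTION, ""))
    print("parameterized:", login_parameterized(db, INJECTION, ""))
```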
This shows that even with file validation controls an attacker can manipulate file extensions to get the PHP shell through the filters. The result is the same: from here the attacker can view files or upload their own to inject malicious content into the site. All visitors to the site are then potential victims, as they could be downloading malicious files or being redirected by tampered links without any idea the site has been compromised.
This is how quickly it can happen. The site has a simple file upload control, but it has no validation, which allows us to upload a PHP shell and get access to the whole system. Using this shell we can steal password hashes or upload files to the webserver.
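As an added example (not code from the videos or from the demo site), here is the kind of allowlist-based upload check that closes both the "no validation" case and the renamed-extension case above: it checks every extension component rather than just the last one, verifies the file content against the claimed type, and discards the client-supplied name. The allowlist and the magic-byte table are assumptions for the example.

```python
import os
import re
import secrets

# Allowlist of accepted extensions and the magic bytes each one must start
# with (constructed for this example; extend for the types your site needs).
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

def check_upload(client_name, data):
    """Return (True, server_name) for an acceptable upload, else (False, reason)."""
    # Keep only the final path component so '../' in the client name is inert.
    name = os.path.basename(client_name.replace("\\", "/"))
    # Reject null bytes and anything outside a conservative character set.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        return (False, "filename contains unsafe characters")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return (False, "filename has no extension")
    # Every extension component is checked, not just the last one, because a
    # web server may hand a file to an interpreter based on an inner extension.
    for ext in parts[1:]:
        if ext not in ALLOWED:
            return (False, "extension not allowed: " + ext)
    # The extension alone proves nothing; the content must match the type claimed.
    if not data.startswith(ALLOWED[parts[-1]]):
        return (False, "content does not match the claimed type")
    # Never reuse the client's name: store under a random name with the
    # verified extension, in a directory where script execution is disabled.
    return (True, secrets.token_hex(8) + "." + parts[-1])
```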
This starts with you receiving an email which asks you to click on a link. It could be a specially crafted email from an attacker, made to look like it comes from your bank, your email provider, or perhaps your Amazon account. You click on the link and all appears OK. You also have Facebook open (most people do, or a shopping site!), but what is happening in the background is that the attacker now has access to your browser (Firefox/Chrome/Internet Explorer) and has the ability to intercept all your login credentials. They can also craft popups which look like normal updates to tempt you into downloading something which can compromise your PC permanently, or trick you into logging into a website you are already logged into, all without you knowing. You'll also notice that the PC is running up-to-date anti-virus on a fully patched Windows 7 machine.
It seems barely a week goes by without having to resolve a WordPress issue. I needed to update to version 4.8, so I went to my update panel ready to use the "one click" update, but instead of opening the update page informing me that the site is in update mode it opened to a blank page. After refreshing and returning to the update panel, I disabled all plugins and tried again; now whenever I clicked the update button I was greeted with a message telling me an update was in progress, so I left it, expecting that it would eventually complete. However, 12 hours later WordPress was still not updated and clicking the update button gave the same message that an update was already in progress! I restarted the server with no change. A bit of googling led me to https://wordpress.stackexchange.com/questions/224989/get-rid-of-another-update-is-currently-in-progress so I installed wp-cli using this guide https://www.sitepoint.com/wp-cli/ and tried in vain to carry out these steps. However, I was continually told by wp-cli that wp-config.php did not exist! I checked and this was not the case, so another brick wall! I had already wasted an hour by this point on what should have been a ten minute job. Therefore I simply downloaded the latest WordPress version by running
then (from the same dir)
tar xzvf latest.tar.gz
sudo rsync -avP ~/wordpress/ /var/www/html/
As I had manually created an uploads directory I had to reassign group ownership to allow me to upload content to that directory using the following.
sudo chown -R :www-data /var/www/html/wp-content/uploads
Hey presto! We are now running on the latest version, with all existing plugins and content still working. (I double-checked by running wpscan from my Kali box just to be sure I was on the latest version.) Hope this helps someone else out. Don't forget to back up before running these steps.