|H9 Preview Wordpress Hacking and Vulnerabilities.pdf
huge apology for our delay, we had so many articles that it took us longer than usual to put this new issue together . But the new Hakin9 is finally out! As always we would like to send a big “THANK YOU!” to our reviewers and proofreaders. We wouldn’t be able to do this without you!
Many of you are probably on vacations, sitting on the beach and relaxing, or climbing mountains, parachute jumping or simply spending time with your family. Wherever you are, I hope you have an amazing time! To make your vacations even better we prepared a new issue, so take a break and join the WordPress world!
GitHub Corner: WordPress
WordPress distributions and Security – a short overview
by Miriam Wiesner
No matter how good your WordPress safety is, keep one thing in mind: You will never be safe from attackers!
by Jomon Thomas Lobo
A website is efficient only when it is not compromised, its uptime is maximized, your data is safe and your site gives faster response. As a popular Content Management System (CMS), WordPress has a lot of security threats. Security is a practice, not something we can buy from the market. In this article, I am trying to point out some practices that reduce threats in your WordPress website. I recommend the following things to harden your WordPress website.
Restricted Linux Shell Escaping Techniques
by Felipe Martins
The focus of this article is on discussing and summarizing different techniques to escape common Linux restricted shells, as well as simple recommendations for administrators to protect against it. This article is not focused on hardening shells, however some hints will be given to the reader as proof of concept. Additionally, this article is focused on Linux shells only, not windows. It is also important to note that not all techniques presented here will work in every restricted shell, so it is up to the user to find which techniques will suit them, depending on the environment in use. This is not intended to be a definite guide for escaping shell techniques, but a basic introduction to the subject.
How To Hack WordPress
by Emmanuel Schonberger
Monday 7:15AM, new customer calls requesting web page provisioning ASAP. You think about it for a second, got it!! deploy a WordPress Template. So you pick up your favorite *NIX distro and install a fresh copy of it on a server. You download and install WordPress, customize it with a template, you are done! Mission accomplished, survived another day in admin paradise. Clock beeps, it’s 8:30AM.
Hacking WordPress and Vulnerabilities
by Giuseppe Canale
WordPress - the Content Management System (CMS) which allows you to collect, filter, process, create and distribute data online - is used by circa 74.6 Million sites worldwide powering more than 23% of websites on the Internet. If you’re reading this article, you’re probably an evolved Internet user, conscious of the merits of IT security, and this may partly be attributed to the work the WordPress community does to promote interest and development of the online community. This community also contributes to its widespread usage but makes it an ideal target for hackers and those seeking to spread malicious content with a far-reaching impact.
Writing your own shellcode
by Paras Chetal
In this article, I'll walk through the entire process of writing shellcode for Linux. Writing your own shellcode is considered by some as some sort of black magic, so I thought I'd make it less murky through this comprehensive write-up to write shellcode that will spawn a shell. I'll be working on a 64bit Ubuntu 15.10 OS. However, in order to better explain the process, I'll be working with 32 bit binaries and x86 assembly. Bear in mind that the addresses (as seen in the disassembled code, etc.) will most likely be different in your computers, however, the procedure will remain the same as I have explained.
by Luciano Ferrari
The number of WordPress users is 76.5 million, representing 26% of all websites globally. Fifty thousand new WordPress websites are added daily. It’s a very versatile and friendly content management system that is used by Fortune 500 companies, like eBay, GM and Reuters News. Those impressive numbers place WordPress as one of the most popular web platforms of the world. The reason? Probably because it’s free through their open source platform, ease of use, the high number of plugins developed, high number of people that know how to use it and their nice options for themes. But those advantages can bring at least one very important con. Because of its popularity it’s been a very common target for hackers. Lots of malware and exploits are created targeting WordPress websites and, unfortunately, WordPress website administrators are not being very diligent in taking care of security.
Hacking WordPress Sites with WPScan
by Cory Miller
WordPress is one of the most popular dynamic open-source content management systems platform that provides anyone with the ability to publish ecommerce, blog, and general web sites. Because of its popularity, anyone can view the code that runs WordPress. This makes it a prime target for hackers. In order to ensure that WordPress is secure and to reduce the vulnerable landscape, WPScan was created. Like many vulnerability scanners, WPScan can identify the known common vulnerabilities that might be present within the WordPress site. By using WPScan, you can quickly identify what version plugins, themes, and accounts are present and if they have known vulnerabilities associated with them. The first line of defense is to know what could be vulnerable so that you can mitigate and increase the security of your site, and this is where WPScan can help.
Exploiting XML-RPC Vulnerability in WordPress
by Fredy Valle
WordPress is a free and open-source content management system (CMS). It’s a web software you can use to create websites, blogs or even web applications. WordPress is one of the most popular CMS today because it provides an easy and simple option for people with basic knowledge on development.
WordPress Security with WPScan
by Ricardo Ángel Encinar de Frutos
WordPress is the most used CMS to create web-sites or blogs. However, safety is one of the top concerns for those using the WordPress platform. In this article, we will go over the basic steps for securing our WordPress installation. As an aside, we will comment on those vulnerabilities that a malicious attacker would look for before considering whether our site is an easy target or not. In addition, we will check whether we can find any vulnerabilities in our site that an attacker could exploit with the tool WPScan.
Anatomy Of The WordPress Scanner And Countermeasures
by Sumit Kumar Soni
WordPress is a dynamic open-source content management system which is used to power millions of websites, web applications, ecommerce sites, and blogs. WordPress' usability, extensibility, and mature development community make it a popular and secure choice for websites of all sizes. Its popularity makes WordPress based websites a prominent target for hackers. WordPress is based on PHP and MYSQL. There are thousands of commercial and free plugins and themes available to extend WordPress functionality. These plugins & themes expand the threat landscape of WordPress based websites and requires the systems admin to further harden their installations.
Hacking a real WordPress site
by Renato Borbolla, Thiago Ferrerira, Mike Garcia, Paulo Henrique Pereira
The experiment described in this article has a purpose of study. We test our approach on our website and no attack was conducted on external websites. We analyzed typical vulnerabilities associated with hacking.
Should you always trust that browser padlock?
by Harpreet Bassi
We’ve always been taught that you are safe if your browser is displaying a little padlock. But is this still true? To answer this question, let’s go back to the roots of HTTP (Hyper Text Transfer Protocol).