Plain Text Pages/Posts in WordPress

While experimenting with WordPress I was tasked with a situation where I was supposed to present some static text content on the website. However, uploading a text file was out of the question, and the author wanted to keep everything controlled inside WordPress.

So I created a simple text-only page template for him. Combined with a plugin that allows custom permalinks, this gives us a custom URL name while still serving the WordPress page as a static, text-only page.

Template Page is available online at : https://github.com/anantshri/wordpress_tricks/blob/master/plain_text_page.php

Source code, for viewing pleasure:

<?php
/**
 * Template Name: content text only
 * Description: Serve the post/page content as text only, with all HTML/PHP tags stripped.
 *
 * To keep formatting (line breaks, indentation) intact while editing in the
 * WordPress editor, wrap the text in <pre></pre>; the tags themselves are
 * removed below and only the textual part of the content is output.
 *
 * @package WordPress
 */

// Headers must be sent before any output, so they come first. Declaring the
// charset avoids mojibake for non-ASCII text; nosniff stops older browsers from
// "sniffing" the body and rendering it as HTML despite the text/plain type.
header( 'Content-Type: text/plain; charset=utf-8' );
header( 'X-Content-Type-Options: nosniff' );

if ( have_posts() ) :
	while ( have_posts() ) : the_post();
		// get_the_content() returns the stored content without the_content
		// filters, so shortcodes and wpautop are not applied; strip_tags()
		// then drops any HTML/PHP tags and leaves only the text.
		$content = get_the_content();
		echo strip_tags( $content );
	endwhile; // end of the loop
endif;
?>

P.S. I suspect there are better ways of dealing with this situation, but my limited Google skills didn't produce a result in the first 5 minutes, so instead I spent 2 minutes crafting this. If you know a better way, feel free to suggest it in the comments.

Mission attachment protection

Earlier today @Rsnake posted about a flaw in how WordPress handles attachments.

Here are my observations on the same, listed below.

Note: observations are based on the latest WordPress version, 3.5.2, with an image uploaded as an attachment (anyone running anything older seriously needs to check).

In short: yes, the vulnerability is real, but with lots of caveats.

1) If the attachment is not linked to any post, site/?attachment_id=N returns 200 OK and serves the attachment page.

2) If the attachment is linked to a published post/page, the response is a 301 redirect (to the attachment's permalink).

3) If the attachment does not exist, a 404 is returned.

4) If the post is still a draft but the attachment has been added to it, a 404 is returned, or a 301 if the post already has a canonical name (slug).

WPScan, the leading vulnerability scanner for WordPress, has an issue open for this: https://github.com/wpscanteam/wpscan/issues/172

So what can we do about it?

Here is a quick .htaccess patch that can be applied to your WordPress instance. Add the code below to the .htaccess file in the root of your WordPress installation.

Patch listed below:

<IfModule mod_rewrite.c>
RewriteEngine On
# Deny (403) any request whose query string carries an attachment_id parameter,
# whether it is the first parameter or follows an '&'. With the F flag the
# substitution is ignored, so '-' is used instead of a target path.
RewriteCond %{QUERY_STRING} (^|&)attachment_id=
RewriteRule ^ - [F,L]
</IfModule>

Note: this has only been tested on my personal website; it results in a 403 error for all URLs carrying attachment_id=.

However, keep in mind that once an attachment has been uploaded there are other ways to reach it (the file itself sits under wp-content/uploads/, and the attachment page has its own permalink), so if you are not ready to expose it to the world, it is better not to upload it at all.
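As an added check that is not part of the original post: a small Python 3 probe that walks a range of attachment IDs against a site you own and classifies each response the way the observations above describe. The base URL, the ID range and the script name (probe_attachments.py) are assumptions; the HTTP call is injectable so the classification logic can be exercised offline on constructed status codes. Run it before and after adding the .htaccess rule: every probe should flip to 403.

```python
"""Probe a WordPress site for attachment enumeration via ?attachment_id=N.

Added example, not part of the original post. Status codes are interpreted as
observed above: 200 = orphaned attachment page served, 301 = attached to a
published post (redirect to its permalink), 404 = no such attachment or a
draft, 403 = the .htaccess rule is doing its job. Base URL and ID range are
assumptions; the HTTP call is injectable so the logic runs offline in tests.
"""
import sys
import urllib.error
import urllib.request

MEANING = {
    200: "orphaned attachment: page served (enumerable)",
    301: "attached to a published post: redirect to its permalink",
    403: "blocked: htaccess rule in effect",
    404: "no such attachment (or attached to a draft)",
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 301 itself is what we observe."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=10):
    """HTTP status for a GET of url without following redirects; None on no response."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive here
        return err.code
    except urllib.error.URLError:           # DNS/connect/timeout failure
        return None


def classify(status):
    if status is None:
        return "no response"
    return MEANING.get(status, "unexpected status %d" % status)


def probe(base_url, ids, fetch=http_status):
    """Map each attachment id to (status, meaning). fetch(url) -> status is injectable."""
    base = base_url.rstrip("/")
    results = {}
    for aid in ids:
        status = fetch("%s/?attachment_id=%d" % (base, aid))
        results[aid] = (status, classify(status))
    return results


def leaked_ids(results):
    """Ids whose attachment page was served outright: the enumerable case."""
    return sorted(aid for aid, (status, _) in results.items() if status == 200)


if __name__ == "__main__":
    # Assumed usage: python probe_attachments.py http://your-site.example 1 50
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    lo, hi = (int(sys.argv[2]), int(sys.argv[3])) if len(sys.argv) > 3 else (1, 50)
    res = probe(base, range(lo, hi + 1))
    for aid, (status, meaning) in res.items():
        print("%5d  %s  %s" % (aid, status, meaning))
    print("enumerable ids:", leaked_ids(res))
```

Only probe sites you are authorised to test; the point of the script is to confirm on your own instance that the enumerable (200) case has gone away after the patch.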

Shameless plug: many similar tricks are shared at https://github.com/anantshri/wp-security. Anyone concerned with WordPress security should definitely visit the page. Feel free to contribute too.

More information will be added as and when spotted.

SVN Extractor for Web Pentesters

Web application pentesters frequently run into exposed .svn folders. For those not aware, the .svn folder is where the Subversion (SVN) version control system keeps its working-copy metadata. For a blackbox pentester this folder contains a huge amount of information:

1) Uncover hidden file and folder names

2) Access the source code of the files

3) Download files even if restrictions are in place in .htaccess

How this can be achieved:

1) Uncover hidden file and folder names

There are two ways to do this, depending on the working-copy format (i.e. the SVN client version) in use.

For SVN 1.6 and earlier, every directory has its own .svn, and .svn/entries lists the files and folders in that directory along with the usernames that committed them.

For SVN 1.7 and later, there is a single .svn at the root of the working copy, and .svn/wc.db holds similar data for the whole tree in SQLite 3 format.

Either file may be directly accessible through the URL (e.g. /.svn/entries or /.svn/wc.db).

2) Access the source code / download files even if .htaccess blocks access

SVN keeps a pristine copy of every versioned file in one of two locations, again depending on the working-copy format:

1) .svn/text-base/"filename".svn-base (1.6 and earlier, inside each directory's own .svn)

2) .svn/pristine/"XX"/"CHECKSUM".svn-base (1.7 and later, under the single .svn at the working-copy root)

where

filename is the actual name of the file,

CHECKSUM is the SHA-1 of the file's contents (stored in wc.db's NODES table with a $sha1$ prefix), and

XX is the first two hex characters of CHECKSUM.

The first form has a limitation. Suppose the file is testme.php; the path becomes

.svn/text-base/testme.php.svn-base

and a large number of servers will still run that through the PHP engine and serve the output instead of the source, because an AddHandler-style mapping matches .php anywhere in the chain of extensions.

That is where the second form shines: the pristine name carries no original extension, so the server hands it back as-is. This information, however, is only available from wc.db (SVN 1.7 and later), and it requires the .svn/pristine directory to be web accessible.
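To make the two lookups concrete, here is an added Python 3 example; it is not the svn-extractor tool itself and not taken from any of the references below. Both inputs are constructed for the example: a minimal SVN 1.6-style .svn/entries file and an in-memory SQLite stand-in for wc.db that carries only the NODES columns this needs (a real wc.db has many more tables and columns). The repository URLs, file names and author names are made up.

```python
"""Recover file names and pristine-copy paths from leaked .svn metadata.

Added example, not the svn-extractor tool. Both inputs are constructed: a
minimal SVN 1.6-style .svn/entries file and an in-memory SQLite database with
only the NODES columns this needs (a real wc.db has many more).
"""
import hashlib
import sqlite3

SHA1_PREFIX = "$sha1$"   # wc.db stores content checksums as "$sha1$<40 hex chars>"


# --- SVN <= 1.6: .svn/entries (one per directory) ---------------------------

def parse_entries(text):
    """Return [(name, kind, last_author)] from a format-10 .svn/entries file.

    Layout: a format-number line, then one block per entry, blocks separated
    by a line holding a single form feed. The first block describes the
    directory itself (empty name). Fields are one per line: name, kind,
    revision, url, repos root, schedule, text-time, checksum, committed-date,
    committed-rev, last-author, ...
    """
    entries = []
    for i, block in enumerate(text.split("\x0c\n")):
        lines = block.split("\n")
        if i == 0:
            lines = lines[1:]              # drop the format number
        if not lines or lines[0] == "":
            continue                       # the directory's own entry, or trailing blank
        kind = lines[1] if len(lines) > 1 else ""
        author = lines[10] if len(lines) > 10 else ""
        entries.append((lines[0], kind, author))
    return entries


# --- SVN >= 1.7: .svn/wc.db (single SQLite db at the working-copy root) -----

def pristine_path_for(checksum):
    """.svn/pristine/XX/<sha1>.svn-base for a NODES.checksum value, else None."""
    if not checksum or not checksum.startswith(SHA1_PREFIX):
        return None
    digest = checksum[len(SHA1_PREFIX):]
    return ".svn/pristine/%s/%s.svn-base" % (digest[:2], digest)


def pristine_paths(db):
    """Map every versioned file in NODES to the path of its pristine copy."""
    rows = db.execute("SELECT local_relpath, checksum FROM NODES "
                      "WHERE kind = 'file' AND checksum IS NOT NULL")
    return {relpath: pristine_path_for(cs) for relpath, cs in rows}


# --- Constructed sample data -------------------------------------------------

SAMPLE_ENTRIES = (
    "10\n"                                                        # format number
    "\ndir\n42\nhttp://svn.example.test/repo/trunk\nhttp://svn.example.test/repo\n"
    "\n\n\n2013-01-01T00:00:00.000000Z\n42\nalice\n\x0c\n"        # the directory itself
    "index.php\nfile\n\n\n\n\n2013-01-01T00:00:00.000000Z\n"
    "d41d8cd98f00b204e9800998ecf8427e\n2013-01-01T00:00:00.000000Z\n42\nbob\n\x0c\n"
    "backup\ndir\n\x0c\n"
)


def build_sample_wcdb():
    """In-memory stand-in for wc.db: two files and two directories."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE NODES (wc_id INTEGER, local_relpath TEXT, "
               "op_depth INTEGER, kind TEXT, checksum TEXT, changed_author TEXT)")
    db.execute("INSERT INTO NODES VALUES (1, '', 0, 'dir', NULL, 'alice')")
    db.execute("INSERT INTO NODES VALUES (1, 'admin', 0, 'dir', NULL, 'alice')")
    files = {"index.php": b"<?php echo 'hello'; ?>\n",
             "admin/config.php": b"<?php $db_pass = 'hunter2'; ?>\n"}
    for relpath, content in files.items():
        cs = SHA1_PREFIX + hashlib.sha1(content).hexdigest()   # SVN checksums the content
        db.execute("INSERT INTO NODES VALUES (1, ?, 0, 'file', ?, 'bob')", (relpath, cs))
    return db


if __name__ == "__main__":
    for name, kind, author in parse_entries(SAMPLE_ENTRIES):
        print("entries: %-18s %-4s last-author=%s" % (name, kind, author))
    for relpath, path in sorted(pristine_paths(build_sample_wcdb()).items()):
        print("wc.db:   %-18s -> %s" % (relpath, path))
```

Against a live target you would fetch /.svn/wc.db, open it with sqlite3, and request each path that pristine_paths() produces relative to the web root; the server returns the raw pristine bytes because nothing in the name tells it to execute them.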

However, after searching a lot I was not able to find a single script that can do both of these things in one go, so here is a tool which performs both operations in one script.

Usage

svn-extractor.py --url "url with .svn available"

Source link: https://github.com/anantshri/svn-extractor

So far this has only been tested in localhost environments; hoping to get some feedback on it.

References

It would be unfair to say that I did all the research myself, so here are the links to the resources I used to get the information out.

1) http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us (manual technique for wc.db)

2) http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive (manual technique for .svn/entries)

3) http://www.cirt.net/svnpristine (the only automated tool I could find online; it does half of what this tool does)

IronWasp on Linux

For those looking for how to download and install IronWASP on Linux, here is a one-line copy-paste installer (it is fetched over plain HTTP, so read the script before running it):

wget http://blog.anantshri.info/content/uploads/2013/01/ironwasp_installer.sh.txt -O ~/ironwasp_installer.sh && sh ~/ironwasp_installer.sh

Those looking for some reading can continue from here.

This post will talk about running IronWASP on Linux, so a little background first.

IronWASP (from ironwasp.org):

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.

Where does Linux come into the picture?

IronWASP is built on FiddlerCore and uses .NET for the UI, so running it on Linux was a bit hard. Mono is out of the question here, as FiddlerCore doesn't play well with Mono; Lava and I worked on checking whether Mono could support it, but the efforts didn't work out. Then came the CrossOver Office giveaway sale and a surprise tweet from R3dsm0k3 about being able to run IronWASP successfully through CrossOver Office on a Mac.

Since then I had been wondering: why only CrossOver Office, we should be able to do it directly in Wine. Today I finally got some time to sit down and see how CrossOver does it and what could be done with Wine, and here is the output.

Disclaimer: this is in no way a fully baked script; it is bits and pieces joined together overnight to get things working. I can't promise that a new release will be done, but it should help anyone who wants to work on it.

Once you run this script, all you need to do is click Next, Next, Finish for the .NET 2.0 installation, and soon you will find an icon on your Linux desktop named IWASP which launches IronWASP for you. In the background the script downloads and installs the various dependencies required and configures the system.

Prerequisites: Wine version >= 1.4 and internet connectivity.

I will try to make a video of the same setup; until then this textual write-up should be enough.

Note: during setup, if there is a prompt to restart now or later, please select restart now. Your system won't reboot; only Wine restarts.

Download link: ironwasp_installer.sh


Feel free to suggest changes or comment.

KNOWN ISSUES

1) The UI-Designer's drag-and-drop UI building doesn't work on 32-bit Linux (working on 64-bit Linux; working on Mac is confirmed by r3dsm0k3).

CHANGELOG

22-01-2013:
1) r3dsm0k3 confirmed that the script works on Mac too.
2) Code modified to add a reference.
3) Shortcut details updated to fix the API tree not being visible on the right side.
4) dos2unix conversion added; web edits had given the script DOS line endings.
5) WINEPREFIX specifically marked as 32-bit.

23-01-2013:

1) Customisation to make the script work on 64-bit Linux instances.

NOTE

In case, after running the script, Wine shows an error suggesting that you install Mono for Linux/Windows, I suggest re-running the script, but this time comment out the wget URL for CNET and uncomment the wget URL for Microsoft Downloads. Both URLs are used to download .NET SP2, but sometimes one goes down, and I had a better success ratio with the CNET link. However, YMMV. Feel free to add a comment here in case of any issue, but make sure to include the entire output of the command listed above; this helps in quickly solving the issue.

In case you don’t want to add a lot of junk in comment i would suggest email me with the details at [email protected]

script kiddie blocker

This post is a continuation of the thread here: http://www.garage4hackers.com/f11/script-kiddie-blocker-2581.html

Based on the details I have gathered so far, here is an .htaccess snippet which you can use.

#Script kiddie blocker start
#License: GPLv2 or later
#License URI: http://www.gnu.org/licenses/gpl-2.0.html
<IfModule mod_rewrite.c>
RewriteEngine On
# User-agent strings advertised by common scanners and fuzzers ([NC] = case-insensitive).
RewriteCond %{HTTP_USER_AGENT} ^w3af\.sourceforge\.net [NC,OR]
RewriteCond %{HTTP_USER_AGENT} dirbuster [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nikto [NC,OR]
# skipfish identifies itself as "Mozilla/5.0 SF/2.xx"; match the "SF/<digit>" token,
# not a bare "SF", which would also hit legitimate agents containing those two letters.
RewriteCond %{HTTP_USER_AGENT} SF/[0-9] [OR]
RewriteCond %{HTTP_USER_AGENT} sqlmap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} fimap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nessus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} whatweb [NC,OR]
RewriteCond %{HTTP_USER_AGENT} openvas [NC,OR]
RewriteCond %{HTTP_USER_AGENT} jbrofuzz [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwhisker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webshag [NC,OR]
# Acunetix WVS announces itself in a request header rather than in the user agent.
RewriteCond %{HTTP:Acunetix-Product} ^WVS
# Send the scanner back to its own machine. R=301 is cached by browsers; use [F]
# instead if you would rather answer with a plain 403.
RewriteRule ^ http://127.0.0.1 [R=301,L]
</IfModule>

#Script kiddie blocker End

This is a basic setup where we redirect these skiddies to their own systems, which should be fun to watch :P. Bear in mind that a user-agent string is trivially changed (most of these tools let you set it), so this is a nuisance filter for lazy scans, not a security control.
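An added Python 3 example, not part of the original post or the garage4hackers thread: it replays the same patterns against Apache combined-format access-log lines so you can see which past requests the rule set would have caught, and lets you check a candidate pattern for collateral matches before adding it. The five log lines are constructed, with made-up addresses and user agents; the MSFT token in the fourth line exists only to show why a bare SF pattern is too broad.

```python
"""Replay the user-agent blocking rules above against access-log lines.

Added example, not part of the original post. Parses Apache "combined" log
lines (constructed below) and applies the same patterns as the RewriteCond
lines, case-insensitively where those use [NC].
"""
import re

# (pattern, case-insensitive) pairs mirroring the .htaccess rules.
UA_RULES = [
    (r"^w3af\.sourceforge\.net", True),
    (r"dirbuster", True),
    (r"nikto", True),
    (r"SF/[0-9]", False),          # skipfish: "Mozilla/5.0 SF/2.10b"
    (r"sqlmap", True),
    (r"fimap", True),
    (r"nessus", True),
    (r"whatweb", True),
    (r"openvas", True),
    (r"jbrofuzz", True),
    (r"libwhisker", True),
    (r"webshag", True),
]
COMPILED = [re.compile(p, re.I if nc else 0) for p, nc in UA_RULES]

# combined format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')


def parse_line(line):
    """Dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def matched_rule(user_agent):
    """The first pattern that fires for this user agent, or None."""
    for rx in COMPILED:
        if rx.search(user_agent):
            return rx.pattern
    return None


def scan_log(lines):
    """List of (ip, request, ua, pattern) for every line a rule would have caught."""
    hits = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        pat = matched_rule(rec["ua"])
        if pat:
            hits.append((rec["ip"], rec["req"], rec["ua"], pat))
    return hits


def would_match(pattern, lines, case_insensitive=False):
    """IPs of the lines a candidate pattern hits; run this before adding a rule."""
    rx = re.compile(pattern, re.I if case_insensitive else 0)
    return [rec["ip"] for rec in map(parse_line, lines) if rec and rx.search(rec["ua"])]


# Constructed sample log: two scanners, one skipfish run, two ordinary browsers.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2013:10:00:01 +0530] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '203.0.113.6 - - [10/Jan/2013:10:00:02 +0530] "GET /admin/ HTTP/1.1" 404 512 "-" "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"',
    '203.0.113.7 - - [10/Jan/2013:10:00:03 +0530] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0 SF/2.10b"',
    '198.51.100.9 - - [10/Jan/2013:10:00:04 +0530] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) MSFT-build"',
    '198.51.100.10 - - [10/Jan/2013:10:00:05 +0530] "GET /about HTTP/1.1" 200 4321 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/18.0"',
]

if __name__ == "__main__":
    for ip, req, ua, pat in scan_log(SAMPLE_LOG):
        print("%-14s %-26s matched %-24s UA=%s" % (ip, req, pat, ua))
    print("bare 'SF' would also hit:", would_match("SF", SAMPLE_LOG))
```

Feed it your real access log (one line per element of the list) to see what a new entry would have blocked over the last weeks before you put it live.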

I will keep adding more entries as time progresses.

LSB new twist: text-based steganography

Today I am going to discuss a simple twist on existing steganography and text-based data hiding techniques. While creating challenges for HackIM, the pre-conference hacking challenge for the nullcon conference, we came up with a text-based LSB hiding challenge as crypto challenge part 5. Today I am releasing the tools I used to encode and decode such values.

The basic premise behind the tool is the simplest image-based steganographic technique, where data is hidden in the least significant bit of each pixel. Here we apply the same principle to plain text. The difference is that in an image there is very little visible distortion and the stego image looks pretty much the same as the original, whereas in the text implementation the text looks a lot different: every character whose low bit flips becomes its neighbour in the ASCII table.

Example

text to hide = a

binary of text to hide = 01000001

So for this we need a cover of size = 8 characters.

Let's assume the cover is abcdefgh.

We replace the LSB of each cover character with one bit of the text we need to hide, taking the bits of the text from MSB to LSB.

S.No  Text  Binary    Hidden bit  Converted binary  Final text
1     a     01100001  0           01100000          `
2     b     01100010  1           01100011          c
3     c     01100011  0           01100010          b
4     d     01100100  0           01100100          d
5     e     01100101  0           01100100          d
6     f     01100110  0           01100110          f
7     g     01100111  0           01100110          f
8     h     01101000  1           01101001          i

This new text can now be sent across.

The final text becomes `cbddffi

As we can see, the text has changed a lot. The important things to remember, though, are that the cover text is still largely recognisable and that there is no key: flipping the low bit of each character back gives you the cover, and reading those same low bits gives you the hidden value. Anyone who suspects LSB encoding can recover it directly.

Here is a fun tip:

Make your envelope (cover) text something interesting, so that attention shifts to the envelope rather than to the variation in the data.

To simplify the above task I wrote simple encode and decode scripts, listed below. (The scripts are at a crude level right now; I may improve on them if the need arises.)

Encode

#License : GPL2
#License File : http://www.gnu.org/licenses/gpl-2.0.html
import sys


def encode(cover, key):
    """Hide key in the LSB of each cover character (8 cover chars per key byte)."""
    if len(cover) != len(key) * 8:
        raise ValueError("Invalid Cover Size : %d : %d" % (len(cover), len(key) * 8))
    # Key bits, MSB first, one bit per cover character.
    bits = "".join(format(ord(k), "08b") for k in key)
    out = []
    for c, bit in zip(cover, bits):
        # Clear the LSB of the cover character, then set it to the key bit.
        out.append(chr((ord(c) & ~1) | int(bit)))
    return "".join(out)


if __name__ == "__main__":
    Key = "CoDe"
    Cover = "Secret is hidden at /home/anant/"   # 32 characters = 4 key bytes
    print("Original : " + Cover)
    sys.stdout.write("Concealed : " + encode(Cover, Key) + "\n")

Decoding

#License : GPLv2
#License URL : http://www.gnu.org/licenses/gpl-2.0.html
import sys


def decode(stego):
    """Read the LSB of each character; every 8 bits form one hidden byte."""
    if len(stego) % 8 != 0:
        raise ValueError("Invalid Input")
    bits = "".join(str(ord(c) & 1) for c in stego)
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


if __name__ == "__main__":
    crypt = "Rebrdt!ir!iheeeo at .inld/an`ot/"   # output of the encoder above
    sys.stdout.write(decode(crypt) + "\n")

Hope people find some use for this somewhere.

Standalone Perl on Android

Along the same lines as standalone Python, this is the code that can be used for running standalone Perl applications.

This script again tries to address some very basic issues:

1) no direct way of calling perl while using a terminal emulator;

2) environment limitations;

3) you can't pass command-line arguments.

The script is enclosed here:

#!/system/bin/sh
#License: GPLv2 or later
#License URI: http://www.gnu.org/licenses/gpl-2.0.html
# Make the Perl for Android modules visible, then hand over to the perl binary
# with every argument passed through unchanged. exec replaces this shell, so no
# extra process lingers; the current working directory is inherited, which is
# what makes relative paths inside scripts resolve correctly.
export PERL5LIB="/sdcard/haxdroid/perllib"
exec /data/data/com.googlecode.perlforandroid/files/perl/perl "$@"

This script allows for the following:

1) it lets us call perl directly through this shell script;

2) it allows command-line arguments to be passed;

3) relative path references now work.

I have named this script pl and placed it at /system/bin/pl.

So basically copy this script into a text file, say pl.txt, then (with /system mounted read-write, e.g. via adb remount on a rooted device):

adb push pl.txt /system/bin/pl

adb shell chmod 0755 /system/bin/pl

0755 is sufficient; the setuid bit (04755) is not needed for a wrapper script and is best left off.

As always this depends on the Perl for Android project to run properly; you can download it from here:

https://android-scripting.googlecode.com/files/perl_for_android_r1.apk

DroidCAT – Android Application collection for Security professionals

After a gap of one month, I am finally releasing the DroidCAT application.

DroidCAT is developed as part of the HaXdroiD project, which is currently in closed testing.

Let's talk about DroidCAT today.

What is DroidCAT?
DroidCAT is inspired by FireCAT and aims to be a one-stop solution for finding all
ethical hacking / information security related applications published for Android.
This application is also part of the HaXdroiD suite, which aims to empower the
Android handset for penetration testing purposes.

So without further delay, head over to the Android Market and download the application.

DroidCAT

Whitepaper : Security Issues in Android Custom ROM’s

Today I am releasing the paper I presented recently at the c0c0n conference in Ernakulam. The paper outlines the security misconfigurations in custom ROMs that can lead to device compromise, data theft and so on.
Hope this helps in the secure development and deployment of custom ROMs.

http://anantshri.info/articles/android_cust_rom_security.html

The link contains downloads for both my slide pack and the complete whitepaper.

A crude application that can help in identifying the issues has also been created and uploaded to the Android Market:

https://market.android.com/details?id=anant.hax.aui