Wordpress Penetration Testing Lab in Ubuntu

Today we are demonstrating how to install and configure wordpress for penetration testing inside the web server. To configure wordpress, you must install any web host software such as xampp/wamp or read our previous article “Configure Web Server for Penetration Testing (Beginner Guide)” which will help in set up of your own localhost web server. Here we are using our own web server which had configure in ubuntu 14.04.

WordPress is a free and open-source content management system (CMS) based on PHP and MYSQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.


Let’s start!!

If you have read our previous article, then you might be remembering that we had specified blank space as password for root user. Now start with login into phpmyadmin as root user.


phpmyadmin is separated into two parts left and right panels. The left panel contains name of existing databases and right panel contains functional setting for performing maintenance operations on tables, backing up information, editing things and creating or deleting the database.

In order to store wordpress data we need to create a new database. Now click on databases tab given at the top of right panel.


Now enter the name for database system such as wordpress and then click on create. After that you will observe a new database “wordpress” will get add into left panel.


Open the terminal and type following command to download wordpress inside /var/www/html
wget https://wordpress.org/latest.zip /


Now unzip the folder of latest.zip
unzip latest.zip
ls
From given image you can see we have folder of wordpress inside /html directory.


Now for wordpress installations open it on browser through URL: http:// localhost/wordpress as shown in given image.  At the end of window click on let’s go to proceed for installation.


At another window enter your database connection information such as:
Database Name: wordpress
Username: root
Password: (null)
Database host: localhost
Now click on submit tab.


In next window you will get some code of line to configure wp-config.php file as shown in given image. Now copy the highlighted text into a text document. After you done come back and click on run the install.


As you can see we have pasted above copy text inside a text file and then save it as wp-config.php on desktop.


Since we have saved wp-config.php on desktop therefore we are going to shift it inside /var/www/html/wordpress using following command.
mv /home/raj/Desktop/wp-config.php .

After then go back to previous open tab and click on Run the install.


“Welcome” the new window will come up, now fills the information below and you’ll be on the way for wordpress installation.
Site title: Pentest Lab
Username: admin
Password: password
Email: (your email ID)

At last click on “install wordpress” tab given at the end of window.


Once wordpress will successfully install, click on log in as shown in given image.


Now enter your wordpress credential for login.


Great!!  Finally our web site “pentest lab” is online on localhost server and is ready posting articles and blogs.
 Now we need to add some Plug-in wordpress so that we can make wordpress penetration testing by exploiting these plug-in based vulnerabilities. WordPress' plug-in architecture allows users to extend the features and functionality of a website or blog.


Now type following command to give all permission to the file and folder own by www-data of /var/www/html.
sudo chown –R www-data /var/www/html


For penetration testing practice we are going to download some vulnerable plug-in so that we have our own vulnerable wordpress site.
We had downloaded a vulnerable plug-in “reflex gallery 3.1.3 arbitrary file upload” found from inside the exploit-db.com, you can download many other vulnerable plug-in from exploit database.


Now login into wordpress as admin to access administration control panel and then select plugins option from dashboard and go for new plugin so that you can add your install plug-in in your wordpress.\


Now browse you downloaded zip file and then click on upload plugin for installation.


It will install plug-in into wordpress, now to activate it click on given tab Activate Plugin as shown in given image.


Similarly you can install as much as can be possible vulnerable plug-in into wordpress. You can see we had installed many plug-in inside our wordpress so that we can make more practice on wordpress penetration testing which you will learn in our next upcoming article.
Wait for our next article where you will how exploit wordpress plug-in base vulnerability.


0 comments:

Post a Comment