Today
we are demonstrating how to install and configure wordpress for penetration
testing inside the web server. To configure wordpress, you must install any web
host software such as xampp/wamp or read our previous article “Configure Web Server for Penetration Testing
(Beginner Guide)” which will
help in set up of your own localhost web server. Here we are using our own web
server which had configure in ubuntu 14.04.
WordPress is a free
and open-source content
management system (CMS)
based on PHP and MYSQL. It is installed on a web server that is either part of
an Internet hosting service or a network host in its own right. WordPress is reportedly the
most popular website management or blogging system in use on the Web, supporting more than 60
million websites.
Let’s start!!
If you have read our previous article, then you might be remembering
that we had specified blank space as
password for root user. Now start
with login into phpmyadmin as root user.
phpmyadmin is separated into two parts left and right
panels. The left panel contains name of existing databases and right panel
contains functional setting for performing maintenance operations on tables, backing up information,
editing things and creating or deleting the database.
In
order to store wordpress data we need to create a new database. Now click on databases tab given at the top of right
panel.
Now
enter the name for database system such as wordpress
and then click on create. After that
you will observe a new database
“wordpress” will get add into left panel.
Open the terminal and type following command to download
wordpress inside /var/www/html
wget https://wordpress.org/latest.zip
/
Now unzip the folder of latest.zip
unzip latest.zip
ls
From given image you can see we have folder of wordpress
inside /html directory.
Now for wordpress installations open it on browser through
URL: http:// localhost/wordpress as
shown in given image. At the end of
window click on let’s go to proceed
for installation.
At another window enter your database connection information
such as:
Database Name: wordpress
Username: root
Password: (null)
Database host: localhost
Now click on submit
tab.
In next window you will get some code of line to configure
wp-config.php file as shown in given image. Now copy the highlighted text into
a text document. After you done come back and click on run the install.
As you can see we have pasted above copy text inside a text
file and then save it as wp-config.php
on desktop.
Since we have saved wp-config.php
on desktop therefore we are going to shift it inside /var/www/html/wordpress
using following command.
mv /home/raj/Desktop/wp-config.php
.
After then go back to previous open tab and click on Run the install.
“Welcome” the new
window will come up, now fills the information below and you’ll be on the way
for wordpress installation.
Site title: Pentest
Lab
Username: admin
Password: password
Email: (your email
ID)
At last click on “install
wordpress” tab given at the end of window.
Once wordpress will successfully install, click on log in as shown in given image.
Now enter your wordpress credential for login.
Great!! Finally our web site “pentest lab” is online
on localhost server and is ready posting articles and blogs.
Now we need to add
some Plug-in wordpress so that we can make wordpress penetration testing by
exploiting these plug-in based vulnerabilities. WordPress' plug-in architecture
allows users to extend the features and functionality of a website or blog.
Now type following command to give all permission to the
file and folder own by www-data of /var/www/html.
sudo chown –R
www-data /var/www/html
For penetration testing practice we are going to download
some vulnerable plug-in so that we have our own vulnerable wordpress site.
We had downloaded a vulnerable plug-in “reflex gallery 3.1.3
arbitrary file upload” found from inside the exploit-db.com, you can download
many other vulnerable plug-in from exploit database.
Now login into wordpress as admin to access administration
control panel and then select plugins option
from dashboard and go for new plugin
so that you can add your install plug-in in your wordpress.\
Now browse you
downloaded zip file and then click on upload
plugin for installation.
It will install plug-in into wordpress, now to activate it
click on given tab Activate Plugin
as shown in given image.
Similarly you can install as much as can be possible
vulnerable plug-in into wordpress. You can see we had installed many plug-in
inside our wordpress so that we can make more practice on wordpress penetration
testing which you will learn in our next upcoming article.
Wait for our next article where you will how exploit
wordpress plug-in base vulnerability.
0 comments:
Post a Comment