WordPress Pentest Lab Setup
in Multiple Ways
In
this post, we will demonstrate how to set-up our own Vulnerable WordPress CMS
for penetration testing on Ubuntu 20.04, Docker and Windows using XAMPP server.
Table of Content
·
For Ubuntu 20.04
·
For Docker in Ubuntu 20.04
·
For XAMP server in Windows
WordPress
Setup in Ubuntu 20.04
In order to configure
Wordpress in your Ubuntu platform, there are some prerequisites before we
install the CMS.
Prerequisites for
wordPress
Apache
Database (MySQL/Mariadb)
PHP
Install Apache
To Start HTTP service with the help of Apache thus,
using privilege account (as root) execute the following command in the
terminal.
apt install apache2
For run WordPress, you will also need a database server. The database server
is where WordPress content is saved. So, we are going choose MariaDB-server as
the required database for Wordpress and execute the following command
apt install mariadb-server mariadb-client
Next, execute the following commands to
protect remote root login for the database server.
mysql_secure_installationThen respond to questions asked after the command has been executed.
§
Enter current password for root (enter for none): press the
Enter
§
Set root password? [Y/n]: Y
§
New password: Enter password
§
Re-enter new password: Repeat password
§
Remove anonymous users? [Y/n]: Y
§
Disallow root login remotely? [Y/n]: Y
§
Remove test database and access to it? [Y/n]: Y
§
Reload privilege tables now? [Y/n]: Y
And at last install the php php-mysql and run the following command to install these application.
apt
install php php-mysql
Create Database
for WordPress
To access the
mysql, enter the following command
mysql –u root
–p
CREATE
DATABASE wordpress;
CREATE USER ‘wp_user’@’localhost’
IDENTIFIED BY ‘password’;
GRANT ALL ON
wordpress.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
FLUSH
PRIVILEGES;
exit;
WordPress Installation &
Configuration
Now, its time to download and install the
WordpPress on our localhost, with the help of wget we have fetched the
compressed file of wordpress setup and extract the folder inside /var/www/html
directory.
cd
/var/www/html
wget
http://www.wordpress.org/latest.tar.gz
tar –xvf latest.tar.gz
Then run the given command to change
ownership of ‘wordpress’ directory as well permission for upload directory.
chown -R www-data:www-data wordpress/
chmod -R 755
wordpress/
mkdir wordpress/wp-content/uploads
chmod -R
www-data:www-data wordpress/wp-content/uploads
Now, till here we are done with
installation, to configure WordPress we need to access the application over web
browser on localhost by executing following.
http://localhost/wordpress/
This will open the setup file and ask to
choose your preferred language. I select English and then press the continue
Tab.
Read the given content and press Let’s go
to continue the activity.
To continue the activity, we need to enter
the required details that will help the application to connect with database,
thus it should be the same information that we have entered above at the time
of database was created for WordPress.
And if your above given detail is correct,
you get the Installation page as we have here.
Now after that, it will ask you enter
details for your Website which you want to host using WordPress CMS as shown in
the below and then finally click on install Tab.
Note: The User and Password asked before
the installation is referred to your Database information, and the username and
password asked after installed is referred to your application (CMS).
And once it is done, you get application
login page where you have to enter credential to access the dashboard of your
CMS.
You get the dashboard where you can write
your content that to be posted on the website.
Open the
wp-config.php file in wordpress directory and paste the following lines in it
to access the website page.
define(‘ WP_SITEURL ‘, ‘http://’ .S_SERVER[‘HTTP_HOST’].’/wordpress’);
define(‘ WP_HOME ‘, ‘http://’
.S_SERVER[‘HTTP_HOST’].’/wordpress’);
And Finally, it is over here, and your
WordPress is completely ready to go😊.
Install WordPress using Docker
Install WordPress through will release your
effort of installing prerequisites for WordPress setup. I very easy and quick
technique to configured WordPress. All you need to have some basic knowledge of
Docker and its functionalities.
To
install wordpress using docker, first we will update the Ubuntu repository and
then install the latest version of docker.io. Let’s start the installation of
docker packages with the apt command as below:
apt
install docker.io
Docker Compose is used to run multiple containers as a single service.
Let’s begin the installation of docker-compose with the help of apt by entering
following command.
apt install
docker-compose
After installing the composer for the
Docker, we must create a directory by the name of wordpress.
After creating the directory, we will
create a .yml file that will contain the service definitions for your setup.
mkdir wordpress
cd wordpress/
nano docker-compose.yml
Now Paste the following text in the .yml and
the configuration.
version: '3.3'
services:
db:
image: mysql:5.7
volumes:
- db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: somewordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
wordpress:
depends_on:
- db
image: wordpress:latest
ports:
- "8000:80"
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: wordpress
WORDPRESS_DB_NAME: wordpress
volumes:
db_data: {}
Now the docker image in detach mode using
following command
docker–compose up -d
After the
doing all the configuration step-by-step, now access the localhost on port 8000
that will be hosting your WordPress Docker image and configure your WordPress
site as done in previous section.
You get the dashboard where you can write
your content that to be posted on the website. But here we
need to make some changes inside the setting so that the wordpress after
installation it will work properly. Thus, enter your localhost ip address with
port number on which your docker image is running.
And Finally, it
is over here, and your WordPress is completely ready to go but over port 8000
as shown here 😊.
Install Wordpress on Windows Platform
Installation of WordPress is also very easy
as compared to ubuntu, because to fulfil the prerequisites of LAMP Server we
can use XAMPP that will completed the all required dependency like apache and
MySQL for the WordPress.
Now download the extract the zip file of
WordPress inside the /htdocs folder in /xampp folder in C-Drive.
Now open the PHPMYADMIN in web browser by
accessing /localhost/phpMyAdmin and create the database for Wordpress to stored
its data.
Now in order to configure wordpress,
explore the /localhost/wordpress/ and then enter the detail for database.
Note: By
Default, XAMPP DB_User is root and DB_Pass is empty
So as per XMAPP database configuration we
entered following details in the given record.
Now again repeat the same step as done in
above section.
You get the dashboard where you can write
your content that to be posted on the website.
To make it vulnerable WordPress platform in
order to perform penetration testing I install some vulnerable plugin as
highlighted in the image.
To know how we can go do WordPress
Penetration testing read this
article.
