How to penetration test a WordPress website

Source: Internet
Author: User
Tags: website, server, domain name registration

Preface
My English is limited and many passages of the translation are not fluent; please bear with me. I admire the author of this article, because every step is described in detail, which is especially rare for beginners. So I decided to translate the article for your reference.
Body
Original title: How Hackers Target and Hack Your Site
There is no single answer, because attackers have many ways to go after a website. This article walks through the common attack techniques and methods.
Assume that this is your website: hack-test.com
First, ping the site to obtain its IP address:
Now we have the server IP address, 173.236.138.113, which is the address of the host your website lives on.
Next we go to sameip.org to list the other hosts sharing this IP address (a reverse IP lookup):
There are 26 results; only 10 are shown here for space:
ID  Domain
1   hijackthisforum.com
2   sportforum.net
3   freeonlinesudoku.net
4   cosplayhell.com
5   videogamenews.org
6   gametour.com
7   qualitypetsitting.net
8   brendanichols.com
9   8ez.com
10  hack-test.com
This matters on shared hosting: a weakness in any neighbouring site can give an attacker a foothold on the same server, so your site is only as safe as the weakest of them.
We need more information, such as:
1. DNS records (A, NS, TXT, MX and SOA)
2. Web server type (Apache, IIS, Tomcat)
3. Registration information (the company your domain name is registered with)
4. Registrant name, address, email and phone number
5. Server-side language used by the website (PHP, ASP, ASP.NET, JSP)
6. Server operating system (Unix, Linux, Windows, Solaris, etc.)
7. Open server ports (80, 443, 21)
Let's collect it, starting with the who.is website:
After the search, we have the DNS records for hack-test.com:
Record             Type  TTL      Priority  Content
hack-test.com      A     4 hours            173.236.138.113
hack-test.com      SOA   4 hours            ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400
hack-test.com      NS    4 hours            ns1.dreamhost.com
hack-test.com      NS    4 hours            ns3.dreamhost.com
hack-test.com      NS    4 hours            ns2.dreamhost.com
www.hack-test.com  A     4 hours            173.236.138.113
The server type is shown as well; we can see that it is Apache:
HACK-TEST.COM SITE INFORMATION
IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Rank: 1 month: 3,213,968; 3 months: 2,161,753
Page Views per Visit: 1 month: 2.0; 3 months: 3.7
Next, find the domain registration information: registrant, address, email and phone number:
Now we have your registration information and related details. Next we use WhatWeb, which ships with BackTrack 5 R1, to identify the operating system and the web server version:
WhatWeb reports that the site runs WordPress, the well-known PHP application, on Fedora Linux with Apache 2.2.15 as the web server.
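WhatWeb does this kind of fingerprinting from the response headers and the page markup. The Python script below is an added example, not part of the original article and not WhatWeb's code: it applies the same idea to a constructed HTTP response whose Server line matches what the article reports (Apache/2.2.15 (Fedora)) and whose markup contains WordPress tells. The PHP version header, the WordPress version in the generator tag and the reference Apache release 2.2.17 (the figure Nikto prints later in the article) are assumptions made for the example.

```python
"""Fingerprint a web server and CMS from one raw HTTP response (added example)."""
import re

# Constructed sample response, not captured from a real host. The Server line
# matches the article; the PHP and WordPress versions are assumptions.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 29 Dec 2011 06:50:03 GMT\r\n"
    "Server: Apache/2.2.15 (Fedora)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 3.3" />\n'
    '<link rel="stylesheet" href="/wp-content/themes/default/style.css" />\n'
    "</head><body>...</body></html>\n"
)

# The same site with the generator tag removed (a common hardening step);
# the /wp-content/ path still gives WordPress away.
STRIPPED_RESPONSE = SAMPLE_RESPONSE.replace(
    '<meta name="generator" content="WordPress 3.3" />\n', "")

SERVER_RE = re.compile(
    r"^(?P<product>[A-Za-z-]+)/(?P<version>[\d.]+)(?:\s+\((?P<os>[^)]+)\))?")
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
WP_PATH_RE = re.compile(r"/wp-(?:content|includes|admin)/", re.I)

# Reference releases for the "outdated" verdict. 2.2.17 is what Nikto prints
# later in the article; it is a dated assumption, not a current figure.
REFERENCE_VERSIONS = {"Apache": "2.2.17"}


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def version_tuple(text):
    """'2.2.15' -> (2, 2, 15), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def fingerprint(raw, reference_versions=REFERENCE_VERSIONS):
    """Return product, version, OS token, PHP version, CMS and an outdated flag."""
    _, headers, body = split_response(raw)
    info = {"server": None, "version": None, "os": None,
            "php": None, "cms": None, "outdated": None}
    match = SERVER_RE.match(headers.get("server", ""))
    if match:
        info["server"] = match.group("product")
        info["version"] = match.group("version")
        info["os"] = match.group("os")
        ref = reference_versions.get(info["server"])
        if ref:
            info["outdated"] = version_tuple(info["version"]) < version_tuple(ref)
    powered = headers.get("x-powered-by", "")
    if powered.upper().startswith("PHP/"):
        info["php"] = powered[4:]
    gen = GENERATOR_RE.search(body)
    if gen:
        info["cms"] = gen.group(1)
    elif WP_PATH_RE.search(body):
        info["cms"] = "WordPress (version hidden)"
    return info


if __name__ == "__main__":
    for label, raw in (("full", SAMPLE_RESPONSE), ("generator stripped", STRIPPED_RESPONSE)):
        print(label, fingerprint(raw))
```

Run against a live host, the same function would be fed the bytes of a `curl -i` or a raw socket read; the point of the second sample is that removing the generator tag hides the WordPress version but not WordPress itself, so the server-side version banner and the wp-content paths are what a defender should be looking at.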
Next, find the ports open on the server. We use Nmap for the port scan:
1. Detect the services running on the server
root@bt:/# nmap -sV hack-test.com
Starting Nmap 5.59BETA1 (http://nmap.org) at EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
2. Detect the server operating system
root@bt:/# nmap -O hack-test.com
Starting Nmap 5.59BETA1 (http://nmap.org) at EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
Only port 80 is open on the server (port 22 answers, but is closed), and the operating system is fingerprinted as Linux 2.6.22 (Fedora Core 6). Two caveats: a default Nmap run probes only the 1,000 most common TCP ports, so "998 filtered" says nothing about the rest, and the report shows a private address (192.168.1.2) with a VMware MAC, so this scan was run against a local copy of the target, not the public IP 173.236.138.113. The -O option also needs root privileges, which is why the prompt is root@bt.
Now we have collected the server information. Next we start the vulnerability scan, looking for:
SQL injection, blind SQL injection, local/remote file inclusion, cross-site scripting (XSS), cross-site request forgery (CSRF), and so on.
We will use nikto.pl to collect vulnerability information:
root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.1.2
+ Target Hostname:    hack-test.com
+ Target Port:        80
+ Start Time:         2011-12-29 06:50:03
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time:           2011-12-29 06:50:37 (34 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Three of these findings are worth acting on: the Apache build is behind the current release, the TRACE method is enabled, and /icons/ is served with directory indexing on. The ETag inode disclosure and the default README are minor information leaks.
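What the OSVDB-877 finding means in practice: with TRACE enabled, Apache answers a TRACE request by echoing the request it received in a message/http body, Cookie header included, so any script that can issue TRACE from a victim's browser can read cookies that the HttpOnly flag was meant to hide (cross-site tracing, XST). The Python script below is an added example, not from the article and not Nikto's code. The OPTIONS reply copies the Allow header Nikto reported for hack-test.com; the TRACE exchange, the cookie names and the marker header are constructed for the example.

```python
"""Check whether TRACE is live and what it leaks (added example, constructed messages)."""

# Constructed OPTIONS response; the Allow line matches the Nikto output above.
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (Fedora)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed TRACE request, sent with the victim's cookies (as a browser would
# attach them) plus a marker header we can recognise in the echo.
TRACE_REQUEST = (
    "TRACE / HTTP/1.1\r\n"
    "Host: hack-test.com\r\n"
    "Cookie: wordpress_logged_in=abc123; PHPSESSID=deadbeef\r\n"
    "X-Probe: xst-marker-7731\r\n"
    "\r\n"
)

# Constructed reply from a server with TraceEnable on: the request comes back verbatim.
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (Fedora)\r\n"
    "Content-Type: message/http\r\n"
    "\r\n" + TRACE_REQUEST
)

# Constructed reply from a server with TraceEnable off.
TRACE_DISABLED_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split an HTTP message into (header dict, body); the first line is skipped."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def allowed_methods(options_response):
    """Methods advertised in the Allow header of an OPTIONS reply."""
    headers, _ = parse_headers(options_response)
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def trace_echoes_request(trace_response, marker):
    """TRACE is live if the body is message/http and contains our marker header."""
    headers, body = parse_headers(trace_response)
    return headers.get("content-type", "").startswith("message/http") and marker in body


def cookies_leaked_via_trace(trace_response):
    """Cookies an attacker learns from the echo, HttpOnly or not."""
    _, echoed_request = parse_headers(trace_response)
    echoed_headers, _ = parse_headers(echoed_request)
    jar = {}
    for part in echoed_headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def assess_xst(options_response, trace_response, marker):
    """Combine the advertised methods, the echo test and the leaked cookies."""
    finding = {
        "trace_advertised": "TRACE" in allowed_methods(options_response),
        "trace_reflects": trace_echoes_request(trace_response, marker),
        "leaked_cookies": {},
    }
    if finding["trace_reflects"]:
        finding["leaked_cookies"] = cookies_leaked_via_trace(trace_response)
    finding["xst_possible"] = finding["trace_reflects"] and bool(finding["leaked_cookies"])
    return finding


if __name__ == "__main__":
    print(assess_xst(OPTIONS_RESPONSE, TRACE_RESPONSE, "xst-marker-7731"))
    print(assess_xst(OPTIONS_RESPONSE, TRACE_DISABLED_RESPONSE, "xst-marker-7731"))
```

Current browsers refuse to send TRACE from XMLHttpRequest or fetch, so the browser-side leg of XST is largely historical, but the server-side fix is still one line in httpd.conf, TraceEnable off, after which Apache answers TRACE with 405 and the echo test above returns nothing.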
 
We will also use w3af:
root@bt:/pentest/web/w3af# ./w3af_gui
Starting w3af, running on:
  Python version:
  2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
  [GCC 4.4.3]
  GTK version: 2.20.1
  PyGTK version: 2.20.
w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.
Enter the target URL and select the full_audit profile:
After a while, w3af completes the scan:
The site is reported to have SQL injection, XSS and other issues.
Let's look at the SQL injection finding:
http://hack-test.com/Hackademic_RTB1?cat=d%27z%220
This is the vulnerable URL and parameter; the value of cat URL-decodes to d'z"0, the quote-injection probe that w3af sent.
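The probe value d'z"0 is a stray single quote, a double quote and a digit: w3af sends it to see whether quoting characters reach the SQL parser, and a database error or a changed page in the response says that they do. The Python script below is an added example, not part of the article and not w3af's code. The category table and the two lookup functions are a constructed stand-in for the lookup behind the vulnerable page, not WordPress code, and the boolean pair at the end goes beyond the page's single probe to show the blind-injection check the article lists among the scan targets.

```python
"""What the ?cat=d%27z%220 probe tests, on a constructed stand-in (added example)."""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The finding reported by w3af in the article.
PROBE_URL = "http://hack-test.com/Hackademic_RTB1?cat=d%27z%220"


def probe_value(url, param="cat"):
    """Extract and URL-decode the tested parameter (parse_qs does the decoding)."""
    return parse_qs(urlsplit(url).query)[param][0]


def make_db():
    """Constructed in-memory category table; not WordPress's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE categories (cat_ID INTEGER PRIMARY KEY, cat_name TEXT)")
    db.executemany("INSERT INTO categories VALUES (?, ?)",
                   [(1, "General"), (2, "News")])
    return db


def lookup_vulnerable(db, cat):
    """String-built query: the probe's single quote ends the literal early and
    the rest of the value is parsed as SQL, which is the error w3af looks for."""
    sql = "SELECT cat_name FROM categories WHERE cat_ID = '" + cat + "'"
    try:
        return {"sql": sql, "rows": db.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"sql": sql, "rows": None, "error": str(exc)}


def lookup_safe(db, cat):
    """Same lookup with a bound parameter: the value never reaches the SQL parser."""
    sql = "SELECT cat_name FROM categories WHERE cat_ID = ?"
    return {"sql": sql, "rows": db.execute(sql, (cat,)).fetchall(), "error": None}


def blind_signal(lookup, db):
    """Boolean-based blind probe: two values that differ only in a true/false
    tail give different answers only if the tail was evaluated as SQL."""
    true_rows = lookup(db, "1' AND '1'='1")["rows"]
    false_rows = lookup(db, "1' AND '1'='2")["rows"]
    return true_rows != false_rows


if __name__ == "__main__":
    db = make_db()
    value = probe_value(PROBE_URL)
    print("probe value:", repr(value))
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        result = fn(db, value)
        print(f"{name:>10}: error={result['error']!r} rows={result['rows']!r}")
        print(f"{'':>10}  blind signal: {blind_signal(fn, db)}")
```

The vulnerable lookup fails with a syntax error on the probe and answers the two boolean payloads differently; the parameterised lookup returns no rows for all three and never errors, which is exactly the absence of signal a scanner reads as "not injectable". SQLite is used here only because it ships with Python; the same behaviour holds for the MySQL queries behind WordPress.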
Due to space limitations, I provide the translated PDF file directly. Please download it [rename it to .rar and decompress it].
End
Finally, the translation is complete. It took about a week; there was too much going on and I could only use my spare time. Please forgive the many shortcomings in the translation; in some places I added my own understanding. On the whole, the document should still be understandable.
Wishing FreeBuf continued success!
By G.r0b1n, from FreeBuf.com