dfir / web / wordpress

• Analysing XSS injection in MYD
• Starting MySQL server
• Querying imported MYD files
• Stopping MySQL server

Analysing XSS injection in MYD

Copying the MYD files on csirt-sans-sift

• Create a new folder in /var/lib/mysql/database-name and give to database-name the name you want:

  sudo mkdir /var/lib/mysql/springfield
  

• Upload the files in the created new folder with WinSCP
• Change the linux owner permissions for those files to mysql:mysql:

  sudo chown mysql:mysql  -r /var/lib/mysql/springfield/
  

Starting MySQL server

Run the command  ``` sudo mysql start -u root -p   ```

Launch mysql client as per below :

mysql > use acme;
mysql > exit

Querying imported MYD files

Based on timestamps of the XSS attack on the ACME website via WordPress, we had to check if the MySQL backups were sain.

We parsed for the iframe injection in the table hbrhui used by the fancybox vulnerable plugin (Sucuri Article).

mysql > SELECT option_value FROM wp_hbrhui_options WHERE CHAR_LENGTH(option_value) > 50 INTO OUTFILE '/tmp/dump_20_option_name.txt';

Greping for URL of redirection, we proof the backup is compromised.

Stopping MySQL server

Run the command:

sudo mysql stop