WordPress
WordPress is a popular content management system.
is a WordPress security scanner which can enumerate version, themes, plugins and brute-force credentials.
There is a WordPress meta tag in the head tag of the HTML source code.
We can use the following commands to enumerate the WordPress version:
To check whether you have access to XML-RPC, send the following request. If the response lists methods, it is enabled:
wp.getUserBlogs, wp.getCategories or metaWeblog.getUsersBlogs are some of the methods that can be used to brute-force credentials. If you can find any of them, you can send something like:
If we have access to a privileged WordPress account, we can try to execute PHP code from the admin dashboard to get a reverse shell.
It may be possible to edit the PHP files of the theme in use. To do this:
Access the dashboard (/wp-admin/).
Go to "Appearance" and select a theme, e.g. "Twenty Seventeen".
Click "Theme Editor" or "Editor" in the "Appearance" section.
In the theme editor, click "404 Template (404.php)" on the right.
Access "https://vulnerable.com/wp-content/themes/twentyseventeen/404.php". We should get the target's shell in the netcat listener.
This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query.
If you have user credentials with Author permissions, you may exploit this XXE, which leads to arbitrary file disclosure.
First, create "exploit.wav" (change the IP to yours).
Next, create "exploit.dtd" (change the resource variable to the wanted file).
Then start the PHP server on the attacking machine:
Now, on the target website, log in as a normal user, go to "Media" and click "Add New". Upload "exploit.wav", then open the WAV file. You should see the base64-encoded information revealed in your console.
To decode the Base64, create "decode.php" as follows:
Execute the script to decode it:
The Crop-image Shell Upload exploit takes advantage of a path traversal and a local file inclusion vulnerability in WordPress. The crop-image function allows a user with at least author privileges to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit includes this image in the current theme by changing the _wp_page_template attribute when creating a post.
If an attacker sends a request similar to the one below to a default WordPress installation that is accessible by IP address (IP-based vhost):
WordPress will trigger the password reset function for the admin user account. Because of the modified Host header, SERVER_NAME will be set to a hostname of the attacker's choice. As a result, WordPress will send the password reset email to the attacker's domain.
Try to access the following URL and the WordPress site may make a request to you.
The wp-config.php file contains the information WordPress needs to connect to the database, such as the database name, database host, username and password, the authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can be useful in troubleshooting.
With database credentials we can dump usernames and passwords and change the admin password, e.g. with mysql:
If xmlrpc.php is active, you can perform a credentials brute-force or use it to launch DoS attacks against other resources. (You can automate this process, for example.)
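As an added defender-side example that is not part of the original page, the following Python script runs two checks over constructed Apache access-log lines: repeated POSTs to xmlrpc.php from one client, which is what the brute-force described above looks like in the logs, and writes through the theme or plugin editor followed by a direct request to a theme template such as 404.php, the sequence from the theme-editor steps earlier on this page. The log lines, client IPs and threshold are constructed assumptions, not real traffic.

```python
import re
from collections import Counter
# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:15 +0000] "GET /wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 12 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /?p=1 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from the Common Log Format prefix.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Admin endpoints through which PHP is written into the site (theme/plugin editor, plugin upload).
EDITOR_PATHS = {"/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php", "/wp-admin/plugin-install.php"}
# Theme templates such as 404.php are included by WordPress, not requested directly;
# a direct hit on one is how a planted web shell gets triggered.
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/.*\.php$")

def parse_access_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def xmlrpc_bruteforce_sources(events, threshold=3):
    """IPs that POSTed to /xmlrpc.php at least `threshold` times (credential guessing or pingback abuse)."""
    hits = Counter(e["ip"] for e in events
                   if e["method"] == "POST" and e["path"].split("?")[0] == "/xmlrpc.php")
    return {ip: n for ip, n in hits.items() if n >= threshold}

def code_edit_events(events):
    """(ip, path, reason) for editor writes and for direct requests to theme PHP files."""
    flagged = []
    for e in events:
        path = e["path"].split("?")[0]
        if e["method"] == "POST" and path in EDITOR_PATHS:
            flagged.append((e["ip"], path, "editor write"))
        elif THEME_PHP_RE.match(path):
            flagged.append((e["ip"], path, "direct theme PHP request"))
    return flagged

def analyze(text, threshold=3):
    events = list(parse_access_log(text))
    return {"xmlrpc_bruteforce": xmlrpc_bruteforce_sources(events, threshold),
            "code_edits": code_edit_events(events)}
```

Feed a real access log to analyze() and raise the threshold to suit the site's normal XML-RPC traffic (Jetpack and mobile apps use it legitimately); the editor-write finding is the one to alert on unconditionally if file editing is supposed to be disabled.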
Also, we can use to confirm the results.
Copy and paste the or the .
Insert or PHP code into the file (e.g. plugin_name.php) and update $ip and $port.
Alternatively, we can craft a malicious plugin and install it using the Python script.
We can use to perform the attack:
Or we may use
We can use . It checks whether the methodName pingback.ping and the path /wp-json/oembed/1.0/proxy exist and, if so, tries to exploit them.