WordPress
Brute-force
Login pages:
http://$IP/wp-admin
http://$IP/wp-login.php
Metasploit brute-force:
msf > use auxiliary/scanner/http/wordpress_login_enum
Check these directories:
http://$IP/wp-content/themes
http://$IP/wp-content/uploads
Possible attack vectors:
After login, upload a PHP reverse shell into the 404.php of a theme (wp-content/themes/twentynineteen/404.php)
msf > use exploit/unix/webapp/wp_admin_shell_upload
Upload a malicious plugin as a zip
Check interesting files:
/var/www/wp-config.php
Check installed plugins for known vulnerabilities
WordPress Plugin User Role Editor (https://www.exploit-db.com/exploits/44595): THM-Jack
Where uploads are stored
<base URL>/wp-content/uploads/<yyyy>/<mm>/<file name>
e.g.
WordPress Enumeration
wpscan --url <url> -e vt,tt,u,ap -o wpscan.log
WordPress Bruteforcing
wpscan --url <url> --wordlist <wordlist> --username <username>
(wpscan 3.x syntax: wpscan --url <url> --usernames <username> --passwords <wordlist>)
Spawn Shell From WP Admin Access
Navigate to:
Appearance (left-hand side) > Editor (left-hand side) > 404 Template (right-hand side)
Replace the PHP there with malicious shell spawning PHP (e.g. pentestmonkey php reverse shell script)
Browse to http://<site_name>/wp-content/themes/<theme_name>/404.php to trigger the payload
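A defender-side check for the two vectors in these notes (a theme 404.php edited to call shell or socket functions, and PHP dropped into wp-content/uploads, which should hold media only). This is an added Python example, not part of the original notes or of any WordPress tooling; the directory layout is the standard WordPress one, while the sample tree, theme names and file contents are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Calls a stock theme template has no reason to make; a 404.php containing one
# after an Appearance > Editor change is a strong web-shell indicator.
SUSPICIOUS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|exec|system|eval)\s*\(",
    re.IGNORECASE,
)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

def scan_wordpress(docroot):
    """Return sorted (relative_path, reason) findings for a WordPress docroot:
    PHP files under wp-content/uploads and theme files calling a shell/socket primitive."""
    root = Path(docroot)
    findings = []
    for p in (root / "wp-content" / "uploads").rglob("*"):
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
            findings.append((p.relative_to(root).as_posix(), "php-in-uploads"))
    for p in (root / "wp-content" / "themes").rglob("*.php"):
        hit = SUSPICIOUS.search(p.read_text(errors="ignore"))
        if hit:
            reason = "suspicious-call:" + hit.group(1).lower()
            findings.append((p.relative_to(root).as_posix(), reason))
    return sorted(findings)

def build_sample_tree(base):
    """Construct a tiny WordPress-like tree (sample data, not a real install)."""
    base = Path(base)
    clean = base / "wp-content/themes/twentynineteen/404.php"
    clean.parent.mkdir(parents=True, exist_ok=True)
    clean.write_text("<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n")
    tampered = base / "wp-content/themes/twentytwenty/404.php"  # stands in for an edited template
    tampered.parent.mkdir(parents=True, exist_ok=True)
    tampered.write_text("<?php $sock = fsockopen($host, $port); ?>\n")
    up = base / "wp-content/uploads/2019/10"
    up.mkdir(parents=True, exist_ok=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff")      # legitimate media file
    (up / "cmd.php").write_text("<?php echo 'x'; ?>\n")  # PHP where only media belongs
    return base

def demo():
    """Scan the constructed tree and return the findings (for stand-alone use)."""
    with tempfile.TemporaryDirectory() as d:
        return scan_wordpress(build_sample_tree(d))

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:25} {path}")
```

Run against a real install as scan_wordpress("/var/www/html"); on a production site, pair it with a file-integrity baseline so a legitimate template edit can be told apart from a tampered one.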