Skip to content

Discovery & Enum

  • WordPress is written in PHP and usually runs on Apache with MySQL as the backend.
  • its customizability and extensible nature make it prone to vulnerabilities through third-party themes and plugins

Discovery

  • /robots.txt
    • if it contains wp-admin or wp-content
  • when we try to access wp-admin/, we are directed to a wp-login.php page
  • WordPress stores its plugins in the wp-content/plugins directory.
  • Themes are stored in the wp-content/themes directory.
  • There are five types of users on a standard WordPress installation.
    1. Administrator: This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.
    2. Editor: An editor can publish and manage posts, including the posts of other users.
    3. Author: They can publish and manage their own posts.
    4. Contributor: These users can write and manage their own posts but cannot publish them.
    5. Subscriber: These are standard users who can browse posts and edit their profiles.
  • Getting access to an administrator is usually sufficient to obtain code execution on the server. Editors and authors might have access to certain vulnerable plugins, which normal users don’t.

Enum

  • page source can also give away if we're dealing with wordpress 
    curl -s http://blog.inlanefreight.local | grep WordPress

<meta name="generator" content="WordPress 5.8" /

View page source, and search for:

  • wp-content
  • themes
  • plugins
  • we can see that Business-Gravity theme is used. Can try to find the version number
  • we know that mail-masta, content form 7 plugins are used. try to find versions for these.
    • clicking on these links and trying to manipulate URLs, we can see that directory listing is enabled.
    • Now we know that stable version 1.0.0 is used for mail-masta. - https://www.exploit-db.com/exploits/50226

  • Moving on to other pages and doing the same
  • we find wpDiscuz:
    • force browsing the readme.txt we get that the version is 7.0.4 - https://www.exploit-db.com/exploits/49967
  • We'll note this down and move on.
  • It is important at this stage to not jump ahead of ourselves and start exploiting the first possible flaw we see, as there are many other potential vulnerabilities and misconfigurations possible in WordPress that we don't want to miss.

Enumerating Users

  • enter valid username/invalid username and see the difference
  • This makes WordPress vulnerable to username enumeration, which can be used to obtain a list of potential usernames.
  • Let's recap. At this stage, we have gathered the following data points:
    • The site appears to be running WordPress core version 5.8
    • The installed theme is Business Gravity
    • The following plugins are in use: Contact Form 7, mail-masta, wpDiscuz
    • The wpDiscuz version appears to be 7.0.4, which suffers from an unauthenticated remote code execution vulnerability
    • The mail-masta version seems to be 1.0.0, which suffers from a Local File Inclusion vulnerability
    • The WordPress site is vulnerable to user enumeration, and the user admin is confirmed to be a valid user

WPScan

  • Automated
  • use API-token from https://wpscan.com/profile/
  • wpscan --url http://URL --enumerate --api-token <from_above>
    • runs with 5 threads by defaults
    • to change: -t 7
  • wpscan --url http://ir.inlanefreight.local --enumerate u --no-update
    • get users

More enum

  • Find other plugins
    • ffuf -w /opt/SecLists/Discovery/Web-Content/wordpress-popular-plugins.txt -u 'http://blog.inlanefreight.local/wp-content/plugins/FUZZ'
  • Find other directories
    • ffuf -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt -u 'http://blog.inlanefreight.local/wp-content/FUZZ'