WordPress
WordPress is a content management system originally created to build and manage blogs; it is now widely used for any kind of website. There are tons of plugins that make it fast and easy to create websites.
- Learning websites: search for "LMS" plugins
- Manga websites: search for "madara" or "MangaStream"
- ...
⚠️ Note that most themes/plugins are paid.
Useful links?
- wpgiz (blog)
- themeforest (themes) or jojo-themes (themes)
WordPress Pentester Notes ⚠️
There are two paid solutions to attack WordPress: Jetpack and WPScan. WPScan also provides a CLI tool that is free for non-commercial use, available here (8.0k ★).
# before every scan, update the local metadata database
$ wpscan --update # may be automatically performed
You can enumerate themes, plugins, and usernames. By default, without `-e`, it will scan using `-e vp,vt,tt,cb,dbe,u,m`.
# Look into the HTML, /wp-content/themes/... for themes
$ wpscan --url URL -e t
$ wpscan --url URL -e vt # vulnerable themes
# Look into /wp-content/plugins/pluginname/... for plugins
# Use the README in each plugin to find the version
$ wpscan --url URL -e ap # all plugins
$ wpscan --url URL -e p # popular plugins
$ wpscan --url URL -e vp # vulnerable plugins
# Find users (look for ID in posts...)
$ wpscan --url URL -e u
$ wpscan --url URL --enumerate u # same
You may have to add `--random-user-agent` to bypass a simple WAF:
$ wpscan [...] --random-user-agent
You can use WPScan, hydra, etc. to brute-force the login form. With WPScan you may also target `xmlrpc` instead of the login page.
$ wpscan --url URL -P wordlist -U username # -U also accepts a comma-separated list: user1,user2
$ wpscan [...] --password-attack xmlrpc # use xmlrpc, faster
$ hydra -l username -P wordlist domain http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location' -V # success = redirect (Location header)
$ hydra -l username -P wordlist domain http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:F=is incorrect.' -V # failure = error text in the page
⚠️ Don't use the WordPress RPC API (xmlrpc.php) unless you have checked that it is enabled and actually works on the target.
You can select a detection mode (mixed, passive, or aggressive) when scanning. Some results are only visible in one mode, so try both if you can. `--detection-mode` applies to everything; component-specific options such as `--plugins-detection` override it for that component.
$ wpscan --url URL -e t --detection-mode aggressive
$ wpscan --url URL -e t --detection-mode passive
$ wpscan --url URL -e p --plugins-detection aggressive # aggressive for plugins only
You can increase the number of threads:
$ wpscan [...] -t 5 # default
The CLI can be combined with the WPScan API (token passed with `--api-token`) to retrieve known vulnerabilities for what it finds while scanning. The free tier is limited to 25 requests per day. See Optional: WordPress Vulnerability Database API. You can also browse vulnerabilities manually: WordPress, Plugins, and Themes.
# To list vulnerabilities, add a "v" before the enumerated type
# ex: vulnerable plugins
$ wpscan --url URL -e vp
To do it manually
- WordPress version is in the source code (`<meta name="generator" content="WordPress X.Y.Z">`)
- Plugin and theme names/versions are often loaded from the source code (link/script). The URL may include the version.
- WordPress, plugins, and themes may each have a `readme.html`
- Look for links to user accounts, iterate `/?author=<id>`, or use `/wp-json/wp/v2/users` for versions before 4.7.1
- You can try to look in `/robots.txt` for something unexpected
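The login brute-force and user-enumeration traffic described above (POSTs to `wp-login.php`/`xmlrpc.php`, `/?author=<id>` sweeps, `/wp-json/wp/v2/users` reads) is easy to spot on the server side. The following is an added defender-side example, not part of the original notes: it parses combined-format access-log lines and flags source IPs per batch. The log lines, thresholds and the "wpscan" user-agent substring are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format (constructed sample lines below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # both accept password guesses
AUTHOR_RE = re.compile(r"^/\?author=\d+$")         # /?author=N redirects to the login name
USERS_API = "/wp-json/wp/v2/users"                 # REST user listing (pre-4.7.1 behaviour)

def parse_line(line):
    """Return the parsed fields as a dict, or None for lines that don't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, login_threshold=10, author_threshold=3):
    """Return {ip: sorted finding tags} for one batch of log lines (e.g. one rotation)."""
    login_posts = Counter()           # ip -> POSTs to login endpoints
    author_ids = defaultdict(set)     # ip -> distinct author ids probed
    findings = defaultdict(set)
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue                  # unparseable line: skip, never crash the detector
        ip, path, ua = r["ip"], r["path"], r["ua"]
        base = path.split("?")[0]
        if r["method"] == "POST" and base in LOGIN_PATHS:
            login_posts[ip] += 1
        if AUTHOR_RE.match(path):
            author_ids[ip].add(path.split("=")[1])
        if base.startswith(USERS_API):
            findings[ip].add("rest-user-listing")
        if "wpscan" in ua.lower():    # assumed scanner UA marker; trivially changed by the client
            findings[ip].add("scanner-user-agent")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].add("login-bruteforce")
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].add("author-enumeration")
    return {ip: sorted(tags) for ip, tags in findings.items()}

# Constructed sample: 12 xmlrpc POSTs from one IP, an author sweep plus REST listing from another
SAMPLE = [
    f'198.51.100.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    f'203.0.113.9 - - [10/Oct/2023:14:00:0{i} +0000] "GET /?author={i} HTTP/1.1" 301 0 "-" "WPScan/3.x (constructed UA)"'
    for i in range(1, 5)
] + [
    '203.0.113.9 - - [10/Oct/2023:14:00:10 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Oct/2023:14:01:00 +0000] "GET /wp-content/themes/x/style.css?ver=1.5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    'not a log line',
]
```

Because the random user agent option defeats the UA check, the rate- and path-based tags are the ones to alert on; the UA tag is only corroboration.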
Exploit WordPress
To-do
Stuff that I found, but never read/used yet.
WordPress Hardening
- Remove unused themes and plugins
- Hide usernames
- Disable registration
- Use security plugins (change login page URL, ban IPs...)
- Admins can post raw HTML in comments and it is rendered as-is; normal users' comments are filtered
- Deactivating a plugin doesn't remove its files
- Auto-update? (themes and plugins too)
- Install only trusted themes/plugins
- sucuri-scanner, better-wp-security, wordfence
Configuration
- wp-config.php > debug output can be enabled with `WP_DEBUG`
- set the main page > settings > reading > static page
- usually Apache (`/var/www/html`) and MySQL
Plugins
- Elementor
Stuff
- CMA, CDA
- WYSIWYG
- `/wp-admin/`, `login.php`, `wp-login.php`
- `xmlrpc.php` (XML API)
- `wp-content/uploads/`, `wp-content/plugins/`, `wp-content/themes/`
- `wp-includes`
- `select user_login,user_pass from wp_users;`
- 10 levels of access, 5 (actually 6 with SA) roles