WordPress

hackingwordpress attacking_common_applications

WordPress is a system that was created to build and manage blogs. It's now widely used for any kind of website. There are ton of plugins making it fast and easy to create websites πŸš€.

  • Learning websites πŸ§‘β€πŸŽ“: search for "LMS" plugins
  • Manga websites πŸ“š: search for "madara" or "MangaStream"
  • ...

☠️ Note that most themes/plugins are paid.

Useful links?


WordPress Overview

Common WordPress Endpoints

Files

Folders

Themes are stored in /wp-content/themes/<theme_name>/.

Plugin files are stored in /wp-content/plugins/<plugin_name>/. There is usually a readme.html explaining how it works.

Uploaded files are stored in /wp-content/uploads/.

Critical internal WordPress files are stored in /wp-includes.


WordPress Pentester Notes ☠️

hackingwordpress attacking_common_applications webenumerationv2 wordpress

WordPress Enumeration

cyberweek2021 allinonemj wordpresscve202129447 techsupp0rt1 blog blocky

You can enumerate metadata, themes, plugins, and usernames.

  • You can use WPScan to enumerate most of it
$ wpscan --url URL
$ wpscan --url URL -e u  # users
$ wpscan --url URL -e t  # themes (or 'vt')
$ wpscan --url URL -e ap # plugins (or 'p' or 'vp')
$ wpscan --url URL [...] --plugins-detection aggressive
  • Manually explore /wp-content/**/** if directory listing is enabled

  • WordPress version is in the source code or can be inferred from the default theme (<meta name="generator" content="WordPress X.Y.Z">)

  • Plugin and theme names/versions are exposed within the website source code (link/script). The URL may include the version.

  • Look for links to user accounts, iterate /?author=<id>, or use /wp-json/wp/v2/users for versions before 4.7.1. While crawling the website, you may also find URLs such as /author.

$ onectf crawl -u URL | grep author
  • You can try to look in /robots.txt for something unexpected

WordPress FootHold

cyberweek2021 colddboxeasy wordpresscve202129447 blog

  • The password may be weak and vulnerable to brute force:
$ wpscan --url URL -P wordlist -U username # ", username2, etc."
$ hydra -l username -P wordlist domain http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -V
$ hydra -l username -P wordlist domain http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:F=is incorrect.' -V

While using xmlrpc is faster, it's not always 'enabled.' Ensure it's present and enabled before using it. WPScan automatically checks if it can, but this check is bypassed using --password-attack xmlrpc.

WordPress Exploitation

Refer to:


πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

WordPress Hardening

  • Remove unused themes, and plugins
  • Hide username
  • Disable register
  • Use security plugins (change login page URL, ban IPs...)
  • Admins can write HTML in comments, it will be executed, but not normal users
  • Deactivating plugins doesn't remove its files
  • Auto-update? (themes and plugins too)
  • Install only trusted themes/plugins
  • sucuri-scanner, better-wp-security, wordfence

Configuration

  • wp-config.php > can enable debug with "WP_DEBUG"
  • set the main page > settings > reading > static page
  • usually apache (/var/www/html) and mysql

Plugins

  • Elementor
  • JetPack

Stuff

  • CMA, CDA
  • WYSIWYG
  • /wp-admin/, login.php, wp-login.php
  • xmlrpc.php (XML API)
  • select user_login,user_pass from wp_users;
  • 10 levels of access, 5 (actually 6 with SA) roles