WordPress
WordPress is an open-source Content Management System (CMS) written in PHP and backed by a MySQL database. It is also notorious for being a security nightmare, with several ways to exploit it.
Key WordPress files/folders
- index.php is the homepage of the WordPress instance.
- license.txt contains miscellaneous information, including but not limited to the WordPress version.
- The wp-admin folder grants access to the administrative dashboard, whose login page can usually be found at one of the following addresses: /wp-admin/login.php, /wp-admin/wp-login.php, /login.php, /wp-login.php
- wp-config.php contains the information needed to connect to the database (database name, host, username and password).
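Because wp-config.php holds the database credentials and the constants that govern what wp-admin can do, it is the first file a defender should audit. The following is an added example, not part of the original notes: a small Python parser for the define() calls in a wp-config.php, with an audit that reports an empty database password, debug output left on, and a missing DISALLOW_FILE_EDIT (the real WordPress constant that removes the Theme and Plugin Editor from the dashboard). The two config samples are constructed; the constant names are real WordPress constants.

```python
"""Audit wp-config.php for settings a defender cares about.

Added example (not the original notes' code). The two configs below are
constructed samples; DB_NAME, DB_USER, DB_PASSWORD, DB_HOST, WP_DEBUG and
DISALLOW_FILE_EDIT are real WordPress constants.
"""
import re

# Constructed sample: a typical unhardened wp-config.php.
SAMPLE_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', '' );
define( 'DB_HOST', 'localhost' );
define("WP_DEBUG", true);
$table_prefix = 'wp_';
"""

# Constructed sample: the same file after hardening. The password is a
# placeholder, not a real credential.
HARDENED_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'PLACEHOLDER-strong-password' );
define( 'DB_HOST', 'localhost' );
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );   # removes Theme/Plugin Editor from wp-admin
$table_prefix = 'wp_';
"""

# Matches define( 'NAME', value ); with single or double quotes around the name.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z0-9_]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)


def parse_defines(source: str) -> dict:
    """Return {CONSTANT: value} for every define() call in the file.

    Quoted strings are unquoted, true/false become bools, anything else is
    kept as the raw PHP expression text.
    """
    constants = {}
    for match in DEFINE_RE.finditer(source):
        raw = match.group("value").strip()
        if raw.lower() == "true":
            value = True
        elif raw.lower() == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            value = raw[1:-1]
        else:
            value = raw
        constants[match.group("name")] = value
    return constants


def audit(source: str) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    c = parse_defines(source)
    findings = []
    if not c.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD is empty")
    if c.get("WP_DEBUG") is True:
        findings.append("WP_DEBUG is enabled (error output leaks paths and queries)")
    if c.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT not set: Theme/Plugin Editor is available in wp-admin")
    return findings


if __name__ == "__main__":
    for label, cfg in (("unhardened", SAMPLE_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

The parser deliberately ignores anything that is not a define() call (such as $table_prefix), so it is safe to run over a full production wp-config.php; extend audit() with further constants (for example DISALLOW_FILE_MODS, which additionally blocks plugin and theme installation) as your baseline requires.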
Enumeration with wpscan
wpscan is a tool used to enumerate WordPress instances. Its baseline syntax looks like this:
wpscan --url http://[target]:[target port] --enumerate [options]
The available enumeration options are:
- vp: Vulnerable plugins
- ap: All plugins
- p: Popular plugins
- vt: Vulnerable themes
- at: All themes
- t: Popular themes
- tt: Timthumbs
- cb: Config backups
- dbe: Db exports
- u: User IDs range, e.g. u1-5
- m: Media IDs range, e.g. m1-15
Please note that within each of the vp/ap/p and vt/at/t groups, only one option can be used at a time; the options in a group are mutually exclusive.
RCE via Theme Editor
It is possible to obtain remote code execution by embedding a PHP reverse shell in the theme's PHP code via the Theme Editor.

The 404.php template we just edited can now be requested at [wordpress_root]/wp-content/themes/twentyseventeen/404.php and will give us a reverse shell, provided we are listening on the specified port on our machine, of course.
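From the defender's side, the technique above leaves a recognisable trace in the web server access log: a POST to /wp-admin/theme-editor.php (the save from the Theme Editor) followed by a direct request to a theme template such as /wp-content/themes/<theme>/404.php, which WordPress normally includes internally rather than serving on a direct hit. The following is an added example, not part of the original notes, that parses combined-format log lines and raises an alert for that sequence. The log lines are constructed; the two WordPress paths are real.

```python
"""Detect Theme Editor abuse in a combined-format access log.

Added example (not the original notes' code). SAMPLE_LOG is constructed;
/wp-admin/theme-editor.php and /wp-content/themes/<theme>/<file>.php are
real WordPress locations.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A direct hit on a theme's PHP file (query string allowed, ignored).
THEME_PHP_RE = re.compile(
    r"^/wp-content/themes/(?P<theme>[^/]+)/(?P<file>[^/?]+\.php)(?:\?.*)?$"
)
EDITOR_PATH = "/wp-admin/theme-editor.php"

# Constructed sample: one client edits 404.php and then requests it directly;
# a second client only fetches normal pages and a stylesheet.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen HTTP/1.1" 200 9812
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 9900
203.0.113.7 - - [10/Oct/2023:13:56:45 +0000] "GET /wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 0
198.51.100.2 - - [10/Oct/2023:14:01:10 +0000] "GET /about/ HTTP/1.1" 200 5120
198.51.100.2 - - [10/Oct/2023:14:01:11 +0000] "GET /wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 3200
"""


def parse_log(text: str) -> list:
    """Parse every well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def find_theme_editor_abuse(text: str) -> list:
    """Return one alert per direct request to a theme .php file.

    Severity is "high" when the same client previously saved a file through
    the Theme Editor (POST to theme-editor.php), "medium" otherwise.
    """
    alerts = []
    editor_saves = defaultdict(list)  # client ip -> timestamps of editor POSTs
    for ev in parse_log(text):
        bare_path = ev["path"].split("?", 1)[0]
        if ev["method"] == "POST" and bare_path == EDITOR_PATH:
            editor_saves[ev["ip"]].append(ev["ts"])
            continue
        hit = THEME_PHP_RE.match(ev["path"])
        if hit:
            prior = editor_saves.get(ev["ip"], [])
            alerts.append({
                "ip": ev["ip"],
                "ts": ev["ts"],
                "theme": hit.group("theme"),
                "file": hit.group("file"),
                "status": ev["status"],
                "severity": "high" if prior else "medium",
                "editor_saves_before": list(prior),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_theme_editor_abuse(SAMPLE_LOG):
        print(alert)
```

Direct requests to theme PHP files are rare on a healthy site, so even the "medium" alerts are worth a look; the "high" tier is the sequence the notes above describe, and the editor_saves_before timestamps give the responder the window in which the template was changed. Blocking direct access to /wp-content/themes/*/*.php at the web server, and setting DISALLOW_FILE_EDIT in wp-config.php, removes both halves of the technique.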
RCE via Plugin Editor