WordPress is an open-source Content Management System (CMS) written in PHP and coupled with a MySQL database. It is also notorious for being a security nightmare, with several ways to exploit it.
Key WordPress files/folders
The index.php file is the homepage of the WordPress instance.
The license.txt file contains miscellaneous information, including but not limited to the version information.
The wp-admin folder grants access to the administrative dashboard, which can usually be reached at the following addresses:
- /wp-admin/login.php
- /wp-admin/wp-login.php
- /login.php
- /wp-login.php
The wp-config.php file contains the information needed to connect to the database (database name, host, username and password).
Enumeration with wpscan
WPScan is a tool used to enumerate WordPress instances. Its baseline syntax looks like this:
The enumeration options are:
vp for Vulnerable plugins
ap for All plugins
p for Popular plugins
vt for Vulnerable themes
at for All themes
t for Popular themes
tt for Timthumbs
cb for Config backups
dbe for DB exports
u for User IDs range, e.g. u1-5
m for Media IDs range, e.g. m1-15
Please note that within the vp/ap/p group and within the vt/at/t group, only one option can be used at a time, as the options in each group are mutually exclusive.
RCE via Theme Editor
It is possible to obtain remote code execution by embedding a PHP reverse shell into a theme's PHP code via the Theme Editor.
Modifying the php code of the "Twenty Seventeen" theme
The 404.php template we just edited can now be requested at [wordpress_root]/wp-content/themes/twentyseventeen/404.php and will spawn the reverse shell, provided the listener on the specified port is running on our machine, of course.
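As an added example (not part of the original notes), a small Python detector that runs over constructed web-server access-log lines and flags the activity this page describes from the defender's side: the WPScan user agent, ?author=N user-ID enumeration, probing for wp-config.php backups, and a direct request to a theme PHP file following a POST to the Theme Editor. The log lines, IP addresses and threshold are constructed, and it is an assumption that the editor's save request is visible as a POST to /wp-admin/theme-editor.php in the access log.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not from the original page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/May/2024:10:01:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/May/2024:10:01:04 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 0 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
198.51.100.7 - - [10/May/2024:10:05:00 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:05:09 +0000] "GET /wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# wpscan's "u" enumeration walks /?author=N; few legitimate clients request several ids.
AUTHOR_ENUM_THRESHOLD = 3   # constructed threshold, tune to the site
# wpscan's "cb" enumeration probes for left-behind copies of wp-config.php.
CONFIG_BACKUP_RE = re.compile(r'^/wp-config\.php[.~]|^/wp-config\.(bak|old|save|txt)$')
# A theme .php file requested directly is how the edited 404.php template gets triggered.
THEME_PHP_RE = re.compile(r'^/wp-content/themes/[^/]+/.*\.php(\?|$)')

def analyze(log_text):
    """Return a sorted list of (ip, alert) pairs found in the log text."""
    alerts = set()
    author_ids = defaultdict(set)
    theme_editor_posters = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, ua = m['ip'], m['method'], m['path'], m['ua']
        if 'WPScan' in ua:
            alerts.add((ip, 'wpscan-user-agent'))
        author = re.search(r'[?&]author=(\d+)', path)
        if author:
            author_ids[ip].add(author.group(1))
        if CONFIG_BACKUP_RE.search(path):
            alerts.add((ip, 'config-backup-probe'))
        if method == 'POST' and path.startswith('/wp-admin/theme-editor.php'):
            theme_editor_posters.add(ip)   # assumption: the editor save is visible as this POST
        elif ip in theme_editor_posters and THEME_PHP_RE.match(path):
            alerts.add((ip, 'theme-php-hit-after-editor-post'))
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_ENUM_THRESHOLD:
            alerts.add((ip, 'author-id-enumeration'))
    return sorted(alerts)
```

Calling analyze(SAMPLE_LOG) flags the scanner IP three times and the editor IP once, while the ordinary index.php visitor produces nothing. Defining DISALLOW_FILE_EDIT as true in wp-config.php removes the Theme Editor entirely, which closes the RCE path described above at the source.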