Wordpress
Discovery & Enumeration
Note: We can use the waybackurls tool to look for older versions of a target site using the Wayback Machine. Sometimes we may find a previous version of a WordPress site using a plugin that has a known vulnerability. If the plugin is no longer in use but the developers did not remove it properly, we may still be able to access the directory it is stored in and exploit a flaw.
Tools
https://github.com/wpscanteam/wpscan
Signs Wordpress are installed through /robots.txt
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/
Sitemap: https://inlanefreight.local/wp-sitemap.xmlThe presence of the /wp-admin and /wp-content directories would be a dead giveaway that we are dealing with WordPress.
WordPress stores its plugins in the
wp-content/pluginsdirectory.Themes are stored in the
wp-content/themesdirectory.
There are five types of users on a standard WordPress installation.
Administrator: This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.
Editor: An editor can publish and manage posts, including the posts of other users.
Author: They can publish and manage their own posts.
Contributor: These users can write and manage their own posts but cannot publish them.
Subscriber: These are standard users who can browse posts and edit their profiles.
Getting access to an administrator is usually sufficient to obtain code execution on the server. Editors and authors might have access to certain vulnerable plugins, which normal users don’t.
Footprint enumeration
Enumeration users
Automate enumeration tools
Panel RCE
Modifying a php from the theme used (admin credentials needed)
Appearance → Theme Editor → 404 Template or footer (at the right)
Change the content for a php shell:
Last updated