Wordpress
Uploaded files go to:
Theme files can be found in /wp-content/themes/, so if you change some PHP of the theme to get RCE you will probably use that path. For example, using the theme twentytwelve you can access the 404.php file at /wp-content/themes/twentytwelve/404.php. Another useful URL could be /wp-content/themes/default/404.php.
In wp-config.php you can find the root password of the database.
Default login paths to check: /wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/
Inside the Wordpress folder try to access:
/wp-json/wp/v2/users -- This could leak usernames
/wp-json/wp/v2/pages -- This could leak the server's IP address
If xmlrpc.php is active you can perform a credentials brute-force or use it to launch DoS attacks against other resources.
To see if it is active, try to access /xmlrpc.php and send this request:
wp.getUsersBlogs, wp.getCategories and metaWeblog.getUsersBlogs are some of the methods that can be used to brute-force credentials. If you can find any of them in the list, you can send something like:
The message "Incorrect username or password" inside a 200 code response should appear if the credentials aren't valid.
There is also a faster way to brute-force credentials using system.multicall, as you can try several credentials in the same request:
If you can find the method pingback.ping in the list, you can make the WordPress site send an arbitrary request to any host/port. This can be used to ask thousands of WordPress sites to access one location (so a DDoS is caused at that location), or you can use it to make WordPress scan an internal network (you can indicate any port).
If you get a faultCode with **a value greater than 0** (17), it means the port is open.
Take a look at the use of system.multicall in the previous section to learn how to abuse this method to cause a DDoS.
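The defensive counterpart to the two xmlrpc.php abuses above, added here as an example (not code from the original page): a small Python detector that a WAF or log pipeline could run over XML-RPC POST bodies, flagging system.multicall bundles that carry many credential-taking calls and pingback.ping requests whose sourceURI points at a non-public address or an unusual port. The method names are WordPress's own; the threshold, function names and sample body are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Methods that take a username/password pair; many of them in one request is guessing.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs"}
MULTICALL_CREDENTIAL_LIMIT = 3  # assumption: more than this per multicall is abuse


def _scalar(parent, path):
    """Text of the <value> at path, whether typed (<string>) or bare."""
    return (parent.findtext(path + "/string") or parent.findtext(path) or "").strip()


def _multicall_methods(root):
    """Inner methodName of every call bundled in a system.multicall."""
    return [_scalar(member, "value")
            for member in root.iterfind(".//struct/member")
            if (member.findtext("name") or "").strip() == "methodName"]


def _suspicious_source(uri):
    """True if a pingback sourceURI names a non-global IP literal or an odd port."""
    parts = urlsplit(uri)
    if parts.port not in (None, 80, 443):
        return True
    try:
        return not ipaddress.ip_address(parts.hostname or "").is_global
    except ValueError:
        return False  # a DNS name rather than an IP literal; undecidable offline


def analyze_xmlrpc(body):
    """Classify one XML-RPC POST body: top method, inner methods, findings."""
    root = ET.fromstring(body)
    top = (root.findtext("methodName") or "").strip()
    inner = _multicall_methods(root) if top == "system.multicall" else []
    findings = []
    if sum(name in CREDENTIAL_METHODS for name in inner) > MULTICALL_CREDENTIAL_LIMIT:
        findings.append("multicall_bruteforce")
    if top == "pingback.ping" and _suspicious_source(_scalar(root, "params/param/value")):
        findings.append("pingback_internal_source")
    return {"method": top, "inner_methods": inner, "findings": findings}


# Constructed sample: one multicall trying four passwords for "admin".
MULTICALL_SAMPLE = (
    "<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>"
    + "".join(
        "<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs"
        "</string></value></member><member><name>params</name><value><array><data>"
        f"<value><string>admin</string></value><value><string>guess{i}</string></value>"
        "</data></array></value></member></struct></value>" for i in range(4))
    + "</data></array></value></param></params></methodCall>")
```

Running analyze_xmlrpc(MULTICALL_SAMPLE) reports four inner wp.getUsersBlogs calls and the finding multicall_bruteforce; a single login call or a pingback from a public hostname yields no findings.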
This file usually exists under the root of the WordPress site: /wp-cron.php
When this file is accessed a "heavy" MySQL query is performed, so it could be used by attackers to cause a DoS.
Also, by default, wp-cron.php is called on every page load (any time a client requests any WordPress page), which on high-traffic sites can cause problems (DoS).
It is recommended to disable WP-Cron and create a real cronjob on the host that performs the needed actions at a regular interval (without causing issues).
This is the response when it doesn't work:
This tool checks for the method pingback.ping and for the path /wp-json/oembed/1.0/proxy and, if they exist, tries to exploit them.
Appearance → Editor → 404 Template (at the right)
Replace the content with a PHP shell:
You can use:
to get a session.
Extract usernames and passwords:
Change admin password:
Using the correct credentials you can upload a file. In the response the path will appear.
Try to access it and the WordPress site may make a request to you.
Search the internet for how to access that updated page. In this case you have to access it here: