WordPress penetration testing
In this article we will see how to enumerate a WordPress website and how to find login credentials for it. In this tutorial we will use the wpscan tool, which is available in Kali Linux.
Table of Contents:
Introduction to WPscan
Normal Scan
Enumerating plugins
Enumerating vulnerable plugins
Enumerating themes
Enumerating vulnerable themes
Getting a session using metasploit
Enumerating users and finding credentials
Uploading a file to get reverse shell
Uploading a payload
Introduction to WPscan
Use this link to get the latest version: git clone https://github.com/wpscanteam/wpscan.git. Then change into the wpscan directory with cd, go into the bin directory, and execute wpscan from there.

This tool performs black-box testing to find vulnerable WordPress themes, plugins and versions.
Normal Scan
In this section we will try to find the WordPress version by using a simple command.
We have detected the WordPress version successfully. Command used:
./wpscan --url http://127.0.0.1
Replace the URL with that of the website being tested. I am hosting a WordPress website on my local machine, so I have used this URL.

Enumerating plugins
Plugins are small pieces of code that can be added to a WordPress website to extend its functionality.
With the command: ./wpscan --url http://127.0.0.1 --enumerate p
we can easily find the plugins installed on the target WordPress website, as shown in the image.

Enumerating vulnerable plugins
In this case only a single plugin is present, so checking it is not a problem, but it can still be vulnerable. If we detect many plugins, then by running the command
./wpscan --url http://127.0.0.1 --enumerate vp
we can detect the vulnerable plugins installed on the WordPress website.

Enumerating themes
A theme controls the overall look of the website: the font, font color, font size and other things.
In the same fashion we can detect the WordPress themes installed. Command used:
./wpscan --url http://127.0.0.1 --enumerate t

Enumerating vulnerable themes
To scan for vulnerable installed themes on the WordPress website, type the following command: ./wpscan --url http://127.0.0.1 --enumerate vt

No vulnerable themes were found.
Getting a session using metasploit
We have detected a vulnerable plugin. After searching in metasploit we found an exploit for that plugin, and we will use it to get a session.
Exploit used: exploit/unix/webapp/wp_reflexgallery_file_upload


We can see that we have successfully opened a meterpreter session.
Enumerating users and finding credentials
WordPress has a login page for the website's admin panel, from which the complete website can be controlled: http://127.0.0.1/wp-login.php

To log in to the admin panel we need a username and password, so first we need to find a username. To find usernames we will use the command:
./wpscan --url http://127.0.0.1 --enumerate u
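As a defender-side companion to the plugin, theme and user enumeration steps above, here is an added example (not part of the original article) that scans web-server access logs for the request patterns this kind of enumeration produces: plugin readme.txt and theme style.css probes, author-ID and REST user-endpoint probes, and repeated POSTs to wp-login.php. The log lines are constructed samples and the thresholds are assumed starting values to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-content/plugins/reflex-gallery/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:02 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:03 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:04 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:04 +0000] "GET /?author=2 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:01:00 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Plugin readme.txt / theme style.css reads are how scanners fingerprint component versions.
COMPONENT_PROBE = re.compile(r"^/wp-content/(plugins|themes)/([^/]+)/(readme\.txt|style\.css)$")
# Author-ID walking and the REST users endpoint are the usual username-enumeration routes.
AUTHOR_PROBE = re.compile(r"^/\?author=\d+$|^/wp-json/wp/v2/users")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_wp_recon(log_text, component_min=3, author_min=2, login_min=2):
    """Per source IP, count enumeration signals; return {ip: {signal: count}} for IPs over a threshold (assumed values)."""
    stats = defaultdict(lambda: {"components": set(), "author_probes": 0, "login_posts": 0})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s, path = stats[rec["ip"]], rec["path"]
        if (m := COMPONENT_PROBE.match(path)):
            s["components"].add(m.group(1, 2))      # distinct (type, name) pairs probed
        elif AUTHOR_PROBE.match(path):
            s["author_probes"] += 1
        elif rec["method"] == "POST" and path.startswith("/wp-login.php"):
            s["login_posts"] += 1                   # repeated POSTs suggest password guessing
    findings = {}
    for ip, s in stats.items():
        hits = {}
        if len(s["components"]) >= component_min:
            hits["component_enumeration"] = len(s["components"])
        if s["author_probes"] >= author_min:
            hits["user_enumeration"] = s["author_probes"]
        if s["login_posts"] >= login_min:
            hits["login_attempts"] = s["login_posts"]
        if hits:
            findings[ip] = hits
    return findings
```

Run detect_wp_recon over a real combined-format log to get a per-IP summary; the benign visitor 203.0.113.5 stays below every threshold while the scanning host is flagged on all three signals.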
