WordPress Attacking


WordPress is the most popular open source Content Management System (CMS), powering nearly one-third of all websites in the world. It can be used for multiple purposes, such as hosting blogs, forums, e-commerce, project management, document management, and much more. WordPress is highly customizable as well as SEO friendly, which makes it popular among companies. It has a large library of extensions called themes and plugins, both free and paid, that can be added to enhance the website. Some examples of plugins are WPForms, a robust contact form; MonsterInsights, which interfaces with Google Analytics; and Constant Contact, a popular email marketing service. However, its customizability and extensible nature make it prone to vulnerabilities through third-party themes and plugins. WordPress is written in PHP and usually runs on Apache with MySQL as the backend. Many hosting companies offer WordPress as an option when creating a new website and even assist with backend tasks such as security updates. This module will cover a WordPress website's core structure, manual and automated enumeration techniques to uncover misconfigurations and vulnerabilities, and walk through a few common attacks. You will be given the opportunity to perform your own enumeration and attacks against a WordPress instance while working through the material in each section.

What is a CMS?

A CMS is a powerful tool that helps build a website without the need to code everything from scratch (or even know how to write code at all). Most CMSs provide a rich What You See Is What You Get (WYSIWYG) editor where users can edit content as if they were working in a word processing tool such as Microsoft Word. Users can upload media directly from a media library interface instead of interacting with the webserver through a management portal or via FTP or SFTP.

A CMS is made up of two key components:

  • A Content Management Application (CMA) - the interface used to add and manage content.
  • A Content Delivery Application (CDA) - the backend that takes the input entered into the CMA and assembles the code into a working, visually appealing website.

A good CMS will provide extensibility, allowing you to add functionality and design elements to the site without needing to work with the website code; rich user management to provide fine-grained control over access permissions and roles; media management to allow the user to easily upload and embed photos and videos; and proper version control. WordPress can be installed on a Windows, Linux, or Mac OS X host. On a Linux host, WordPress requires a fully installed and configured LAMP stack (Linux operating system, Apache HTTP Server, MySQL database, and the PHP programming language) before installation. After installation, all WordPress supporting files and directories will be accessible in the webroot located at /var/www/html.

Below is the directory structure of a default WordPress install, showing the key files and subdirectories necessary for the website to function properly.

Default File Structure: /var/www/html




Key WordPress Files

The root directory of WordPress contains files that are needed to configure WordPress to function correctly.

  • index.php: the homepage of the WordPress site.

  • license.txt: contains useful information such as the installed WordPress version.

  • wp-activate.php: is used for the email activation process when setting up a new WordPress site.

  • wp-admin: this folder contains the login page for administrator access and the backend dashboard. Once a user has logged in, they can make changes to the site based on their assigned permissions. The login page can be located at one of the following paths:




  • Note: the login file can also be renamed to make the login page harder to find.

  • xmlrpc.php: this file implements a WordPress feature that enables data to be transmitted with HTTP as the transport mechanism and XML as the encoding mechanism. This type of communication has since been replaced by the WordPress REST API.

  • wp-content: the main directory where plugins and themes are stored. The subdirectory uploads/ is usually where any files uploaded to the platform are stored. These directories and files should be carefully enumerated, as they may contain sensitive data that could lead to remote code execution or to the exploitation of other vulnerabilities or misconfigurations.
  • wp-content structure: /var/www/html/wp-content


  • wp-includes: contains everything except the administrative components and the themes that belong to the website. This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
  • wp-includes structure: /var/www/html/wp-includes



  • wp-config.php: this file contains the information WordPress needs to connect to the database, such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can be useful for troubleshooting.

A wp-config.php file looks like this:


          

WordPress User Roles:

  • Administrator: has full administrative power, so this user can do anything on the website, such as adding or deleting content.
  • Editor: can publish and manage posts, including other users' posts.
  • Author: can publish and manage only their own posts.
  • Contributor: can write and manage their own posts but cannot publish them.
  • Subscriber: can browse posts and edit their own profile.

First of all, we can check which paths are allowed and which are disallowed by appending /robots.txt to the site URL. This shows which paths you may access and which you may not; then we dig deeper.


As you can see here, every path is allowed.




Core Version Enumeration of WordPress

In this step we enumerate the WordPress core version. It is always important to know which services are running and which versions they are; this is essential in the enumeration phase, because a new version is released when the previous one turns out to be vulnerable or misconfigured in some way. Knowing the core version therefore tells us which known vulnerabilities it has, which makes exploitation easier, so remember it. You can find the version by viewing the web page source or by curling the site. Here you can see that we found the version using the Wappalyzer browser extension and, second, a tool called whatweb.



Now let's try curl and the page source. To view the page source, press Ctrl+U, or right-click and choose "View Page Source" from the bottom of the menu. Then press Ctrl+F and a search box pops up; type what you are looking for. In this case I searched for "version", and it highlights every occurrence.

This is our WordPress version. It appears in the CSS entries, so check everything.

WordPress Themes & Plugins Enumeration:

There are many ways to enumerate themes and plugins.

1. Online tools: InspectWP, Scan WP, WPDetector, and What WordPress Theme Is That are popular WordPress theme detector sites. Just paste the site URL.






2. Manually: inspect the site or view the page source (Ctrl+U), then search (Ctrl+F) for wp-content/themes or wp-content/plugins, like this.


3. wpscan: this tool ships with Kali by default and is used specifically for scanning WordPress. Here p means plugins and t means themes.



4. curl: in this screenshot you can see that the custom one-liner outputs the theme.


Now let's break down the query:

1. -s: silent mode.

2. -oP: -o prints only the matching part of each line, and -P enables Perl-compatible regular expressions; together they return only the matched result.

3. (?<=/wp-content/themes/): a positive lookbehind. The match must be preceded by /wp-content/themes/, but that prefix is not included in the returned match; if the prefix is not there, nothing is returned for that position.

4. [^/]: any character except the / sign.

5. +: one or more of the preceding class, so the match continues for as long as it keeps matching (up to the next /).

Full script: curl -s <site url> | grep -oP '(?<=/wp-content/<what you want to discover>/)[^/]+'

5. Script: you can also enumerate themes and plugins through this pipeline: curl -s <site url> | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2. Let's break it down. | is the pipe, which feeds one command's output into the next. sed, short for Stream Editor, is a powerful text-processing utility on Unix-based systems like Linux; it can perform text substitution, deletion, and insertion in a stream of text. The s command stands for "substitute" and performs substitutions on text. \n represents a newline character, so every href= and src= is replaced with a line break and each URL ends up on its own line. /g is a sed flag that stands for "global": it tells sed to replace all instances of the search pattern in each line, not just the first occurrence. grep 'wp-content/plugins/*' keeps only the lines that reference the plugins directory. cut -d"'" -f2 takes the filtered lines, splits each one using the single quote character ' as the delimiter (-d"'"), and prints the second field (-f2), which is the URL. Note that this assumes the site quotes its attributes with single quotes; if it uses double quotes, change the cut delimiter accordingly.
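The core-version and theme/plugin enumeration above, combined into one offline script as an added example that is not part of the original post. It applies the same patterns (the generator meta tag, the ?ver= value on a wp-includes stylesheet, and the page's (?<=/wp-content/themes/)[^/]+ lookbehind) to a constructed HTML sample, and additionally collects the ?ver= values per extension. The sample markup, slugs and version numbers are made up.

```python
import re

# Constructed sample of a WordPress front page's HTML; not taken from any real site.
SAMPLE_HTML = """
<meta name="generator" content="WordPress 5.3.2" />
<link rel='stylesheet' href='https://blog.example/wp-content/themes/twentytwenty/style.css?ver=1.2' />
<link rel='stylesheet' href='https://blog.example/wp-includes/css/dist/block-library/style.min.css?ver=5.3.2' />
<script src='https://blog.example/wp-content/plugins/site-forms/js/forms.js?ver=2.4.1'></script>
<script src="https://blog.example/wp-content/plugins/example-gallery/gallery.js?ver=1.0"></script>
<link rel='https://api.w.org/' href='https://blog.example/wp-json/' />
"""

def core_version(html):
    """Return the WordPress core version, or None.
    First choice is the generator meta tag; the fallback is the ?ver= value on a
    wp-includes stylesheet, which is where the page spots it ('under the CSS item')."""
    m = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', html)
    if m:
        return m.group(1)
    m = re.search(r'/wp-includes/[^\s\'"]*\?ver=([\d.]+)', html)
    return m.group(1) if m else None

def wp_content_slugs(html, kind):
    """kind is 'themes' or 'plugins'. Same lookbehind as the page's
    grep -oP '(?<=/wp-content/themes/)[^/]+' one-liner, de-duplicated and sorted."""
    return sorted(set(re.findall(rf'(?<=/wp-content/{kind}/)[^/\s\'"]+', html)))

def asset_versions(html, kind):
    """Map each theme or plugin slug to the ?ver= values on its assets; these often
    (not always) equal the installed version of that extension."""
    out = {}
    pat = rf'/wp-content/{kind}/([^/\s\'"]+)/[^\s\'"]*\?ver=([\w.]+)'
    for slug, ver in re.findall(pat, html):
        out.setdefault(slug, set()).add(ver)
    return out

if __name__ == "__main__":
    print("core version:", core_version(SAMPLE_HTML))
    for kind in ("themes", "plugins"):
        print(kind, wp_content_slugs(SAMPLE_HTML, kind), asset_versions(SAMPLE_HTML, kind))
```

Feed it the output of curl -s on a real page instead of SAMPLE_HTML to get the same listing the grep one-liners produce, plus the per-extension versions to check against the vendor's changelog.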


Directory Indexing


Directory indexing is a web server function that allows visitors to view a list of files within a directory when there is no index file present. Essentially, it creates a navigational tool for users to easily access files on a website. However, this feature can also pose a security risk if not properly configured. Attackers can exploit directory indexing by requesting a directory without an index file, which makes the web server list its contents and potentially exposes sensitive files or information. So we need to check every path: not only the active plugins but also the deactivated ones, which may still be accessible. Plugins that are not needed should be deleted, and the rest kept up to date. Here you can see that the plugins path is accessible.


This plugin has six unique Cross-Site Scripting (XSS) vulnerabilities.
You can see it in a nicely readable HTML format.



User Enumeration

User enumeration is a technique used by attackers to discover valid usernames associated with a WordPress site. By exploiting certain features, malicious actors can compile a list of usernames, which can then be used to launch brute force attacks. Enumerating a list of valid users is therefore a critical phase of a WordPress security assessment. There are several ways to enumerate users.

1. Author Archives: Attackers can access author archives to collect usernames. For example, navigating to https://example.com/?author=1 will display a page of all posts published by the user with ID 1, revealing the username.

For a blog website, the first method is reviewing posts to uncover the ID assigned to the user and their corresponding username. If we mouse over the post author link titled "by admin," as shown in the image below, a link to the user's account appears in the web browser's lower-left corner. Here you can see that when I hover the mouse over the link, the author name shows in the bottom-left corner.






We can specify the admin user by typing the ID in the URL. In general, the admin user is assigned ID 1. First try 1, then try a large number and see what happens.

For a business site: try the site URL with the author parameter. Here you can see that author 1 exists, but when I try 2 it shows not found.


Now I hope you can easily identify the point: we can identify users by incrementing the author number.


2. JSON endpoint: The second method requires interaction with the JSON endpoint, which allows us to obtain a list of users. This was changed in WordPress core after version 4.7.1, and later versions only show whether a user is configured or not. Before this release, all users who had published a post were shown by default. Here you can see the JSON API output. You can open it directly in the browser, but it is not easy to read that way, so use curl and jq for well-formatted output.





You can see here that author 1 returns 200 OK, but author 10 returns 404, meaning not found.

3. Login Form: Brute forcing usernames via the login form is possible. By examining the response to login attempts, you can determine whether a username is valid. Here you can see that for the first username the user is registered but the password does not match, while for the next username the user is not registered. So it is easy to identify valid usernames during a login brute-force attack.





4. wpscan: this automates user discovery: wpscan --url <site url> --enumerate u.





Here you can see that wpscan found the users. Under the hood, wpscan also uses the JSON API.

Login: Once we are armed with a list of valid users, we can mount a password brute-forcing attack to attempt to gain access to the WordPress backend. This attack can be performed via the login page or the xmlrpc.php page. See below: here our username is correct but the password is not, so it gives us a 403 Forbidden error.



If the credentials are correct, we see something like this.
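From the defender's side, the user enumeration and login brute-force traffic described above leaves a recognisable trail in the web server's access log. The following added example (not from the original post) parses constructed Apache combined-format lines and flags an IP that sweeps ?author=N, queries /wp-json/wp/v2/users, or posts repeatedly to wp-login.php or xmlrpc.php; the log lines, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines; not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:01 +0000] "GET /?author=1 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /?author=2 HTTP/1.1" 404 312 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:01:03 +0000] "GET /?author=3 HTTP/1.1" 404 312 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:01:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 880 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4200 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4200 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 620 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:10:03:00 +0000] "GET /?author=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')  # ip, method, path, status
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def analyze(log_text, author_sweep=3, login_posts=3):
    """Return {ip: [finding, ...]} for the patterns the page walks through: ?author=N sweeps,
    hits on the REST users endpoint, and POST bursts to wp-login.php or xmlrpc.php.
    The thresholds are assumptions; tune them per site."""
    authors = defaultdict(set)    # ip -> distinct author ids requested
    users_api = defaultdict(int)  # ip -> requests to /wp-json/wp/v2/users
    logins = defaultdict(int)     # ip -> POSTs to the two login surfaces
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        ip, method, path, _status = m.groups()
        a = AUTHOR_RE.search(path)
        if a:
            authors[ip].add(int(a.group(1)))
        if path.startswith("/wp-json/wp/v2/users"):
            users_api[ip] += 1
        if method == "POST" and path.split("?")[0] in ("/wp-login.php", "/xmlrpc.php"):
            logins[ip] += 1
    findings = defaultdict(list)
    for ip, ids in authors.items():
        if len(ids) >= author_sweep:
            findings[ip].append(f"author id sweep: {sorted(ids)}")
    for ip, n in users_api.items():
        findings[ip].append(f"REST users endpoint queried {n}x")
    for ip, n in logins.items():
        if n >= login_posts:
            findings[ip].append(f"{n} POSTs to wp-login.php/xmlrpc.php")
    return dict(findings)

if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(notes))
```

The single ?author=1 visit from the second address is not reported, which is the point of the per-IP thresholds: one archive link click is normal browsing, a sweep is not.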

Exploiting a Vulnerable Plugin

Most of the plugins installed on this site are vulnerable in many ways.




Now, how do we exploit them? Let's see.