Skip to content

who909/WordPress-vs.-Kali

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits

README.md

README.md

 
 

User Enumeration.gif

User Enumeration.gif

 
 

User Enumeration.jpg

User Enumeration.jpg

 
 

User Enumeration2.jpg

User Enumeration2.jpg

 
 

User Enumeration3.jpg

User Enumeration3.jpg

 
 

User Enumeration4.jpg

User Enumeration4.jpg

 
 

XSS.gif

XSS.gif

 
 

XSSmed.gif

XSSmed.gif

 
 

hack1

hack1

 
 

xss1.jpg

xss1.jpg

 
 

xss2.jpg

xss2.jpg

 
 

xss3.jpg

xss3.jpg

 
 

xsscode.jpg

xsscode.jpg

 
 

xssmed1.jpg

xssmed1.jpg

 
 

xssmed2.jpg

xssmed2.jpg

 
 

xssmed3.jpg

xssmed3.jpg

 
 

xssmed4.jpg

xssmed4.jpg

 
 

xssmed5.jpg

xssmed5.jpg

 
 

Repository files navigation

Project 7 - WordPress Pentesting

Time spent: 10 hours spent in total

Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress

Pentesting Report

1. (Required) Wordpress < 5.1.1/ CVE-2019-9787: Cross-Site Request Forgery (CSRF)

  • Summary:

    • Vulnerability types: XSS
    • Tested in version: 4.0
    • Fixed in version: 5.1.1

  • GIF Walkthrough:

  • Steps to recreate: Login and enter a page

    Enter the script in the comment section

    Post the comment and enjoy

  • Affected source code:

2. (Required) User Enumeration

  • Summary:

    • Vulnerability types:User Enumeration
    • Tested in version:4.0
    • Fixed in version:

  • GIF Walkthrough:

  • Steps to recreate: Enter the login page.

    enter admin as username and a random password.

    If the user exists, WordPress word gives an error message for an incorrect password.

    If the user does not exist, WordPress word gives an error message for an invalid username.

3. (Required) XSS media

  • Summary: XSS media
    • Vulnerability types:XSS
    • Tested in version:4.0
    • Fixed in version: 5.1.2
  • GIF Walkthrough:

  • Steps to recreate:Enter the admin console, create or edit a page.

    click add media

    Choice an image and add the XSS script to the description. Then, change the link page to attachment page.

    Post and then view the page. click the image.

    Done

  • Affected source code:

Assets

List any additional assets, such as scripts or files

XSS cheatsheet(https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html/)

Resources

GIFs created with Screentogif.

Notes

Describe any challenges encountered while doing the work

  • Bitdefender and Microsoft antivirus was blocking payloads, even after disabling them.
  • I did not have permission to view plugins or access to PHPmyadmin database.

License

Copyright [2021] [Alejandro Bravo]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published