WordPress
Launched in 2003, WordPress is an open-source CMS that can be used for multiple purposes.
It is written in PHP and usually runs on Apache with MySQL.
WordPress offers over 50,000 plugins and over 4,100 GPL-licensed themes
317 separate versions of WordPress have been released since its initial launch
Roughly 661 new WordPress websites are built every day
WordPress blogs are written in over 120 languages
A study showed that roughly 8% of WordPress hacks happen due to weak passwords, while 60% were due to an outdated WordPress version
According to WPScan, out of nearly 4,000 known vulnerabilities, 54% are from plugins, 31.5% are from WordPress core, and 14.5% are from WordPress themes.
Some major brands that use WordPress include The New York Times, eBay, Sony, Forbes, Disney, Facebook, Mercedes-Benz, and many more
Footprinting
A quick way to identify a WordPress site is by browsing to the /robots.txt file. A typical robots.txt on a WordPress installation may look like:
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/
Sitemap: https://inlanefreight.local/wp-sitemap.xml
The /wp-admin directory will redirect us to the wp-login.php page. This is the login portal to the WordPress instance's back-end.
WordPress stores its plugins in the wp-content/plugins directory. This folder is helpful to enumerate vulnerable plugins. Themes are stored in the wp-content/themes directory. These files should be carefully enumerated as they may lead to RCE.
Another way is to cURL the site and grep the response for "wordpress"; this also reveals the version number, which we should note:
Users
There are five types of users on a standard WordPress installation.
Administrator: This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.
Editor: An editor can publish and manage posts, including the posts of other users.
Author: They can publish and manage their own posts.
Contributor: These users can write and manage their own posts but cannot publish them.
Subscriber: These are standard users who can browse posts and edit their profiles.
Getting access to an administrator is usually sufficient to obtain code execution on the server. Editors and authors might have access to certain vulnerable plugins, which normal users don’t.
Enumeration
Software and Versions
Browsing the site and perusing the page source will give us hints to the theme in use, plugins installed, and even usernames if author names are published with posts.
Looking at the page source, we can see that the Business Gravity theme is in use. We can go further and attempt to fingerprint the theme version number and look for any known vulnerabilities that affect it.
Next, let's take a look at which plugins we can uncover.
From the output above, we know that the Contact Form 7 and mail-masta plugins are installed. The next step would be enumerating the versions.
Browsing to http://blog.inlanefreight.local/wp-content/plugins/mail-masta/ shows us that directory listing is enabled and that a readme.txt file is present. These files are very often helpful in fingerprinting version numbers. From the readme, it appears that version 1.0.0 of the plugin is installed, which suffers from a Local File Inclusion vulnerability that was published in August of 2021.
Let's dig around a bit more. Checking the page source of another page, we can see that the wpDiscuz plugin is installed, and it appears to be version 7.0.4.
A quick search for this plugin version shows this unauthenticated remote code execution vulnerability from June of 2021. We'll note this down and move on. It is important at this stage to not jump ahead of ourselves and start exploiting the first possible flaw we see, as there are many other potential vulnerabilities and misconfigurations possible in WordPress that we don't want to miss.
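The manual theme, plugin and version hunting above can be scripted against a saved page source. The Python below is an added example written for these notes (it is not course material and not WPScan code); the HTML it parses is constructed, and blog.inlanefreight.local is the only value taken from the notes. It pulls the generator meta tag, the wp-content/themes and wp-content/plugins paths, the ?ver= hints and any author slugs, and treats a plugin ?ver= equal to the core version as no version hint at all, because WordPress substitutes its own version when a plugin does not set one.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed page source standing in for a WordPress front page. The host name
# comes from the notes; every version string here is a sample value.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 5.8" />
<link rel="stylesheet" href="http://blog.inlanefreight.local/wp-content/themes/business-gravity/style.css?ver=5.8" />
<link rel="stylesheet" href="http://blog.inlanefreight.local/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4.2" />
<script src="http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/js/jquery.validationEngine.js?ver=5.8"></script>
<script src="http://blog.inlanefreight.local/wp-content/plugins/wpdiscuz/assets/js/wpdiscuz-combo.min.js?ver=7.0.4"></script>
<link rel="https://api.w.org/" href="http://blog.inlanefreight.local/wp-json/" />
</head><body>
<a class="url fn n" href="http://blog.inlanefreight.local/author/admin/">admin</a>
</body></html>
"""


class _AssetCollector(HTMLParser):
    """Collect the generator meta content, every href/src URL and author slugs."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []
        self.authors = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "generator":
            self.generator = a.get("content", "")
        for key in ("href", "src"):
            if a.get(key):
                self.urls.append(a[key])
        if tag == "a" and a.get("href"):
            m = re.search(r"/author/([^/?#]+)/?", a["href"])
            if m:
                self.authors.append(m.group(1))


def fingerprint_wordpress(html):
    """Return core version, theme slug, plugin slugs with ?ver= hints, and author slugs."""
    c = _AssetCollector()
    c.feed(html)
    result = {"core_version": None, "theme": None, "plugins": {}, "authors": sorted(set(c.authors))}
    if c.generator:
        m = re.match(r"WordPress\s+([\d.]+)", c.generator)
        if m:
            result["core_version"] = m.group(1)
    for url in c.urls:
        parsed = urlparse(url)
        ver = parse_qs(parsed.query).get("ver", [None])[0]
        m = re.search(r"/wp-content/(plugins|themes)/([^/]+)/", parsed.path)
        if not m:
            continue
        kind, slug = m.groups()
        if kind == "themes":
            result["theme"] = slug
        else:
            # A ?ver= equal to the core version is WordPress's default, not the plugin's own.
            if ver == result["core_version"]:
                ver = None
            if result["plugins"].get(slug) is None:
                result["plugins"][slug] = ver
    return result


if __name__ == "__main__":
    print(fingerprint_wordpress(SAMPLE_HTML))
```

Feed it a page saved with cURL. The stylesheet path can point at the parent theme while a child theme is active (exactly what the WPScan output later in the notes reveals), so treat the theme slug as a lead to confirm, not a fact.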
Users
Valid username, wrong password:

Invalid username:

Let's recap. At this stage, we have gathered the following data points:
The site appears to be running WordPress core version 5.8
The installed theme is Business Gravity
The following plugins are in use: Contact Form 7, mail-masta, wpDiscuz
The wpDiscuz version appears to be 7.0.4, which suffers from an unauthenticated remote code execution vulnerability
The mail-masta version seems to be 1.0.0, which suffers from a Local File Inclusion vulnerability
The WordPress site is vulnerable to user enumeration, and the user admin is confirmed to be a valid user
Automated
Now that we manually got some information, let's do a quick automated enumeration.
WPScan
WPScan is also able to pull in vulnerability information from external sources. We can obtain an API token from WPVulnDB, which is used by WPScan to scan for PoC and reports. The free plan allows up to 75 requests per day. To use the WPVulnDB database, just create an account and copy the API token from the users page. This token can then be supplied to wpscan using the --api-token parameter.
The --enumerate flag is used to enumerate various components of the WordPress application, such as plugins, themes, and users. By default, WPScan enumerates vulnerable plugins, themes, users, media, and backups. However, specific arguments can be supplied to restrict enumeration to specific components. For example, all plugins can be enumerated using the arguments --enumerate ap.
The default number of threads used is 5. However, this value can be changed using the -t flag.
This scan helped us confirm some of the things we uncovered from manual enumeration (WordPress core version 5.8 and directory listing enabled), showed us that the theme that we identified was not exactly correct (Transport Gravity is in use which is a child theme of Business Gravity), uncovered another username (john), and showed that automated enumeration on its own is often not enough (missed the wpDiscuz and Contact Form 7 plugins). WPScan provides information about known vulnerabilities. The report output also contains URLs to PoCs, which would allow us to exploit these vulnerabilities.
From the data we gathered manually and using WPScan, we now know the following:
The site is running WordPress core version 5.8, which does suffer from some vulnerabilities that do not seem interesting at this point
The installed theme is Transport Gravity
The following plugins are in use: Contact Form 7, mail-masta, wpDiscuz
The wpDiscuz version is 7.0.4, which suffers from an unauthenticated remote code execution vulnerability
The mail-masta version is 1.0.0, which suffers from a Local File Inclusion vulnerability as well as SQL injection
The WordPress site is vulnerable to user enumeration, and the users admin and john are confirmed to be valid users
Directory listing is enabled throughout the site, which may lead to sensitive data exposure
XML-RPC is enabled, which can be leveraged to perform a password brute-forcing attack against the login page using WPScan, Metasploit, etc.
Attacking WordPress
Login Bruteforce
WPScan can be used to brute force usernames and passwords. The scan report in the previous section returned two users registered on the website (admin and john). The tool uses two kinds of login brute force attacks, xmlrpc and wp-login. The wp-login method will attempt to brute force the standard WordPress login page, while the xmlrpc method uses WordPress API to make login attempts through /xmlrpc.php. The xmlrpc method is preferred as it’s faster.
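From the defender's side, both brute-force methods leave the same footprint in the web server access log: one source POSTing to /xmlrpc.php or /wp-login.php far more often than a person would. The Python below is an added example for these notes (not WPScan or course code); its log lines are constructed, the IP addresses and timestamps are invented, and the threshold and window are assumptions to tune per site. It also flags the ?author=N probing that the user enumeration earlier in the notes relies on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOGIN_ENDPOINTS = {"/xmlrpc.php", "/wp-login.php"}


def _line(ip, ts, method, target, status, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S +0000}] "{method} {target} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample: one source walks ?author=1..3, then hammers xmlrpc.php;
# a second source logs in once like a normal editor would.
_T0 = datetime(2021, 8, 27, 10, 0, 0)
SAMPLE_LOG = (
    [_line("10.10.14.5", _T0 + timedelta(seconds=i), "GET", f"/?author={i + 1}", 301, "curl/7.74.0")
     for i in range(3)]
    + [_line("10.10.14.5", _T0 + timedelta(minutes=1, seconds=i), "POST", "/xmlrpc.php", 200, "scanner")
       for i in range(25)]
    + [_line("192.168.1.20", _T0 + timedelta(minutes=2), "POST", "/wp-login.php", 302, "Mozilla/5.0"),
       _line("192.168.1.20", _T0 + timedelta(minutes=2, seconds=1), "GET", "/wp-admin/", 200, "Mozilla/5.0")]
)


def parse_line(line):
    """Parse one log line into a dict with an aware timestamp, path and query dict; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = d["target"].partition("?")
    d["path"], d["query"] = path, parse_qs(query)
    return d


def detect_login_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {(ip, endpoint): peak} for sources with more than `threshold` POSTs
    to a login endpoint inside any sliding `window`."""
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] in LOGIN_ENDPOINTS:
            events[(e["ip"], e["path"])].append(e["ts"])
    findings = {}
    for key, times in events.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            findings[key] = peak
    return findings


def detect_author_enumeration(lines, min_ids=3):
    """Return {ip: sorted author ids} for sources that probed ?author=N across several ids."""
    probes = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e and "author" in e["query"]:
            probes[e["ip"]].update(v for v in e["query"]["author"] if v.isdigit())
    return {ip: sorted(ids) for ip, ids in probes.items() if len(ids) >= min_ids}


if __name__ == "__main__":
    print(detect_login_bruteforce(SAMPLE_LOG))
    print(detect_author_enumeration(SAMPLE_LOG))
```

The request count understates xmlrpc attempts, because system.multicall packs many credential pairs into a single POST, so the xmlrpc threshold should sit lower than the wp-login one; and legitimate integrations (Jetpack, the mobile apps) also POST to xmlrpc.php, so allowlist those sources before paging anyone.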
Code Execution
With administrative access to WordPress, we can modify the PHP source code to execute system commands. Log in to WordPress with the credentials for the john user, which will redirect us to the admin panel. Click on Appearance on the side panel and select Theme Editor. This page will let us edit the PHP source code directly. An inactive theme can be selected to avoid corrupting the primary theme. We already know that the active theme is Transport Gravity. An alternate theme such as Twenty Nineteen can be chosen instead.
Click on Select after selecting the theme, and we can edit an uncommon page such as 404.php to add a web shell.
Click on Update File at the bottom to save. We know that WordPress themes are located at /wp-content/themes/<theme name>. We can interact with the web shell via the browser or using cURL. As always, we can then utilize this access to gain an interactive reverse shell and begin exploring the target.
Using Metasploit
The wp_admin_shell_upload module from Metasploit can be used to upload a shell and execute it automatically.
The module uploads a malicious plugin and then uses it to execute a PHP Meterpreter shell. We first need to set the necessary options.
In the above example, the Metasploit module uploaded the wCoUuUPfIO.php file to the /wp-content/plugins directory. Many Metasploit modules (and other tools) attempt to clean up after themselves, but some fail. During an assessment, we would want to make every attempt to clean up this artifact from the client system and, regardless of whether we were able to remove it or not, we should list this artifact in our report appendices. At the very least, our report should have an appendix section that lists the following information:
Exploited systems (hostname/IP and method of exploitation)
Compromised users (account name, method of compromise, account type (local or domain))
Artifacts created on systems
Changes (such as adding a local admin user or modifying group membership)
Using Known Vulnerabilities
Over the years, WordPress core has suffered from its fair share of vulnerabilities, but the vast majority of them can be found in plugins.
At the time of writing these notes, the WPScan Statistics page shows 57,568 vulnerabilities in the WPScan database, broken down as 1% WP Core, 95% Plugins and 4% Themes.
We can use the waybackurls tool to look for older versions of a target site using the Wayback Machine. Sometimes we may find a previous version of a WordPress site using a plugin that has a known vulnerability. If the plugin is no longer in use but the developers did not remove it properly, we may still be able to access the directory it is stored in and exploit a flaw.
Vulnerable Plugins - mail-masta
The plugin mail-masta is no longer supported but has had over 2,300 downloads over the years. It's not outside the realm of possibility that we could run into this plugin during an assessment, likely installed once upon a time and forgotten. Since 2016 it has suffered an unauthenticated SQL injection and a Local File Inclusion.
Let's take a look at the vulnerable code for the mail-masta plugin.
As we can see, the pl parameter allows us to include a file without any type of input validation or sanitization. Using this, we can include arbitrary files on the webserver. Let's exploit this to retrieve the contents of the /etc/passwd file using cURL.
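The mail-masta flaw is a textbook unvalidated include. The Python below is an added example for these notes (not the plugin's code, which is PHP) showing the two checks that close this class of bug: an allowlist of view names, and a resolution check that the final path still lives under the plugin directory. ALLOWED_VIEWS and the base directory are hypothetical, and the probe strings are constructed to mirror the traversal described above.

```python
import os

# Hypothetical allowlist of view names the plugin legitimately includes; the real
# mail-masta file names are not reproduced here.
ALLOWED_VIEWS = {"campaign", "subscribers", "settings"}


def is_within(base_dir, relative_path):
    """True only if base_dir/relative_path resolves to a location inside base_dir.
    Absolute paths, ../ sequences and NUL bytes all fail this test."""
    if "\x00" in relative_path:
        return False
    try:
        base = os.path.realpath(base_dir)
        # os.path.join discards base when relative_path is absolute, so /etc/passwd
        # resolves to itself and is caught by the common-path comparison below.
        target = os.path.realpath(os.path.join(base, relative_path))
    except ValueError:
        return False
    return os.path.commonpath([base, target]) == base


def resolve_view(base_dir, requested):
    """Safe replacement for include($_GET['pl']): accept only an allowlisted view
    name, then still confirm the resolved file sits under base_dir. Returns the
    path to include, or None when the request must be refused."""
    if not isinstance(requested, str) or requested not in ALLOWED_VIEWS:
        return None
    filename = requested + ".php"
    if not is_within(base_dir, filename):
        return None
    return os.path.realpath(os.path.join(base_dir, filename))


# Constructed inputs modelled on what reaches the `pl` parameter: two legitimate
# view names and four that try to leave the plugin directory.
PROBES = [
    "campaign",
    "settings",
    "../../../../etc/passwd",
    "/etc/passwd",
    "campaign\x00.gif",
    "campaign/../../wp-config",
]


def classify(base_dir="/var/www/html/wp-content/plugins/mail-masta/inc"):
    """Map each probe to whether the hardened resolver would include a file for it."""
    return {p: resolve_view(base_dir, p) is not None for p in PROBES}


if __name__ == "__main__":
    for probe, accepted in classify().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {probe!r}")
```

The allowlist alone would have stopped every probe here; the path check is defence in depth for the day someone widens the allowlist to a pattern. The same pair of checks applies to any include, require or file_get_contents whose argument comes from a request.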
Vulnerable Plugins - wpDiscuz
wpDiscuz is a WordPress plugin for enhanced commenting on page posts. At the time of writing, the plugin had over 3.6 million downloads and over 80,000 active installations, making it an extremely popular plugin that we have a very good chance of encountering during an assessment. Based on the version number (7.0.4), this exploit has a pretty good shot of getting us command execution.
The crux of the vulnerability is a file upload bypass. wpDiscuz is intended only to allow image attachments. The file mime type functions could be bypassed, allowing an unauthenticated attacker to upload a malicious PHP file and gain remote code execution. More on the mime type detection functions bypass can be found here.
The exploit script takes two parameters: -u the URL and -p the path to a valid post.
The exploit as written may fail, but we can use cURL to execute commands using the uploaded web shell. We just need to append ?cmd= after the .php extension to run commands which we can see in the exploit script.
In this example, we would want to make sure to clean up the uthsdkbywoxeebg-1629904090.8191.php file and once again list it as a testing artifact in the appendices of our report.
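The wpDiscuz bypass works because a content sniff that only reads the leading bytes accepts a file that starts like an image and continues as something else. The Python below is an added example for these notes (not wpDiscuz code) showing the layered check a defender wants instead: exactly one extension from an allowlist, magic bytes that agree with that extension, and a server-chosen storage name so the client never picks the file name on disk. All sample files are constructed.

```python
import os
import secrets

ALLOWED = {".png", ".jpg", ".jpeg", ".gif"}
# Leading bytes each allowed extension must carry. bytes.startswith accepts a tuple.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def validate_image_upload(filename, data):
    """Return (True, normalised_extension) or (False, reason).
    Extension allowlist and magic bytes must both agree; names with more than one
    extension, path separators, a NUL byte or a leading dot are refused outright."""
    if "\x00" in filename or os.path.basename(filename) != filename or filename.startswith("."):
        return False, "path components, NUL byte or hidden file in name"
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem or "." in stem:
        return False, "exactly one extension is required"
    ext = "." + ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext} is not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match the extension"
    return True, ext


def storage_name(filename, data):
    """Random token plus the validated extension; raises ValueError on a rejected upload."""
    ok, detail = validate_image_upload(filename, data)
    if not ok:
        raise ValueError(detail)
    return secrets.token_hex(16) + detail


# Constructed sample uploads. GIF_POLYGLOT carries a real GIF signature followed by
# non-image bytes: a signature-only sniff accepts it, which is the weakness described above.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
GIF_POLYGLOT = b"GIF89a" + b"<not an image body>"

SAMPLES = {
    "avatar.png": PNG_HEADER,
    "PHOTO.GIF": b"GIF89a" + b"\x01\x00\x01\x00",
    "shell.php": GIF_POLYGLOT,
    "shell.php.gif": GIF_POLYGLOT,
    "page.gif": b"<html>",
    "../avatar.png": PNG_HEADER,
}


def check_all():
    """Map each constructed sample to whether the layered check accepts it."""
    return {name: validate_image_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name!r:20} -> {validate_image_upload(name, data)}")
```

Even with this check in place, the directory the files land in should not execute PHP (a web-server rule for wp-content/uploads), because the check proves the file starts like an image, not that it is harmless.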