Posted on

WordPress enumeration with Metasploit

Hello aspiring Ethical Hackers. In this article, readers will learn how to perform WordPress enumeration using Metasploit. WordPress is one of the most popular CMS available and as of 2021, 39.5% percent of websites are powered by WordPress. Hence gauging the security of WordPress installation is always important.

Metasploit has a few modules that can be used to perform WordPress Enumeration. Let’s see a few of them. The first module we will see is the WordPress Scanner module that scans for installed themes, installed plugins, installed WordPress version and more information about target WordPress.

Let’s see how this Module works. Start Metasploit and load the WordPress scanner module. Then, type command “show options” to see the options we require for this module. We are testing this module on WordPress installed on Ubuntu 20.

After all the options are set and the module is executed,

the module successfully detected the target WordPress version as 6.0. It also detected plugins installed on the target WordPress along with their versions. The module will also try to enumerate users although it failed to detect any users here.

This module can be useful to find if there are any vulnerabilities on the WordPress target. For example, one of the plugins installed on this target wp_pie_register has an exploit module related to it.

Some of the vulnerabilities in WordPress require credentials for successful exploitation. Metasploit also has a WordPress login enumeration module that not only helps in user enumeration but also brute forcing their password.

Load the WordPress user enumeration exploit as shown below. Type command “show options” to see the options this module requires.

Assuming we have no idea about any user credentials on the target machine, the first thing to do is enumerating and validating usernames. So set “bruteforce” option to false as shown below.

Validating usernames is a process where we check if a particular username is present on the target WordPress site. We can validate a single username or many usernames using a wordlist. For example, let’s use the wordlist “common.txt” as users file. We also want to set the STOP_ON_SUCCESS option to TRUE. This will stop the enumeration as soon as we get one valid username.

Let’s execute the module now.

The module found one valid username on the target. It’s “admin”. Since we have found one valid username on the target, lets try to find out the password for this user. For doing this, we need to set the options as shown below.

ENUMERATE_USERNAMES : FALSE

VALIDATE_USERS : FALSE

BRUTEFORCE : TRUE

We need to also set the password file for that is required for brute forcing. Since we now know the username, we set it using option “username” option.

We need to also set the password file for that is required for brute forcing. Since we now know the username, we set it using option “username” option.

wordpress enumeration

The module found one successful LOGIN using credentials “admin : admin”. See how to perform WordPress Enumeration with WPScan.

Posted on

WordPress Reverse Shell : Multiple Methods

Hello aspiring Ethical Hackers. In this article you will learn about multiple WordPress reverse shell methods. As you all might already know, WordPress is a popular open source Content Management System (CMS) based on PHP and MySQL or MariaDB as database. It was released in year 2003.

SInce then, it grew out to be one of the most popular CMS around the world. It is used as blogging software, membership site and online store etc. WordPress is used by over 60 million websites.

In this article we will show you how to gain a reverse shell on a WordPress website once we have the credentials of the website. This is a comprehensive collection methods to gain reverse shell on WordPress.

This Tutorial assumes that you have already acquired WordPress credentials and can access the WordPress dashboard.

1. Reverse Shell Through Vulnerable Plugins

One of the reasons for the popularity of the WordPress CMS is its plugins. WordPress plugins are additional extensions that are used to extend the functionality of the WordPress CMS. WordPress has over 58,559 plugins. Sometimes these vulnerable plugins are the reason attackers get a reverse shell on the WordPress target.
There are many vulnerable plugins which can be downloaded from websites like Exploit Database. We will use one such WordPress plugin Responsive Thumbnail slider version 1.0. This version of the plugin has an arbitrary file upload vulnerability which is used to upload malicious payload into the website. Since this target doesn’t have this vulnerable plugin installed, let’s upload this plugin ourselves and activate it.

Once the plugin is uploaded and activated, Metasploit can be used to exploit this vulnerable plugin. Start Metasploit and load the wp_responsive_thumbnail_slider_upload module as shown below.

Use check command to confirm if the target is indeed vulnerable.

After setting the credentials and executing the module, a meterpreter session on the target is gained.

Here’s another famous wordpress plugin that can be exploited.

2. Reverse Shell Through Editing WordPress Theme

WordPress Themes enhance the look of the WordPress websites. The content of these theme can be edited to upload a reverse shell on the target. For this tutorial, we will upload the infamous C99 webshell. Here’s more about c99 web shell.

Here’s the 404.php page of the theme has been edited to copy the code of the C99 web shell into that page. Once the edited file is saved all that is needed to be done is visiting that page.

With C99 shell on the target website, there are a host of options to lay with.

3. Reverse Shell Through Uploading A Malicious Plugin

Uploading a malicious plugin is another way of gaining a reverse shell on a WordPress website. Github has many options of these WordPress malicious plugins. Let’s use one of them named malicious wordpress plugin that can be downloaded from here.

After navigating into the “malicious-wordpress-plugin” directory, execute the wordpwn.py script. It will show the usage of the script.

wordpress reverse shell

Execute the script again by setting the LHOST, LPORT and by enabling the handler option. i.e the “Y” option. This will start a Metasploit handler.

By this time, a new file named “malicious.zip” is created in the “malicious-wordpress-plugin” directory.

Upload this plugin into WordPress and activate it just like any other plugin.

This newly uploaded web shell can be accessed from two URLs given below

http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
http://(target)/wp-content/plugins/malicious/QwertyRocks.php

In this specific instance, the web shell got executed by visiting the first URL. This will give us a meterpreter session on the already listening handler.

4. Reverse Shell Through Metasploit Framework

Here is another simple method to gain a reverse shell. Metasploit Framework has a module that uploads a reverse shell as payload once the WordPress credentials are known.

Start Metasploit and load the exploit/unix/webapp/wp_admin_shell_upload module.

Set all the required options that includes credentials and execute the module.

This will give us a meterpreter session successfully. These are the four common methods through which a reverse shell can be achieved on the WordPress. Now, you decide Which is your favorite method of gaining a reverse shell on WordPress?

Posted on

WordPress hacking guide for beginners

Hello aspiring hackers. In this howto we will learn about hacking wordpress with Revslider plugin exploit. This howto is a direct sequel to our previous howto WordPress vulnerability assessment with WPscan, so I suggest you go through that how to first and look out for the Easter eggs. This howto is based on one of the vulnerabilities we found in our previous howto.

To those newbies, who don’t know what is revolution slider, it is a popular plugin used by many wordpress websites. Well, I am sure you have heard about Panama papers leak. Yeah, I’m talking about the leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. It has been identified that Mossack Fonseca was using a vulnerable version of WordPress revslider plugin which resulted in the hack. All versions of the plugin from 2.1.7 to 3.0.95 are vulnerable to the attack.

This exploit was made public last year but still there are many wordpress websites using the vulnerable plugin( as with the case of Mossack fonseca ). Now let us see how this exploit works in Metasploit. Start Metasploit and search for our exploit as shown below.

Load the exploit as shown below.

Set the required options as shown below.

Set the required payload. Here for illustration I am setting the famous meterpreter payload.

You can also check if your target is vulnerable by using “check” command as shown below.( But we already know our target is vulnerable).

You can execute the exploit by typing “exploit”. If all went well, you will get the meterpreter shell on victim system.

That was all about hacking wordpress with Revslider plugin exploit.

Posted on 2 Comments

Beginners guide to WPScan

Hello aspiring ethical hackers. In this blogpost, you will learn about WPScan, a tool used to perform WordPress vulnerability assessment. WordPress is one of most popular Content Management system (CMS) WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues and also for enumeration. Let’s se how it works. It is installed by default in Kali Linux and we are going to use the same for this tutorial. Now open a terminal and update our tool by typing command as shown below.

wpscan

To scan a WordPress website, all you have to give is the URL as shown below. For this blogpost, I am using a local installation of WordPress as target. Assign the target as shown below. The scan will start as shown below.

Here are the screenshots of result of this scan. As you can see we have 13 vulnerabilities in the present installation and the vulnerabilities are given below.

One of the easiest ways to hack a WordPress site is to exploit the plugins installed in the target as most of the WordPress vulnerabilities nowadays exist in the plugins installed on it. So it is very important to enumerate the plugins installed on our WordPress target. We can enumerate the plugins using the “enumerate” option as shown below.

The scan result will be as shown below.( And there you have the first Easter egg). So totally we found four plugins. The first one is Ajax Load More Plugin. As the red exclamation mark shows, it is vulnerable.

wpscan

The second plugin is the vulnerable version of Akismet.

The third vulnerable plugin is the WordPress Slider revolution plugin. We will see more about this in our next blogpost.

Another important aspect to find vulnerabilities in the WordPress is its theme. Now let’s enumerate the theme as shown below. The vulnerabilities present in the theme are given below.

After that let’s enumerate the users in our remote target as shown below.

We can see that the only username in our target. That’s WPscan for you. Hope it was helpful to you and wait for the sequels.