Network Discovery


URL format:

Posts : /index.php?p=22
Login : /wp-login/
Uploaded files : /wp-content/uploads/%year%/%month%/%filename%

Config file and database credentials


Wpscan knows the structure of a WordPress site and brute-forces known paths to enumerate the pages, the posts, the users, the theme and the plugins.
WordPress flaws are mainly due to outdated plugins.

wpscan --url <url> -e
--url : WordPress URL
-e : enumerate pages, posts, users, theme, plugins, ...

Login bruteforce

wpscan --url <url> -P rockyou.txt -U admin
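The two activities above (path enumeration and wp-login brute force) leave a recognisable trace in the web server access log. The following is an added example, not part of the original notes, showing detection logic run over a handful of constructed combined-format log lines; the IPs, timestamps, thresholds and the "WPScan" user-agent string are all assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths a plugin/theme enumeration scan probes (mostly 404s) and the
# user-enumeration endpoints (author archive redirect, REST users route).
ENUM_PREFIXES = ("/wp-content/plugins/", "/wp-content/themes/")
USER_ENUM = ("/?author=", "/wp-json/wp/v2/users")

# Constructed sample log (not real traffic): one scanner, one brute-forcer, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 203 "-" "WPScan v3.8.22"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 203 "-" "WPScan v3.8.22"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 203 "-" "WPScan v3.8.22"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.22"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "WPScan v3.8.22"',
] + [
    # twelve login POSTs from one IP within twelve seconds
    f'198.51.100.7 - - [10/Oct/2023:14:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    '192.0.2.9 - - [10/Oct/2023:14:02:00 +0000] "GET /index.php?p=22 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, login_threshold=10, login_window_s=60, enum_threshold=5):
    """Return {ip: sorted tags} for source IPs showing brute force or enumeration."""
    logins = defaultdict(list)   # ip -> timestamps of POST /wp-login*
    probes = defaultdict(set)    # ip -> distinct enumeration paths requested
    scanner_ua = set()           # ips whose user agent names wpscan
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.startswith("/wp-login"):
            logins[ip].append(rec["ts"])
        if (path.startswith(ENUM_PREFIXES) and rec["status"] == 404) or path.startswith(USER_ENUM):
            probes[ip].add(path)
        if "wpscan" in rec["ua"].lower():
            scanner_ua.add(ip)

    findings = defaultdict(set)
    # Brute force: login_threshold POSTs inside any sliding window of login_window_s seconds.
    for ip, stamps in logins.items():
        stamps.sort()
        for i in range(len(stamps) - login_threshold + 1):
            if (stamps[i + login_threshold - 1] - stamps[i]).total_seconds() <= login_window_s:
                findings[ip].add("login-bruteforce")
                break
    # Enumeration: many distinct probes of plugin/theme/user paths from one IP.
    for ip, paths in probes.items():
        if len(paths) >= enum_threshold:
            findings[ip].add("enumeration")
    for ip in scanner_ua:
        findings[ip].add("wpscan-user-agent")
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

The user-agent check is the weakest signal, since the scanner's agent string can be changed; the path-based and rate-based rules are what a fail2ban jail or SIEM rule should key on, and the thresholds are starting points to tune against your own traffic.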

Privilege Elevation - Unix

The WordPress config file is wp-config.php, located in the root of the WordPress install.


Let's find it:

find /var -name wp-config.php 2>/dev/null

This config file contains the login and password used to connect to the blog database. By dumping the database, it is thus possible to get the WordPress users' logins and password hashes.
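Because wp-config.php holds the database credentials in clear text, the defensive counterpart of the find command above is an audit that locates the file and checks whether another local user could read it or whether it still carries weak defaults. The following is an added example, not part of the original notes; the sample config text and the finding names are constructed, and the "put your unique phrase here" placeholder is the value WordPress ships in wp-config-sample.php.

```python
import os
import re
import stat
import tempfile

# Regex for simple define('KEY', 'value') lines; values containing quotes are not handled.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_SALT = "put your unique phrase here"

# Constructed sample config (not from any real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'ChangeMe123' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'put your unique phrase here' );
"""


def parse_defines(text):
    """Return {KEY: value} for every define('KEY', 'value') in the file text."""
    return dict(DEFINE_RE.findall(text))


def audit_config_text(text, mode):
    """Audit a wp-config.php body plus its permission bits; return a list of finding tags."""
    findings = []
    # Any group/other read bit lets other local accounts read the DB password.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file-readable-by-others")
    defs = parse_defines(text)
    if not defs.get("DB_PASSWORD"):
        findings.append("empty-db-password")
    if defs.get("DB_USER") == "root":
        findings.append("db-user-is-root")
    if any(defs.get(k) == DEFAULT_SALT for k in SALT_KEYS):
        findings.append("default-salts")
    return findings


def audit_config(path):
    """Read a wp-config.php from disk and audit it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as f:
        return audit_config_text(f.read(), mode)


def find_configs(root):
    """Walk root (like `find root -name wp-config.php`) and return matching paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" in files:
            hits.append(os.path.join(dirpath, "wp-config.php"))
    return hits


if __name__ == "__main__":
    # Demonstrate on a throwaway directory instead of a live /var/www.
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "www", "blog")
        os.makedirs(site)
        cfg = os.path.join(site, "wp-config.php")
        with open(cfg, "w", encoding="utf-8") as f:
            f.write(SAMPLE_WP_CONFIG)
        os.chmod(cfg, 0o644)
        for path in find_configs(root):
            print(path, audit_config(path))
```

A clean result is an empty list: the file is mode 0600 (or 0640 owned by the web server group), the database user is a dedicated account with rights on one database only, and every salt has been replaced.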