**Uploaded** files go to: _http://10.10.10.10/wp-content/uploads/2018/08/a.txt_
**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: ****Using **theme twentytwelve** you can **access** the **404.php** file in**:** [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
**Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\*\*\*\*
In **wp-config.php** you can find the root password of the database.
Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
*`license.txt` contains useful information such as the version WordPress installed.
*`wp-activate.php` is used for the email activation process when setting up a new WordPress site.
* Login folders \(may be renamed to hide it\):
*`/wp-admin/login.php`
*`/wp-admin/wp-login.php`
*`/login.php`
*`/wp-login.php`
*`xmlrpc.php` is a file that represents a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress [REST API](https://developer.wordpress.org/rest-api/reference).
* The `wp-content` folder is the main directory where plugins and themes are stored.
*`wp-content/uploads/` Is the directory where any files uploaded to the platform are stored.
*`wp-includes/` This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
#### Post exploitation
* The `wp-config.php` file contains information required by WordPress to connect to the database such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can useful in troubleshooting.
### Users Permissions
* **Administrator**
* **Editor**: Publish and manages his and others posts
* **Author**: Publish and manage his own posts
* **Contributor**: Write and manage his posts but cannot publish them
* **Subscriber**: Browser posts and edit their profile
## **Passive Enumeration**
### **Get WordPress version**
Check if you can find the files `/license.txt` or `/readme.html`
Inside the **source code** of the page \(example from [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)\):
You probably won't be able to find all the Plugins and Themes passible. In order to discover all of them, you will need to **actively Brute Force a list of Plugins and Themes** \(hopefully for us there are automated tools that contains this lists\).
_**wp.getUserBlogs**_, _**wp.getCategories**_ or _**metaWeblog.getUsersBlogs**_ are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:
```markup
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
```
The message _"Incorrect username or password"_ inside a 200 code response should appear if the credentials aren't valid.
Also there is a **faster way** to brute-force credentials using **`system.multicall`** as you can try several credentials on the same request:
If you can find the method _**pingback.ping**_ inside the list you can make the Wordpress send an arbitrary request to any host/port.
This can be used to ask **thousands** of Wordpress **sites** to **access** one **location** \(so a **DDoS** is caused in that location\) or you can use it to make **Wordpress** lo **scan** some internal **network** \(you can indicate any port\).
If you get **faultCode** with ****a value **greater** then **0** \(17\), it means the port is open.
Take a look to the use of **`system.multicall`**in the previous section to learn how to abuse this method to cause DDoS.
### wp-cron.php DoS
This file usually exists under the root of the Wordpress site: `/wp-cron.php`
When this file is **accessed** a "**heavy**" MySQL **query** is performed, so I could be used by **attackers** to **cause** a **DoS**.
Also, by default, the `wp-cron.php` is called on every page load \(anytime a client requests any Wordpress page\), which on high-traffic sites can cause problems \(DoS\).
It is recommended to disable Wp-Cron and create a real cronjob inside the host that perform the needed actions in a regular interval \(without causing issues\).
Using the correct credentials you can upload a file. In the response the path will appears \([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982)\)
Try to access _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ and the Worpress site may make a request to you.
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
wpscan --rua --enumerate --url http://www.domain.com --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up 50 searchs)
#You can try to bruteforce the admin user using wpscan with "-U admin"
#### **Modifying a php from the theme used \(admin credentials needed\)**
Appearance → Editor → 404 Template \(at the right\)
Change the content for a php shell:
Search in internet how can you access that updated page. In thi case you have to access here: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
