Automate WordPress recon for Bug Bounty | WordPress:Cheat sheet

Shaurya Sharma
2 min read · Mar 23, 2021

WordPress is a fairly large and complex product, with its own pros and cons, and there is a good number of tools that automate the routine parts of reconnaissance against it.

Nmap:

* Version and theme detection using http-wordpress-info script

nmap -sV --script http-wordpress-info example.com

* Dictionary attack against the login form

nmap -p80 --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwords.txt' example.com

Metasploit:

* Module for determining the version

auxiliary/scanner/http/wordpress_scanner

* Module for enumerating usernames

auxiliary/scanner/http/wordpress_login_enum

WPScan:

* Enumerate the installed plugins:

wpscan --url www.example.com --enumerate p

* Enumerate the installed themes:

wpscan --url www.example.com --enumerate t

* Enumerate TimThumb files:

wpscan --url www.example.com --enumerate tt

* Enumerate usernames:

wpscan --url www.example.com --enumerate u

* Dictionary password attack against the admin user:

wpscan --url www.example.com --wordlist wordlist.txt --username admin

* Brute-force username/password pairs with 50 threads:

wpscan --url www.example.com --wordlist wordlist.txt --threads 50

Note: --wordlist and --username are WPScan 2.x options; WPScan 3.x renamed them to --passwords and --usernames.

Identifying installed components

Now let’s collect information about the installed plugins and themes, whether they are activated or not. First of all, such information can be extracted from the HTML source of a page: from the URLs of JavaScript files, from HTML comments, and from resources such as CSS stylesheets that are loaded by the page.

<script src="http://example.com/wp-content/themes/twentyeleven/js/html5.js" type="text/javascript"></script>

In addition, HTTP headers such as X-Powered-By can indicate the presence of a plugin (for example, the W3 Total Cache plugin).
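The following is an added example (not from the original post) of the passive fingerprinting described above, written so a site owner can check what their own pages give away: it pulls theme and plugin slugs out of wp-content asset URLs, reads the ?ver= hint WordPress appends to enqueued assets, picks up the W3 Total Cache banner in X-Powered-By and the core version from the generator meta tag. The HTML and headers are constructed samples, and the slugs and version numbers in them are made up.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample: the kind of front-page HTML a WordPress site serves.
# Theme and plugin slugs leak through wp-content asset URLs, and the ?ver=
# query WordPress appends to enqueued assets often carries the component version.
SAMPLE_HTML = """
<meta name="generator" content="WordPress 5.7" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentyeleven/style.css?ver=1.9" />
<script src="http://example.com/wp-content/themes/twentyeleven/js/html5.js" type="text/javascript"></script>
<script src="/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4"></script>
<link rel="stylesheet" href="/wp-content/plugins/wordpress-seo/css/dist/adminbar.css?ver=16.1" />
"""

# Constructed response headers; W3 Total Cache appends itself to X-Powered-By.
SAMPLE_HEADERS = {"Server": "nginx", "X-Powered-By": "PHP/7.4, W3 Total Cache/2.1.0"}

_ASSET_RE = re.compile(r"/wp-content/(themes|plugins)/([A-Za-z0-9_.-]+)/([^\s\"'<>]*)")
_VER_RE = re.compile(r"[?&]ver=([0-9][0-9.]*)")
_GENERATOR_RE = re.compile(r'<meta[^>]+name="generator"[^>]+content="WordPress ([0-9.]+)"', re.I)


def fingerprint(html: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Return the components a page reveals: core version, themes and plugins
    (slug -> set of versions seen in ?ver= hints or header values)."""
    found: Dict[str, Dict[str, Set[str]]] = {"themes": {}, "plugins": {}}
    for kind, slug, rest in _ASSET_RE.findall(html):
        versions = found[kind].setdefault(slug, set())
        ver = _VER_RE.search(rest)
        if ver:
            versions.add(ver.group(1))

    # HTTP header hints: header names are case-insensitive, so normalise first.
    lowered = {k.lower(): v for k, v in headers.items()}
    cache = re.search(r"W3 Total Cache(?:/([0-9.]+))?", lowered.get("x-powered-by", ""))
    if cache:
        versions = found["plugins"].setdefault("w3-total-cache", set())
        if cache.group(1):
            versions.add(cache.group(1))

    gen = _GENERATOR_RE.search(html)
    core: Optional[str] = gen.group(1) if gen else None
    return {"core": core, **found}


if __name__ == "__main__":
    report = fingerprint(SAMPLE_HTML, SAMPLE_HEADERS)
    print("WordPress core:", report["core"])
    for kind in ("themes", "plugins"):
        for slug, versions in sorted(report[kind].items()):
            print(f"{kind[:-1]}: {slug} {sorted(versions) or '(version not exposed)'}")
```

Anything this reports for your own site is exactly what the tools in the cheat sheet will report too; hiding the ?ver= query and the generator tag removes the cheapest version leaks.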

#HappyHacking #StaySafe
