Automate WordPress recon for Bug Bounty | WordPress:Cheat sheet
WordPress is a large and complex product with its own strengths and weaknesses, so there are plenty of tools that automate the routine reconnaissance tasks.
Nmap:
* Version and theme detection using http-wordpress-info script
nmap -sV --script http-wordpress-info example.com
* Password selection by dictionaries
nmap -p80 --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwords.txt' example.com
Metasploit:
* Module for determining the version
auxiliary/scanner/http/wordpress_scanner
* Module for defining username
auxiliary/scanner/http/wordpress_login_enum
WPScan:
* Enumerate the installed plugins:
wpscan --url www.example.com --enumerate p
* Enumerate the installed themes:
wpscan --url www.example.com --enumerate t
* Enumerate TimThumb files:
wpscan --url www.example.com --enumerate tt
* Enumerate usernames:
wpscan --url www.example.com --enumerate u
* Dictionary password attack against the user admin:
wpscan --url www.example.com --wordlist wordlist.txt --username admin
* Dictionary password attack using username/password pairs, with 50 threads:
wpscan --url www.example.com --wordlist wordlist.txt --threads 50
Identifying installed components
Now let’s collect information about installed plugins and themes, whether they are activated or not. First of all, such information can be extracted from the source code of an HTML page, for example, by JavaScript links, from comments and resources such as CSS that are loaded onto the page.
<script src="http://example.com/wp-content/themes/twentyeleven/js/html5.js" type="text/javascript"></script>
In addition, HTTP response headers such as X-Powered-By can indicate the presence of a plugin (for example, the W3 Total Cache plugin).
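As an added example (not part of the original post), the following Python script applies the checks described above to a page's HTML and response headers, so a site owner can see which theme, plugin and version details their own site discloses through asset URLs, HTML comments, the generator meta tag and headers. The sample HTML and headers are constructed, and the list of headers checked beyond X-Powered-By is an assumption.

```python
import re
from html.parser import HTMLParser

# Any URL or comment text that references a theme or plugin directory under wp-content.
WP_COMPONENT_RE = re.compile(r"/wp-content/(themes|plugins)/([A-Za-z0-9_.-]+)/")

# Response headers that commonly reveal platform or plugin details (assumed watchlist).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-generator", "x-pingback")


class WPDisclosureParser(HTMLParser):
    """Collects src/href attribute values, HTML comments and the generator meta tag."""

    def __init__(self):
        super().__init__()
        self.texts = []        # URLs and comment bodies to scan for wp-content paths
        self.generator = None  # value of <meta name="generator" content="...">

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("name") or "").lower() == "generator":
            self.generator = attr.get("content")
        for key in ("src", "href"):
            if attr.get(key):
                self.texts.append(attr[key])

    def handle_comment(self, data):
        self.texts.append(data)


def find_components(html):
    """Return the themes, plugins and generator string disclosed by the HTML source."""
    parser = WPDisclosureParser()
    parser.feed(html)
    result = {"themes": set(), "plugins": set(), "generator": parser.generator}
    for text in parser.texts:
        for kind, slug in WP_COMPONENT_RE.findall(text):
            result[kind].add(slug)
    return result


def disclosing_headers(headers):
    """Return the subset of response headers (matched case-insensitively) that reveal software details."""
    return {name: value for name, value in headers.items()
            if name.lower() in DISCLOSING_HEADERS}


# Constructed sample page and headers; not captured from a real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.8" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/twentyeleven/style.css" />
<script src="http://example.com/wp-content/themes/twentyeleven/js/html5.js" type="text/javascript"></script>
<script src="http://example.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.4"></script>
<!-- Page cached by /wp-content/plugins/w3-total-cache/ -->
</head><body></body></html>"""

SAMPLE_HEADERS = {
    "Server": "nginx",
    "X-Powered-By": "W3 Total Cache/2.2.1",
    "Content-Type": "text/html; charset=UTF-8",
}

if __name__ == "__main__":
    found = find_components(SAMPLE_HTML)
    print("generator:", found["generator"])
    print("themes:", sorted(found["themes"]))
    print("plugins:", sorted(found["plugins"]))
    print("disclosing headers:", disclosing_headers(SAMPLE_HEADERS))
```

Run it against a saved copy of your own front page and the headers from a single request; anything it reports is what an unauthenticated visitor can already learn, which is the point to fix (strip the generator tag, version query strings and plugin-identifying headers where possible) or to accept knowingly.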
#HappyHacking #StaySafe