Hacking WordPress

The document is a write-up by Krishna Agarwal on common vulnerabilities and misconfigurations found in WordPress sites, aimed at bug bounty hunters. It covers methods for detecting WordPress installations, enumerating usernames, brute-forcing admin passwords, and identifying configuration file leaks, among other security issues. This is the first part of a series, with a promise of further insights in the upcoming second part.


7/1/23, 9:41 AM Hacking the WordPress sites for fun and profit | Part-1 [ Water ] | by Krishna Agarwal | InfoSec Write-ups


Hacking the WordPress sites for fun and profit | Part-1 [ Water ]
Krishna Agarwal
Published in InfoSec Write-ups
6 min read · Oct 5, 2022


Hello folks, I am Krishna Agarwal (Kr1shna 4garwal) from India 🇮🇳, an ordinary bug hunter and so-called security researcher :)

Today is my birthday, so I planned to celebrate it in a different way: I'm writing about some common vulnerabilities and misconfigurations that I have found in my bug bounty journey in this write-up :) I hope you'll learn something new from this series.
I have divided this write-up into two parts: the first one is Water and the second is Fire.
This is Part-1 [Water] of the "Hacking the WordPress for fun and profit" series.

I will try to mention all the common WordPress misconfigurations and vulnerabilities that I know in this series.

Hacking the WordPress sites for fun and profit

Let's hack WordPress for fun and profit :)


So, you all know about WordPress already, and if you don't know what it is, here is a short intro to WordPress.

0x01 — What is WordPress?

WordPress is a content management system (CMS) that allows you to host and build websites. WordPress has a plugin architecture and a template system, so you can customize any website to fit your business, blog, portfolio, or online store.

0x02 — Enumerate subdomains of target

In my previous write-up I mentioned some methods to enumerate subdomains. You can check it here.

0x03 — Detecting WordPress

First of all, we need to find out whether our target is using WordPress or not. There are many methods to detect WordPress; I have mentioned the two best methods for doing it.

0x03.1 — Via Wappalyzer Extension

For Chrome

For Firefox


Simple Usage Of Wappalyzer

0x03.2 — Via Nuclei

Nuclei is a free, open-source, YAML-template-based vulnerability scanner. In the default nuclei-templates there is a template named wordpress-detect.yaml under the technologies folder of nuclei-templates. You can run this template on your list of targets to detect WordPress sites.

cat alive.txt | nuclei -t ~/nuclei-templates/technologies/wordpress-detect.yaml


0x04 — Let's begin the hack

After detecting the WordPress attack surface, we will divide this into a manual and an automation approach…

This part will be completely about the manual approach, but you can also automate this.

0x05 — Bug 0x1 [Username Enumeration via REST API]

WordPress includes a REST API that can be used to list information about the registered users of a WordPress installation. The REST API exposes user data for all users who have authored a post of a public post type. This can be considered a P4 as per Bugcrowd's VRT [Enumeration -> Usernames -> Non-Bruteforce], but we can raise it to P1 or P2 by chaining Bug 0x2 with it.

We can enumerate the usernames from the following endpoint:

https://domain.tld/wp-json/wp/v2/users

If wp-json/wp/v2/users is forbidden (403), then you should try the following bypasses:

/wp-json/wp/v2/users/n

/wp-json/?rest_route=/wp/v2/users/

/wp-json/?rest_route=/wp/v2/users/n

/?author=n

n means a number like 1, 2, 3, 4…
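As a defensive counterpart to the endpoints listed above, here is a must-use plugin that closes both enumeration routes on a site you administer. This is an added example, not code from the original post; the mu-plugins path and the decision to gate on a logged-in session rather than a capability are assumptions.

```php
<?php
/**
 * Plugin Name: Harden user enumeration (added example, not from the original post)
 *
 * Drop this file into wp-content/mu-plugins/ (assumed path). It closes the two
 * enumeration routes named in the post:
 *  1. the REST users collection and single-user routes, whether reached via
 *     /wp-json/wp/v2/users or via the ?rest_route=/wp/v2/users fallback
 *     (both resolve through the same route table, so one filter covers both);
 *  2. the /?author=n archive request, whose canonical redirect would otherwise
 *     leak the user slug in the Location header.
 */

// 1. Remove the user routes from the route table for anonymous requests.
//    Cookie-authenticated wp-admin requests carry a REST nonce and keep them,
//    so editors can still pick authors in the block editor.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        // Removed routes answer 404 rest_no_route instead of listing users.
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. Stop anonymous author archives before redirect_canonical() runs at
//    priority 10 and turns /?author=1 into a 301 to /author/<slug>/.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );
```

After deploying, the first request to /wp-json/wp/v2/users without a session should return a 404 JSON error, and /?author=1 should land on the home page with no slug in the Location header.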


Hello dear Alex 😼

0x06 — Bug 0x2 [Admin panel Common Password]

Notice: Please check your target's policy; don't try this attack if brute forcing is out of scope.

To get access to the admin panel of a WordPress site as admin, we need a username and a password. We can get the username from Bug 0x1 above.

Now, for the password, we'll brute-force it with Burp Suite and Hydra :)

0x06.1 — BurpSuite

1. Open the target WordPress site in your Burp Suite-configured browser

2. Append /wp-login.php to your target website's URL

3. Enter any random credentials (admin:admin)

4. Capture that request and send it to Intruder

5. Enter the target username you got from wp-json/wp/v2/users (log=kr1shna)

6. Clear all positions and add the value of pwd=§admin§

7. Open the Payloads tab and input your wordlist

8. Start the attack


After attack!

(In the above screenshot, my target has rate-limit protection on wp-login.php, so that's why I only input one password: I had already got the password from GitHub recon.)

If your password matches, you'll get a 302 status code in Burp Suite.

0x06.2 — Hydra

Command: hydra domain.tld https-form-post "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location" -l kr1shna -P /usr/share/wordlists/hack0x05.txt -f

hail hydra! 🤩
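On the defending side, the wordlist run above is exactly what a per-client failure counter is meant to stop. This must-use plugin is an added example, not the author's code; the thresholds, the transient key prefix and the assumption that REMOTE_ADDR is the real client address are mine.

```php
<?php
/**
 * Plugin Name: Throttle wp-login.php guesses (added example, not from the original post)
 *
 * Drop into wp-content/mu-plugins/ (assumed path). Failed logins are counted
 * per client address in a transient; once the count reaches the limit, further
 * attempts are refused until the window expires, so a wordlist run stops after
 * a handful of guesses instead of walking the whole list. The `authenticate`
 * filter runs for every caller of wp_authenticate(), not only the wp-login.php
 * form, so other login entry points get the same limit.
 */

const KA_MAX_FAILURES   = 5;       // assumed policy: five guesses per window
const KA_WINDOW_SECONDS = 15 * 60; // assumed policy: 15 minute window

function ka_client_key() {
    // Assumes WordPress sees the real client address. Behind a reverse proxy
    // REMOTE_ADDR is the proxy itself, and you must take the address from the
    // header your proxy sets, or every visitor will share one counter.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'ka_login_fail_' . md5( $ip );
}

// Refuse the attempt before the password is checked once the client is locked.
// Priority 30 places this after core's username/password handlers (20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ka_client_key() ) >= KA_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}, 30, 3 );

// Count each failure. Core fires this for our own lockout error as well, so the
// window keeps extending for as long as the guessing continues.
add_action( 'wp_login_failed', function () {
    $key = ka_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, KA_WINDOW_SECONDS );
} );

// A successful login (the 302 the post mentions) resets the counter.
add_action( 'wp_login', function () {
    delete_transient( ka_client_key() );
} );
```

In access logs the effect is visible as the POST /wp-login.php stream from one address dropping to the same 200 error page after the fifth try, which is also a cheap detection signal for a guessing campaign.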

0x07 — Bug 0x3 [Configuration File Leak]


The wp-config.php file contains the information WordPress needs to connect to the database, such as the database name, database host, username and password.

Sometimes developers forget to hide this sensitive file on the production server. So if you are able to access the wp-config.php file and it contains the database name, host, username and password, then it is a high-severity finding.

https://domain.tld/wp-config.php

Unfortunately, most of the time it is forbidden, but you can try the same file with different extensions.

For example:

/wp-config.txt

/wp-config.zip

/wp-config.md

/wp-config.php_orig

/wp-config.bak

wp-config.txt

0x08 — Bug 0x4 [Debug logs Leak]


Sometimes developers leave debugging ON on the production server, so all the logs of the WordPress site are stored in the debug.log file in the /wp-content directory. This can lead to full internal path disclosure, and sometimes it contains sensitive information.

You should always check for wp-content/debug.log, like https://domain.tld/wp-content/debug.log

wp-content/debug.log
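The two wp-config.php settings that produce, and that prevent, the exposure described above, side by side. This is an added example rather than anything from the original post; the log path is an assumption about your server layout.

```php
<?php
// Added example, not from the original post: two alternative wp-config.php
// fragments. Use one or the other, never both in the same file.

// --- Weak: the setting behind the leak described above ---------------------
// With WP_DEBUG_LOG === true, WordPress writes every notice and warning,
// including absolute file paths, to wp-content/debug.log. That file sits inside
// the document root, so https://domain.tld/wp-content/debug.log serves it to
// anyone unless the web server is told otherwise.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
// WP_DEBUG_DISPLAY defaults to true, so the same notices are also printed into
// the HTML of every page.

// --- Hardened: debug only when needed, never where a URL can reach it ------
define( 'WP_DEBUG', true );            // set back to false when you are done
define( 'WP_DEBUG_DISPLAY', false );   // nothing rendered into responses
// Since WordPress 5.1 WP_DEBUG_LOG accepts a path. Pointing it outside the
// document root means no URL maps to the log; the web server user must be able
// to write to that directory (assumed path). Note that WP_DEBUG_LOG has no
// effect at all while WP_DEBUG is false, which is the production default.
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );
```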

0x09 — Bug 0x5 [Backup Files Leak]


There is a risk that developers took a backup of domain.tld but mistakenly stored it on the production server; this might be a serious problem.

This backup file can be found anywhere.

You can call on FFUF's help this time. It is a fantastic tool created by Joohoi to fuzz web applications.

If our target is domain.tld, then the backup file name will be domain.* (rar, tar.gz, sql.tar, tar.bzip2, sql.bz2, 7z, tar, tar.bz2, sql.7z, bak, etc.)

First of all, we need all the extensions saved in a file. You can use my file :)


And then start fuzzing with FFUF

Command: ffuf -u https://domain.tld/domain.FUZZ -w hack.txt -o ext-fuzz.txt -c


No bugs :( Sed Lyf

I think this is enough for this part. I will continue this series in 2023 if you got some knowledge from this part; else, everything is fine ;)

If I missed something in this write-up, then please DM me or drop a comment. I'll add it with your name :)

Takeaway: “Don’t assume that you are the only one receiving several duplicates and
N/A. Everybody encounters this. Don’t give up; it is only a phase of the process.”

Apologies for any grammatical mistakes 🙏.

Special thanks to @Parag_Bagul for proof reading.

DMs are always open for questions, help, collaboration, and suggestions :)

Be my Friend:

Instagram — https://www.instagram.com/krishnaAgarwal_in

LinkedIn — https://www.linkedin.com/in/kr1shna4garwal

GitHub — https://github.com/kr1shna4garwal/

Twitter — https://twitter.com/kr1shna4garwal

Thanks for wasting your valuable time in reading my write-ups ;)

If you found this valuable and have wasted your 10 minutes in reading this and
learned something, then give some claps👏 and drop a comment, Hit the Follow
button for future write-ups and share this with your infosec friends and community.

We will meet in Part-2 of this series.

Keep hacking, keep learning!

Signing off!
