All code and information for educational purposes only
Today I will show you how to gather information about a WordPress site by loading and analyzing a single page; then, based on this knowledge, we will create a script to automate the entire process.
Why analyze only one page? Why not use existing automated tools like nikto or WPScan?
Those are great tools with plenty of functionality, but they are noisy: they send many requests to the target site. That may be a problem, because if you need to perform reconnaissance on a WordPress site and remain undetected, your behavior must look like that of a regular user reading a blog on the site.
Discover WordPress version
First, let's try to find the WordPress version of a target. Open the site's main page, choose "View Page Source" in the Chrome browser, and look for the meta tag named "generator".
You can see the WordPress version inside its content attribute.
Let's get the WordPress version with Ruby:
```ruby
require 'nokogiri'
require 'open-uri'

url = 'http://www.example.com' # Put the URL of your site here

# Fetch the page once and parse the HTML (URI.open is the open-uri entry point
# on current Ruby; plain Kernel#open no longer accepts URLs)
doc = Nokogiri::HTML(URI.open(url).read)

# The generator meta tag carries the WordPress version in its content attribute
doc.xpath("//meta[@name='generator']/@content").each do |attr|
  puts attr.value
end
```
To remove the "generator" meta tag, add this line to your functions.php:
Discover XML-RPC protocol location
The XML-RPC is an API that enables developers to create WordPress “apps” (like clients, plugins and themes), which allow you to make remote HTTP requests to your WordPress site (link to full article).
XML-RPC can also be abused for brute-forcing passwords. I described this process and wrote a script for it in a separate article (read the full article).
To find the location of XML-RPC, look for two link tags whose rel attributes are "pingback" and "EditURI" respectively:
Using the REST API, an attacker can list all the WordPress users, and then, using a brute-force attack via XML-RPC, find out a password.
The combination of two enabled APIs (XML-RPC and REST API) may be very dangerous, so you should disable XML-RPC if it is not in use.
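The following script ties the three checks above together (the "generator" meta tag, the "pingback"/"EditURI" link tags that advertise xmlrpc.php, and the REST API root that WordPress advertises with a link tag whose rel is "https://api.w.org/") so that you can audit what one page of your own site gives away. It is an added example, not code from the original post; it uses only the Ruby standard library instead of Nokogiri so it runs without any gems, and the two HTML pages at the top are constructed samples (the hostname blog.example.test is made up). The exposure_level function encodes the point made above: XML-RPC and the REST API advertised together rate as high.

```ruby
# Added example: audit what a single WordPress page reveals, stdlib only.

# Constructed sample: a default WordPress page advertising version, XML-RPC and REST API.
SAMPLE_PAGE = <<~HTML
  <!DOCTYPE html>
  <html><head>
  <meta charset="UTF-8">
  <meta name="generator" content="WordPress 5.8.1" />
  <link rel="pingback" href="https://blog.example.test/xmlrpc.php">
  <link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://blog.example.test/xmlrpc.php?rsd" />
  <link rel='https://api.w.org/' href='https://blog.example.test/wp-json/' />
  </head><body><p>Hello world</p></body></html>
HTML

# Constructed sample: the same site after removing the generator tag and disabling XML-RPC.
HARDENED_PAGE = <<~HTML
  <!DOCTYPE html>
  <html><head>
  <meta charset="UTF-8">
  <link rel='https://api.w.org/' href='https://blog.example.test/wp-json/' />
  </head><body><p>Hello world</p></body></html>
HTML

# Parse the attributes of one <meta ...> or <link ...> tag into a Hash
# (attribute names are lower-cased; single- and double-quoted values accepted).
def tag_attributes(tag)
  tag.scan(/([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/).each_with_object({}) do |(name, dq, sq), attrs|
    attrs[name.downcase] = dq || sq
  end
end

# Walk every <meta> and <link> tag of the page and record what it discloses.
def wordpress_fingerprint(html)
  result = { version: nil, xmlrpc: nil, rest_api: nil, findings: [] }

  html.scan(/<(?:meta|link)\b[^>]*>/i).each do |tag|
    attrs = tag_attributes(tag)
    rel = attrs['rel'].to_s.downcase

    if attrs['name'].to_s.casecmp?('generator') &&
       (m = attrs['content'].to_s.match(/WordPress\s*([\d.]+)?/i))
      result[:version] = m[1] # nil when the tag is present but the number was stripped
      result[:findings] << "version disclosed via meta generator: #{attrs['content']}"
    elsif rel == 'pingback' || rel == 'edituri'
      # Both tags point at xmlrpc.php; EditURI carries a trailing "?rsd" we drop.
      result[:xmlrpc] ||= attrs['href'].to_s.sub(/\?rsd\z/, '')
      result[:findings] << "XML-RPC endpoint advertised by rel=#{attrs['rel']}: #{attrs['href']}"
    elsif rel == 'https://api.w.org/'
      result[:rest_api] = attrs['href']
      result[:findings] << "REST API root advertised: #{attrs['href']}"
    end
  end

  result
end

# Rate the exposure: XML-RPC plus REST API together is the dangerous combination.
def exposure_level(fp)
  return :high if fp[:xmlrpc] && fp[:rest_api]
  return :medium if fp[:xmlrpc] || fp[:version]
  :low
end

if __FILE__ == $0
  [SAMPLE_PAGE, HARDENED_PAGE].each do |page|
    fp = wordpress_fingerprint(page)
    puts "exposure: #{exposure_level(fp)}"
    fp[:findings].each { |f| puts "  - #{f}" }
  end
end
```

To audit a live site of your own, replace the sample constant with the body of one fetched page (for example via open-uri, as in the snippet above) and compare the report before and after applying the functions.php change and disabling XML-RPC.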
Of course, we could gather even more information with additional requests; for example, we could download and analyze "/readme.html" to get the version of WordPress in use.
We could also learn more about the installed plugins and themes by analyzing the downloaded JS and CSS files, as well as the HTTP response headers.
But the purpose of this post is to show how much information about a WordPress site you can get from analyzing just a single page.
Thank you for reading my post. Soon, I plan to create a script that automates this entire process, and you will be able to download and use it.