Don’t tell anyone: Here’s a Way to Get Your First WordPress bounty

Steve Matindi
5 min read · Sep 5, 2021


Hello everyone. In this post I'll show how an attacker can take over a site running the official WordPress content management system (WordPress CMS) in under ten minutes, and possibly end up ruining your customer's website, or your own.

To start with, we first need to explain a few terms:

Definition of Terms

  • WordPress: a content management system (CMS) for building and hosting websites.
  • Wp-Login: the default WordPress back-end login page for administrators, reached by adding /wp-login.php to the end of your site's URL. With pretty permalinks enabled, WordPress also redirects /login/ and /admin/ to it.
An example of a Wp-Login page: https://foo.com/wp-login.php
  • Site's URL: a website's uniform resource locator (URL), or in simple terms the name you type into the browser to reach a given site. It usually includes the protocol (e.g. HTTP, HTTPS), the domain name (or IP address), and optionally a path (folder/file).
URL example without path: www.foo.com
URL example v1 without path: http://blog.foo.com
URL example v2 with path: https://foo.com/path-to-file
  • WP-Admin: the WordPress admin dashboard, i.e. the control panel for the entire WordPress website.
  • install.php: the WordPress installer script (wp-admin/install.php), run once when WordPress is first set up. It asks for things like the name of the new website and the credentials of the account that will manage it. If WordPress has already been installed, the script refuses to run and prints an "Already Installed" notice instead.
  • WordPress Plugins: PHP scripts that extend or add new features to a WordPress website.

Alright, enough with the definitions, let’s be technical now.

This is what we will be attempting to do in the next five minutes:

  1. Find a target and identify the URL path to its install.php file.
  2. Check whether the site can be compromised.
  3. Take over the site and/or report the vulnerability.

Step 1: Finding Our Target

Before we start, we are going to need three things:

  1. A VPN. Not a must, unless you don't love exposing your own IP address.
  2. An extension or tool for figuring out whether the target site runs WordPress. (I use Wappalyzer; https://www.isitwp.com/ serves the same purpose.)
  3. A tool for figuring out the path to the install.php file. (You can use waybackurls by Tom Hudson, or simply append /wp-admin/install.php to your target's URL.)

e.g. https://foo.com/wp-admin/install.php

After your reconnaissance gear is ready, it's time to find a worthwhile target. Check whether each candidate runs WordPress with Wappalyzer or isitwp and note the hits down one after the other (you can also challenge your mind by opening 50+ tabs of potential targets rather than noting them in a notepad).

Step 2: Is this site vulnerable?

If the install.php path on your target shows the "Already Installed" notice (WordPress tells you it appears to have already been installed and that the old database tables must be cleared before reinstalling), the site is off the target list:

 https://target-site.com/wp-admin/install.php

Move on to the next target and check whether it shows the installer's setup form instead (the language chooser, followed by fields for site title, username, password and email). If you find one, congrats, you can now move on to step 3.
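Steps 1 and 2 can be scripted. The check below is an added example for this post, not the author's tooling: it requests /wp-admin/install.php on each host, follows redirects, and classifies the response by the strings WordPress core prints on each installer screen (the "Already Installed" notice, the language chooser or setup form, the redirect to setup-config.php when wp-config.php is missing, or the "Error establishing a database connection" page). The host list, the user agent string and the sample responses used to exercise it are constructed assumptions; the marker strings are heuristics that a customised or front-ended site may not emit verbatim. Run it only against sites you are authorized to test.

```python
"""Classify what a host exposes at /wp-admin/install.php (added example, not the post's own code)."""
import sys
import urllib.error
import urllib.request

INSTALL_PATH = "/wp-admin/install.php"
USER_AGENT = "install-check/0.1 (authorized assessment)"  # assumption: choose your own

# Strings WordPress core prints on each installer state. They are heuristics:
# a customised or reverse-proxied site may not return them verbatim.
ALREADY_INSTALLED = "Already Installed"
DB_ERROR = "Error establishing a database connection"
# No wp-config.php: install.php redirects to setup-config.php, which asks the
# visitor for database credentials (i.e. lets them point the site at their own DB).
SETUP_CONFIG_MARKERS = ("setup-config.php", "Before getting started")
# Database reachable but empty: the language chooser (step 0) or the setup form (step 1).
INSTALLER_MARKERS = ('name="language"', 'name="weblog_title"',
                     'name="admin_email"', 'name="user_name"')


def classify(status, body, final_url=""):
    """Map one HTTP response from /wp-admin/install.php to an installer state.

    Returns one of:
      not_exposed          - 401/403/404: the path is blocked or absent
      already_installed    - WordPress is installed; nothing to report
      db_error             - wp-config.php exists but the database is unreachable
      setup_config_exposed - no wp-config.php; visitor is asked for DB credentials
      installer_exposed    - database reachable but empty; admin account can be created
      unknown              - a page without any known marker
    """
    if status in (401, 403, 404):
        return "not_exposed"
    if ALREADY_INSTALLED in body:
        return "already_installed"
    if DB_ERROR in body:
        return "db_error"
    if final_url.endswith("setup-config.php") or any(m in body for m in SETUP_CONFIG_MARKERS):
        return "setup_config_exposed"
    if any(m in body for m in INSTALLER_MARKERS):
        return "installer_exposed"
    return "unknown"


def fetch(base_url, timeout=10):
    """GET base_url + INSTALL_PATH, following redirects; returns (status, body, final_url)."""
    req = urllib.request.Request(base_url.rstrip("/") + INSTALL_PATH,
                                 headers={"User-Agent": USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), resp.geturl()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body worth classifying
        return err.code, err.read().decode("utf-8", "replace"), err.geturl()


def scan(base_urls):
    """Classify each host; connection failures are recorded instead of aborting the run."""
    results = {}
    for url in base_urls:
        try:
            results[url] = classify(*fetch(url))
        except (urllib.error.URLError, OSError, ValueError) as err:
            results[url] = f"error: {err}"
    return results


if __name__ == "__main__":
    # Usage: python3 wp_install_check.py https://foo.com https://blog.foo.com
    for host, state in scan(sys.argv[1:]).items():
        print(f"{state:22} {host}")
```

Only the "installer_exposed" and "setup_config_exposed" results are findings; "already_installed" is the normal state for a live site, and "db_error" means the database is currently unreachable, so the installer cannot be completed at the moment but the site is still worth re-checking later.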

Step 3: Owning the Website

It's time to own our target. I hope you've followed step 1 (finding your target and the path to its install.php file) and step 2. But wait,

Disclaimer: What you're about to do is at your own risk. The information in this post is for educational purposes only, and the writer assumes you have proper authorization for the site you are accessing.

If you wish to continue reading, smile and shout YES.

Alright,

Back to our target. Append the path below to your target's URL:

wp-admin/install.php

The new target’s URL should now look similar to the below example:

https://foo.com/wp-admin/install.php

After appending the install.php path, press enter. You should now see the WordPress installer's language chooser, served from:

https://foo.com/wp-admin/install.php

Complete the setup by choosing your mother tongue :) and pressing Continue, then fill in a site title, a username, a password and an email address (be careful which email you use: WordPress mails the new site's login details to it) and press Install WordPress. There is no confirmation step; the administrator account is created immediately with the password you chose.

Once that is done, head over to the target's login page by replacing the installer path, for example:

From https://foo.com/wp-admin/install.php or whatever path you're seeing.

To:

https://foo.com/wp-login.php

Logging in at wp-login.php with the username (or email) and password you chose in the installer gives you full administrator privileges on the target's site. Refer to Wp-Login in the definitions section for other paths to the admin dashboard.

That's it! We're in, inside the dashboard, and for the moment we own the site. Keep in mind what that means when you rate the finding: an administrator can upload plugins and themes, which is arbitrary PHP running on the hosting server, so this is a critical issue, not just a defacement.

Wait a minute, we are the good guys. Head over to the dashboard and put the site into maintenance mode (core has no such switch; Plugins > Add New offers maintenance-mode plugins), or, if you want to be a bit savage, go to the Pages section, edit the homepage and add an alert image. Check the program's rules first, though: most bounty programs forbid modifying content or locking the owner out, and a screen recording of the dashboard is proof enough.

To make it hard for them to find the admin dashboard (assuming they know nothing about finding and changing admin URLs), head over to Plugins > Add New within the dashboard and search for "change wp-admin login". You should see a few choices. Pick one that interests you, e.g. WPS Hide Login, and set a new login slug so that the admin URL looks something like:

https://foo.com/conquerer

That is all for now. I hope this info helped you somehow. If you are on the owning side of a half-installed WordPress, the fix is to finish the job yourself: restore the database or complete the install, and until then block wp-admin/install.php and wp-admin/setup-config.php at the web server.

Oops! I hope you remembered to record yourself logging in to the target's site as the attacker. A proof-of-concept (PoC) demo is worth it when presenting your findings.

“Knowing is not enough; we must apply. Wishing is not enough; we must do.” — Von Goethe