POST CATEGORY : Website Hacking

Beginners Guide to Burpsuite Payloads (Part 2)

Hello Friends!!  In our previous article part1 we had discussed how to perform brute force attack on any web application server for making unauthorized login into it using some Payload of Burpsuite. In part 2 articles you will learn more about brute force attack with help of remaining BurpSuite payloads that might be helpful in other situation.

Let’s Start!!

Character Substitution

This type of payload allows to configure a list of strings and apply various character substitutions to each item. This type of payload is useful in password guessing attacks and generating common variations on dictionary words.

The UI of this payload allows you to configure a number of character substitutions. For each item, it will generate a number of payloads, which include all permutations of substituted characters according to the defined substitutions.

 For example, the default substitution rules states (which include e > 4 and r > 5), the item “Raj Chandel” will generate the following payloads:

raj chandel

5aj chandel

raj chand4l

5aj chand4l

First, we have intercepted the request of the login page in the DVWA LAB, where we have given a default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as
  • In the given below image we have selected password that means we will need one dictionary files for password.

 Now click on payloads option after selecting payload position. Here we can add a dictionary by clicking on Load option or we can manually add Strings by clicking on the Add option.

Now we have substituted 4>a , 5>s , 9>o as per our requirements to match the password and we have added the input as p445w9rd using the Add option which will substitute the character’s according to the Defined substitution as shown in the image.

Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

 And to confirm the password matched, we will give the matched password in the DVWA LAB login page. We will see a message “Welcome to the password protected area admin” which shows are success in the character substitution payload attack.

Copy Other Payload

This is a type of payload which can copy the value of the current payload to another payload position. It is very useful for attack types that have multiple payload sets such as cluster bomb, pitch fork and battering ram. This payload type can be useful in various situations, for example:

  • Suppose we are using two different parameters and we want to attack at two different fields, therefore we can set different “payload types” at multiple “payload sets” inside burpsuite payload configuration as per our attack type as it allows us to simply use the same dictionary for both payload that we have set at particular position by giving the position of the payload we want to copy. It will execute the complete payload which is set at a specific position.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given wrong username and password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted username and password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack which is the username and password and click on Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Now click on payloads option after selecting payload position, here we need to add a dictionary which will use for both payload set. Then select the Payload type as Simple list for Payload Set ‘1’ which will attack at the username field.

Now  to attack at the password field we will select Payload type as Copy other payload for Payload Set ‘2’ because we want to attack the same payload type at payload set 2 which will copy the dictionary given for payload set 1 to attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the username and password which will give you the correct username and password. The moment it will find the correct value, it will change the value of length as shown in the image.

And to confirm the password matched, you can give the matched password in the BWAPP LAB login page.

Username Generator

This type of payload allows you to set up a list of names or email addresses, and can produce usernames from given specific schemes.

For example, Let’s take a username “raj chandel” which can give results in up to 115 possible usernames, some combination are as follows :

rajchandel

raj.chandel

chandelraj

chandel.raj

chandel

raj

rajc

etc…

This type of payload is useful to target at a specific user, where you do not know the username or email address scheme of the user which is being used in a specific application.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given wrong username and password. Then click on login , the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted username and password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack which is the username and password and click on Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the Payload type as “Username Generator” for Payload Set ‘1’ which will attack at the username field, we have a given input string “raj chandel” by using the Add option as shown in the image, which will use different permutations on that input string given to match the correct username.

Now to attack at the password field we will select Payload type as Simple list for Payload Set ‘2’ for which we have added a dictionary manually created by us by using the Load option.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the username and password which will give you the correct username and password. The moment it will find the correct value, it will change the value of length as shown in the image.

Dates

This type of payload generates date payloads within a given range and in a specified format. This type of payload is can be used in data mining or brute forcing.

For example it can be used to guess a user’s birth date, wedding date, anniversary date etc which can be used to brute force the security questions for an application or web applications, or it can used to brute force the password of user’s, where user’s uses dates as their password.

The following options are available in this type of payload:

  • From – This is said as the first date which will be generated.
  • To – This is said as the last date which will be generated.
  • Step – This is said as an increase between sequential dates, days, weeks, months or years. It should be a positive value.
  • Format – This is said as the format in which dates can be represented. we can select from different predefined date formats, or we can make our own custom date format as per our requirement. Some example of the date format are given below:
E Mon
EEEE   Monday
D 2
dd 02
M 9
MM 09

Repeat the same to intercept the request of the login page in the Bwapp LAB, where we have given wrong username and password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted username and password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack which is the username and password and click on Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the Payload type as Simple list for Payload Set ‘1’ which will attack at the username field where we have given a dictionary as an input string as shown in given below image.

Now to attack at the password field we will select Payload type as Dates for Payload Set ‘2’ because we are guessing the user might have its birth date or any other date as a password.

After this we have set the inputs for Payload set ‘2’ in the fields given in the payload options such as FROM, TO, STEP and FORMAT as shown in the image.

Now Select Start Attack in the Intruder menu for brute force attack.

Sit back and relax because now the burp suite will do its work, match the username and password which will give you the correct username and password. The moment it will find the correct value, it will change the value of length as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking ArticlesHe is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

Burpsuite Encoder & Decoder Tutorial

Burpsuite Decoder can be said as a tool which is used for transforming encoded data into its real form, or for transforming raw data into various encoded and hashed forms. This tool is capable of recognizing several encoding formats using defined techniques. Encoding is the process of putting a sequence of character’s (letters, numbers, punctuation, and symbols) into a specialized format which is used for efficient transmission or storage. Decoding is the opposite process of encoding the conversion of an encoded format back into the original format. Encoding and decoding can be used in data communications, networking, and storage.

Today we are discussing about the Decoder Option of ‘Burp Suite’. Burp Suite is a tool which is used for testing Web application security. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. This tool is written in JAVA and is developed by PortSwigger Security.

There are 9 types of decoder format in Burp Suite:

  • Plain text
  • URL
  • HTML
  • Base64
  • ASCII Hex
  • Hex
  • Octal
  • Binary
  • Gzip

URL Encoder & Decoder

When you will explore decoder option in burp suite you will observe two section left and right. The left section is further divided in two and three section for encode and decode option respectively. The right section contains function tab for encode and decode option. And if you will observe given below image you can notice there is two radio buttons for selecting type of content you want to encode or decode.

Enable the radio button for text option and then we can give any input in the box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select URL field from given list as shown in the image. We will get the encoded result in URL format in the second box as shown in the image.

 We can directly decode the Encoded URL Text by clicking on the Decoded as option and selecting URL field from given list of options as shown in the image.  This will decode the encoded URL text into plain text in the third box as shown in the image.

HTML Encoder & Decoder

Repeat the same and give any input in the first box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select HTML field as shown in the image. We will get the encoded result in HTML format in the second box as shown in the image.

We can directly decode the Encoded HTML Text by clicking on the Decoded as option and selecting HTML field as shown in the image.  This will decode the encoded HTML text into plain text in the third box as shown in the image.

Base64 Encoder & Decoder

Repeat the same process and give any input in the first box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select Base64 field as shown in the image. We will get the encoded result in Base64 format in the second box as shown in the image.

We can directly decode the Encoded Base64 Text by clicking on the Decoded as option and selecting Base64 field as shown in the image.  This will decode the encoded Base64 text into plain text in the third box as shown in the image.

ASCII Hex Encoder & Decoder

Again repeat the same process and give any input in the first box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select ASCII Hex field as shown in the image. We will get the encoded result in ASCII Hex format in the second box as shown in the image.

We can directly decode the Encoded ASCII Hex Text by clicking on the Decoded as option and selecting ASCII Hex field as shown in the image.  This will decode the encoded ASCII Hex text into plain text in the third box as shown in the image.

Hex Encoder & Decoder

Repeat same as above and give any input in the first box to be encoded, here we have given Raj chandel 123456789 as an input as shown in the image. After that click on the Encoded as option and select Hex option as shown in the image. We will get the encoded result in Hex format in the second box as shown in the image.

We can directly decode the Encoded Hex Text by clicking on the Decoded as option and selecting Hex field as shown in the image.  This will decode the encoded Hex text into plain text in the third box as shown in the image.

Octal Encoder & Decoder

Repeat again and give any input in the first box to be encoded, here we have given Raj chandel 123456789 as an input as shown in the image. After that click on the Encoded as option and select Octal field as shown in the image. We will get the encoded result in Octal format in the second box as shown in the image.

We can directly decode the Encoded Octal Text by clicking on the Decoded as option and selecting Octal field as shown in the image.  This will decode the encoded Octal text into plain text in the third box as shown in the image.

Binary Encoder & Decoder

Repeat the same and give any input in the first box to be encoded, here we have given Raj chandel 123456789 as an input as shown in the image. After that click on the Encoded as option and select Binary field as shown in the image. We will get the encoded result in Binary format in the second box as shown in the image.

We can directly decode the Encoded Binary Text by clicking on the Decoded as option and selecting Binary field as shown in the image.  This will decode the encoded Binary text into plain text in the third box as shown in the image.

Gzip Encoder & Decoder

Give any input in the first box to be encoded, here we have given Raj chandel as an input as shown in the image. After that click on the Encoded as option and select Gzip field as shown in the image. We will get the encoded result in Gzip format in the second box as shown in the image.

We can directly decode the Encoded Gzip Text by clicking on the Decoded as option and selecting Gzip field as shown in the image.  This will decode the encoded Gzip text into plain text in the third box as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking ArticlesHe is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

Beginners Guide to Burpsuite Payloads (Part 1)

Hello friends!! Today we are discussing about the “Types of Payload in Burp Suite”. Burp Suite is an application which is used for testing Web application security. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. This tool is written in JAVA and is developed by PortSwigger Security. We are going to use the Intruder feature of Burp Suite, it is used to brute force web applications. There are 18 types of payloads in intruder i.e.  

  • Simple list
  • Runtime File
  • Case Modification
  • Numbers
  • Brute Forcer
  • Character substitution
  • Custom iterator
  • Recursive grep
  • Illegal Unicode
  • Character blocks
  • Dates
  • Brute Forcer
  • Null Payloads
  • Character frober
  • Bit Flipper
  • Username generator
  • ECB block shuffler
  • Extension Generated
  • Copy other payload

Simple List

This is one of the simple types of payload, as it allows you to configure a short Dictionary of strings which are used as payload.

First, we intercept the request of the login page in the DVWA LAB, where we have given a random username and password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted username and password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack which is the username and password and click on Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

So now, go to Payloads tab and the select 1 from Payload set (this ‘1’ denotes the first file to be selected). Then click on Load button and select your dictionary file for username.

Now select 2 in the Payload set and again give the dictionary file for the password. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the valid combination of username and password and will give you the correct password and username. The moment it will find the correct value, it will change the value of length as shown.

And to confirm the username and password matched, we will give the matched username and password in the DVWA LAB login page. We will see a message “Welcome to the password protected area admin” which shows are success in the simple list payload attack.

Runtime File

This type of payload allows you to configure a file which reads the payload strings at runtime. This type of payload is needed when we require large list of payloads, to avoid holding the entire list in memory. This payload allows you to configure large list of strings which overcomes the simple list payload type.

First, we have intercepted the request of the login page in the DVWA LAB, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as
  • In the given below image we have selected  password that means we will need one dictionary file  for password.

Then select the “Payload type” as Runtime File and then give the path of dictionary in the “payload options” as /usr/share/wordists/rockyou.txt which is the largest dictionary in Kali Linux. Select Start Attack in the Intruder menu.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Case Modification

This type of payload allows you to configure a list of strings and apply various case modifications to each item on the list. This is useful in password guessing attacks, for generating case variations on dictionary words.

The following case modification rules can be selected:

  • No change – The item is used without being modified.
  • To lower case – All letters in the item are converted to lower case.
  • To upper case – All letters in the item are converted to upper case.
  • To Proper name – The first letter in the item is converted to upper case, and the remaining letters are converted to lower case.
  • To Proper Name – The first letter in the item is converted to upper case, and the remaining letters are not changed.

For example, if we select all the modification options, then the item “Raj Chandel” will generate the following payloads:

Raj Chandel

raj chandel

RAJ CHANDEL

Raj chandel

First, we intercept the request of the login page in the DVWA LAB, where we have given a random username and a random password. Then click on login , the burp suite will capture the request of the login page in the intercept tab. Send the captured request to the Intruder by right clicking on the space and selecting Send to Intruder option or simply press ctrl + i.

Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as
  • In the given below image we have selected  password that means we will need one dictionary file  for password.

Then select the “Payload” type as Case Modification, we have selected the No change and to lower case fields in the “payload options” of the case modification as shown in the image. We have added a default Password dictionary from the Add from list field in the payload options. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Numbers

This type of payload generates numeric payloads within a given range and in a specified format.

The following options are available in this payload:

  • Number range:
  • Type – the type options describes that the numbers should be generated sequentially or randomly.
  • From – If numbers are being generated sequentially, this is the value of the first number that will be generated.
  • To – If numbers are being generated sequentially, this value of the last number that will be generated. It is said as the highest possible number that may be randomly generated.
  • Step – the step option is used when numbers are being generated sequentially and specifies the increment in the successive numbers.
  • How many – This option is available when numbers are being generated randomly, and specifies the number of payloads that will be generated

First, we intercept the request of the login page in the Bwapp Lab, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request to the Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as
  • In the given below image we have selected  password that means we will need one dictionary file  for password.

Then select the Payload type as Numbers where we have set the number range from 100 to 150 and we have set the step as 1 as shown in the image, select Start Attack in the Intruder menu.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

As the password matches with a number which is between the given number range. And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack.

Brute Forcer

This type of payload generates a payload of specified lengths that contain all permutations of list of characters in the given string.

The following options are available:

  • Character set – The set of characters to be used in the payloads. Note that the total number of payloads increases exponentially with the size of this set.
  • Min length – The length of the shortest payload.
  • Max length – The length of the longest payload.

First, we intercept the request of the login page in the Bwapp LAB, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request to the Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as
  • In the given below image we have selected  password that means we will need one dictionary file  for password.

Then select the “Payload type” as Brute Forcer where we can give any kind of input into the “character set” as shown in the figure , as we have given 213 and we have set the Min length as 3 and Max length as 3 as shown in the image. We can manually give the Min length and Max length as per your need. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Great!! We have used Top 5 payloads of Burpsuite for login page brute force attack successfully.

Note: In this articles (part-1) we will be performing top 5 payload types and the rest of the payload types will be discussed in the (part-2) of this article.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology.

WordPress Penetration Testing using WPScan & Metasploit

In our previous article we had discussed “WordPress Penetration Testing Lab Setup in Ubuntu” and today you will learn wordpress penetration testing using WPScan and Metasploit

Attacker: Kali Linux

Target: WordPress 

WPScan is a black box vulnerability scanner for WordPress written in PHP mainly focus on different types of vulnerability in WordPress, WordPress themes, and plugins. Well, WPScan tool is already installed by default in Kali Linux, SamuraiWTF, Pentoo, BlackArch, and BackBox Linux. WPScanuses the database of all the available plugins and themes (approximately over 18000 plugins and 2600 themes) during testing against the target to find outdated versions and vulnerabilities.

Things WPScan can do for you are:

Detect a version of currently installed WordPress.

-Can detect sensitive files like readme, robots.txt, database replacing files, etc.

-Detect enabled features on currently installed WordPress.

-Enumerate theme version and name.

-Detect installed plugins and can tell you if it is outdated or not.

-Enumerate user names also.

Let’s start.

Go to your Kali Linux terminal and type following to download wpscan from git hub.

cd Desktop

Now simply type in terminal to run the script:

Using default Option we will are going to penetrate our wordpress website:

Scanning wordpress version of target website

Wpscan is a great tool to scan wordpress websites. Now we will try to do some basic scan, we will use enumerate tools to find information about themes, plugins, usernames etc.

Now type following command to scan wordpress and its server:

Instead of http://192.168.0.101/wordpress/ type the name of a website you want to scan. 

Here it found server: Apache/2.4.7, PHP /5.5.9 wordpress version 4.8.1, using this information an attacker can check for its exploit in Google. Moreover it also found that the upload directory has directory listing enable which means anyone can browse the directory /wp-content/uploads to view the uploaded files and contents.

Enumerating wordpress Theme

A theme controls the general look and feel of website including things like page layout, widget locations, and default font and color choices. WordPress.com has a wide range of themes for its user and each theme has an about page that includes features and instructions.

To scan installed theme of wordpress website type following command:

Enumerating wordpress vulnerable Theme

To scan installed vulnerable theme of wordpress website type following command:

From scanning result we didn’t find any vulnerable theme which means there is no vulnerable theme which can be exploited.

Enumerating wordpress Plugins

Plugins are small piece of code of a program which can be added to a WordPress website to extend its functionality.

To find installed plugins on our target’s WordPress website, type in terminal:

Finally, after few seconds, you will get result of installed plug-in. You can see that in my scan result askismet v3.3.3, pixabay-images v2.14, wptouch v3.4.3 such types of installed plug-in are detected. As well as it also describe last update and latest version of that plug-in.

Enumerating wordpress vulnerable Plugins

Now type following command to scan vulnerable plug-in of any wordpress website:

After few seconds, you will get result of installed vulnerable plug-in of website. From given image you can observe that the red color indicates vulnerable plug-ins as well as link of exploits CVE.

Exploit vulnerable plug-in using Metasploit

This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution.

Open the terminal load metasploit framework and execute following command:

use exploit/unix/webapp/wp_reflexgallery_file_upload

msf exploit(wp_reflexgallery_file_upload) > set rhost 192.168.0.101

msf exploit(wp_reflexgallery_file_upload) > set targetURI /wordpress/

msf exploit(wp_reflexgallery_file_upload) > exploit

Awesome!! From given image you can observe the meterpreter session of victim’s web server.

meterpreter> sysinfo

Enumerating wordpress Usernames

In order to enumerate user names of wordpress website execute following command:

After sometime it will dump the table of usernames. In this scan I had found three users with their Id as given below:

ID 1: admin

ID2: ignite

ID: demo

Enumerate ALL with single command

Whatever we have scanned above can be easily enumerate at once by executing given below command:

Here we had use option –e at –e ap –e u for following reasons:

–e at : enumerate all themes of targeted website

–e ap: enumerate all plugins of targeted website

–e u: enumerate all usernames of targetd website

Brute force attack using Wpscan

With help of username which we had enumerated above we can create a wordlist of password for user admin and can try brute force login attack using given below command.

It will start matching the valid combination of username and password for login and then dump the result, from given image you can see it found login credential of targeted website as admin:password.

Generate PHP backdoor in wordpress

You can use above credential for login into admin panel where we can upload any theme, taking advantage of admin right we will try to upload malicious script to achieve reverse connection from victim’s system.

Once you are inside admin panel click on Appearance from dashboard and then select option editor.

Now select template 404.php given on the right side of the frame; after that you will found some php code in middle frame for 404 temperate. Erase the entire php code so that you can add malicious php code for generating backdoor inside website as a new theme.

Now use msfvenom to generate malicious PHP script and type following command.

From screenshot you can read the generated PHP script, at this instant we need to copy the text from *<?php……….die();  further we will past it inside wordpress template as a new theme.

Now past above copied PHP text *<?php……….die();   here as new theme under selected  404.php template.

On other hand Load metasploit framework and start multi/handler

When you will execute your uploaded theme 404.php in browser you will receive reverse connection at multi/handler and get meterpreter session of victim’s system.

Here form screenshot you can see through meterpreter we have access victim’s shell.

meterpreter> sysinfo

In this way using WPSCAN and METASPLOIT admin can check the strength and weakness of wordpress website.

AUTHOR: AkshayBhardwaj is a passionate Hacker, Information Security Enthusiast and Researcher | Sketch Artist |Technical writer.