Page 1
$ pwd
/home/espreto
$ mkdir conferences/nullbyte && cd $_
$ cat > title.txt
^C
$ clear
Page 2
$ whoami
espreto
$ cat me.txt
$ clear
Page 3
$ cat talk.txt
$ clear
Page 4
$ irb --simple-prompt
>> def talk(data)
>> …snip…
>> talk("wp_intro")
Page 5
>> talk("plugins_the_dark_side")
Page 6
>> talk("plugins_the_dark_side")
Common Vulnerabilities
File Upload Vulnerability.
Cross-Site Scripting Vulnerability (XSS).
File Download Vulnerability.
Cross-Site Request Forgery Vulnerability (CSRF).
SQL Injection Vulnerability (SQLi).
Page 7
>> talk("plugins_the_dark_side")
https://wpvulndb.com/plugins
Page 8
>> talk("why_metasploit")
Page 9
>> talk("exploits_auxiliaries")
https://www.rapid7.com/db/search
Page 10
>> talk("http_msf_requests")
net/http library
Msf::Exploit::Remote::HTTP::Wordpress
Page 11
>> talk("http_msf_requests")
File Read (Traversal)
http://wordpress/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../../../etc/passwd
Page 13
>> talk("http_msf_requests")
WordPress Login
Check method
Page 14
@espreto
>> talk("http_msf_requests")
Get nonce
Page 15
>> talk("wpsploit")
By todb, Rapid7
Page 16
>> talk("wpsploit")
Page 17
>> talk("wpsploit")
https://github.com/espreto/wpsploit
Page 20
>> talk("questions")
Page 21
>> quit
$ cat contact.txt
$ shutdown -h now