> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/enumeration/web-enumeration-cms.md).

# Cms

## Nmap Script for WordPress Plugin Enum

Use the `http-wordpress-enum` Nmap script to enumerate installed WordPress plugins and themes, and potentially their versions on a target host. This can reveal specific software versions to search for known exploits. The script attempts to enumerate installed WordPress plugins and themes, along with their versions.

```bash
nmap --script http-wordpress-enum --script-args host=target.com
```

Replace `target.com` with the actual target hostname or IP address.

The script supports several arguments to refine the scan:

* `http-wordpress-enum.pluginsonly`: Only enumerate plugins.
* `http-wordpress-enum.themesonly`: Only enumerate themes.
* `http-wordpress-enum.search`: Search for a specific plugin or theme by name.

Here are examples using these arguments:

To enumerate only plugins:

```bash
nmap --script http-wordpress-enum --script-args http-wordpress-enum.pluginsonly=true target.com
```

To enumerate only themes:

```bash
nmap --script http-wordpress-enum --script-args http-wordpress-enum.themesonly=true target.com
```

To search for a specific plugin, for example, 'akismet':

```bash
nmap --script http-wordpress-enum --script-args http-wordpress-enum.search=akismet target.com
```

The `-sV` option is also commonly used with this script to attempt to determine service versions running on the target, which can complement the script's findings.

```bash
nmap -sV --script http-wordpress-enum target.com
```

***

## Wordpress Username Enumeration via Login Form

Leverage the difference in error messages returned by the WordPress login form (`/wp-login.php`). When a non-existent username is submitted, the server often returns a distinct message compared to when a valid username but incorrect password is used. This difference can be exploited to enumerate valid usernames from a list. Specifically, WordPress is vulnerable to user enumeration because it provides different error messages for invalid usernames and passwords on the login page. If a user enters an invalid username, the login page typically returns the message 'Invalid username'. If a user enters a valid username but an incorrect password, the login page typically returns the message 'Invalid password'. This distinction allows an attacker to determine which usernames are valid.

Use `hydra` with the `http-post-form` module to automate this. Provide a dictionary of potential usernames (`-L`) and a dummy password (`-p`). Configure `hydra` to identify the specific response string (`F=Invalid username` in this case) that indicates an *invalid username* was used. The `http-post-form` module is used to interact with the login form. The module expects the target specification in the format `"URL:POST_DATA:OPTIONS"`. The string after `/wp-login.php:` defines the POST data (`log=^USER^&pwd=^PASS^`) and the failure condition (`:F=Invalid username`). The `F=<string>` option specifies a string that indicates a failed login attempt. Hydra can be configured to detect the 'Invalid username' message and thus identify valid usernames.

```bash
hydra -L fsocity.dic -p pass 10.10.210.226 http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username"
```

Another example demonstrating the command structure:

```bash
hydra -L users.txt -p dummy_password http://target-wordpress.com http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=Invalid username"
```

Hydra will iterate through the username list. If the response contains the specified failure string, the username is marked as invalid/non-existent. Usernames that do *not* trigger this specific response are likely valid. Adjust the failure indicator (`:F=Invalid username`) based on the target's specific error messages observed. The `http-post-form` module also supports other options like `S=<string>` for success, `B=<string>` for bad password, and `L=<size>` for response size. Another approach is to look for a different response size (`:L=`) for invalid usernames compared to valid ones, although checking the specific error message (`:F=`) is often more reliable. The POST data for the WordPress login form typically includes parameters like `log` (for username), `pwd` (for password), and `wp-submit` (for the submit button value).
