
Reverse shell WordPress: Multiple Methods

Hello aspiring ethical hackers. In our previous blogpost, you learnt how to enumerate WordPress. In this article, you will learn multiple methods to reverse shell WordPress. As you all might already know, WordPress is a popular open source Content Management System (CMS) written in PHP that uses MySQL or MariaDB as its database. It started as a basic blogging tool in 2003 but is now used by over 532 million websites.

It is very important to learn about WordPress hacking in your ethical hacking career. After you enumerate a WordPress website and gain initial access to it using the credentials obtained during enumeration, the next step is gaining a shell. In this article, we will show you multiple methods to do that. This assumes that you have already obtained WordPress credentials and have access to the WordPress dashboard.

1. Reverse shell through vulnerable plugins

One of the reasons for the popularity of the WordPress CMS is its plugins. WordPress plugins are extensions that add functionality to the WordPress CMS. WordPress has over 70,000 plugins. During pen testing, we can exploit vulnerable plugins to reverse shell WordPress.

Many vulnerable plugins can be downloaded from websites like Exploit Database. We will use one such WordPress plugin, Responsive Thumbnail slider version 1.0. This version of the plugin has an arbitrary file upload vulnerability that can be used to upload a malicious payload to the website. Since this target doesn’t have this vulnerable plugin installed, let’s upload the plugin ourselves and activate it.

Once the plugin is uploaded and activated, Metasploit can be used to exploit this vulnerable plugin. Start Metasploit and load the wp_responsive_thumbnail_slider_upload module as shown below.

Use the check command to confirm that the target is indeed vulnerable.

After setting the credentials and executing the module, we get a meterpreter session on the target.

Here’s another famous WordPress plugin that can be exploited.

2. Reverse shell by editing WordPress theme

WordPress themes enhance the look of WordPress websites. The content of these themes can be edited to upload a reverse shell on the target. For this tutorial, we will upload the infamous C99 webshell.

Here, the 404.php page of the theme has been edited so that it contains the code of the C99 web shell. Once the edited file is saved, all that needs to be done is to visit that page.

With C99 shell on the target website, there are a number of options to play with.

3. Reverse shell by uploading a malicious plugin

Uploading a malicious plugin is another way of gaining a reverse shell on a WordPress website. GitHub hosts many such malicious WordPress plugins. Let’s use one of them, named malicious WordPress plugin, that can be downloaded from here.

After navigating into the “malicious-wordpress-plugin” directory, execute the wordpwn.py script. It will show the usage of the script.

Execute the script again, setting LHOST and LPORT and enabling the handler option, i.e. the “Y” option. This will start a Metasploit handler.

By this time, a new file named “malicious.zip” has been created in the “malicious-wordpress-plugin” directory.

Upload this plugin into WordPress and activate it just like any other plugin.

This newly uploaded web shell can be accessed from the two URLs given below.

http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
http://(target)/wp-content/plugins/malicious/QwertyRocks.php

In this specific instance, the web shell got executed by visiting the first URL. This will give us a meterpreter session on the already listening handler.

4. Reverse shell using Metasploit Framework

Here is another simple method to gain a reverse shell. Metasploit Framework has a module that uploads a reverse shell as payload once the WordPress credentials are known. Start Metasploit and load the exploit/unix/webapp/wp_admin_shell_upload module.

Set all the required options, including the credentials, and execute the module.

This will give us a meterpreter session successfully. These are four common methods to reverse shell WordPress websites. You can decide your favorite method of gaining a reverse shell on WordPress. Next, learn how to enumerate Joomla, another popular CMS, with Metasploit.
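All four methods leave the same traces in the web server's access log: a plugin upload or a theme editor request from the dashboard, then a direct request for a PHP file under wp-content/plugins. The following detection sketch is an added example, not part of the original post or of any tool named in it. It assumes the Apache/Nginx "combined" log format and that the theme editor is opened with a `file` query parameter; the log lines are constructed and the rule names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:40 +0000] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentytwenty HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:11 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:30 +0000] "GET /wp-content/plugins/malicious/wetw0rk_maybe.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:03:00 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:03:05 +0000] "GET /?p=1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/([^/]+)/[^/]+\.php$")


def find_alerts(log_text):
    """Return (ip, rule, detail) tuples for dashboard actions that can place PHP on disk."""
    alerts, uploaders = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if (url.path == "/wp-admin/update.php" and method == "POST"
                and query.get("action") == ["upload-plugin"]):
            uploaders.add(ip)  # remember who uploaded a plugin archive
            alerts.append((ip, "plugin-upload", url.path))
        elif url.path == "/wp-admin/theme-editor.php" and "file" in query:
            alerts.append((ip, "theme-file-editor", query["file"][0]))
        elif PLUGIN_PHP_RE.match(url.path) and status == "200" and ip in uploaders:
            # Plugin PHP files are normally loaded by WordPress, not fetched directly.
            alerts.append((ip, "direct-plugin-php-after-upload", url.path))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert, sep="\t")
```

The theme rule flags opening the editor on a file rather than the save itself, because the save request may not carry the file name in the URL.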
