Wordpress to Shell

There is one step, automated in Metasploit, which penetration testers need time-to-time: getting a shell from the admin account of a Wordpress installation.

Here I show you the easiest way to achieve it manually. It will also bring you understanding of how it might be done automatically by tools like Metasploit.

Disclaimer On this web site you might read about or get access to various kinds of software and technology, including but not limited to libraries, operating systems, software for communications, mobile phones and tablets, Android software and Linux, even cars and motorcycles, security and penetration testing software, software used in security research and forensics, some samples of software which can be used (elsewhere) for malicious or illegal purposes. You will read about or be provided with the ways to change it, to operate it and to use it. You might find advice and recommendations, which are only an opinion, and not a legal advice or commercial recommendation..
Bear in mind, please, that everything you do, you do solely at your own risk and responsibility. In no way the author of this web site, information, graphics and other materials presented here or related to it can be made liable or anyhow else responsible for your own actions as well as actions of any third party and their direct or indirect results or consequences with or without the use of this information as well as the software, technology and systems mentioned and/or presented here, no matter if developed by the author or by any third party.
In no way it is guaranteed that you will meet any suitability for any particular purpose, safety, security, legality or even simply functioning of the software and systems described here. You have to make sure each time yourself, whether what you do, is really what you intend to do, and that you are ready to be yourself responsible for. All the recommendations and experiences described here are the opinions of corresponding authors and are to be taken with care and own full responsibility.
The software provided on or through this web site, linked to from this web site or anyhow else related to this web site is provided by the corresponding authors on their own terms. We provide all the software here as is without any guarantees to you. You are responsible for deciding whether it is suitable for you or not. You are also responsible for all direct or indirect consequences of using this software.
Other web sites linked to from the current one are out of the author's control, we can not guarantee anything about their content, its quality or even legality. We can not be liable for any use of the linked to web sites or of the information presented there.
We reasonably try to keep this website running smoothly and to deliver information to the best of our knowledge corresponding to the state of the art at the times when the information is composed, usually presented together with the information, and out of good intents. We can not however guarantee and can not be liable for this website being temporarily or permanently unavailable, presenting unreliable information or software, or any other similar or not malfunctioning or functioning not up to your expectations as well as any consequences which might result from this site's operation.

This is a pentesting article. You should know what you are doing, and have permission to do so. Otherwise you might end-up in jail. In no way I am responsible for any use of this article. If you do not understand it or disagree, please, leave.

WordPress login page

So you know the way past this login page? - Good.

Now you also want to get a nice reverse shell, like this one (copy one, copy two) and apply it.

What is the easiest way to do it when you have the access to Wordpress administration interface? - Well, you shall paste it somewhere and save in the admin interface in a PHP script, which you can easily call later.

I suggest you to go to Appearance, then to Editor, then pick any of the PHP files in the templates, I chose footer.php, and paste there the reverse shell code. Don't forget to change the IP and the port to the ones set up your listener to.

WordPress Theme Editor - editing footer.php

Now let's set up a listener and visit some page which has a footer in Wordpress, e.g. the home page. And voilà!

Reverse shell connected back to nc

Enjoy your shell!