Wordpress admin shell upload manual method?

I searched around and saw a lot of very specific questions about the SHIELD machine in Starting Point, but my question is a bit more general. I’m less interested in learning how to use MSF inside and out than I am in knowing exactly what’s going on with the machines I’m hacking, the underlying theory, why what I’m doing is working so I can get better.

The Rapid7 page on wp_admin_shell_upload says that the module is generating a WP plugin that is then uploaded to pop the shell. Okay. Maybe I don’t always have easy access to MSF, or maybe I’m more interested in the “why” than the result. It’s also not clear which CVE this module exploits, exactly, from the given documentation. Wordpress has had a LOT of vulnerabilities, it turns out lol. Even in 2015 alone.

The source code for the module isn’t super helpful, as it’s very msfconsole-specific. Could someone with the know-how please walk me through a manual way of exploiting this? Alternatively, which CVE should I be looking at if I want to do some research on my own?

General internet searches have led me to a lot of videos and such of people using wpscan to brute force the credentials, but here, I already have the credentials. Lot of resources just walking you through how to use a particular msf module ("look at the options, here’s what “rhosts” is, yada yada) and again, not really what I’m looking for here.

Is it as simple as uploading (and then finding and running) some standard malicious php reverse shell script, or does it have to be a WP plugin specifically? Or some other special method I don’t know about?

As far as I know, it really is only a simple PHP webshell wrapped into the shape of a wordpress plugin. Here’s the relevant part from the Wordpress dev page about how plugins work:

When WordPress loads the list of installed plugins on the Plugins page of the WordPress Admin, it searches through the plugins folder (and its sub-folders) to find PHP files with WordPress plugin header comments. If your entire plugin consists of just a single PHP file, like Hello Dolly, the file could be located directly inside the root of the plugins folder. But more commonly, plugin files will reside in their own folder, named after the plugin.

Basically, the PHP file has to start with the header comment that tells Wordpress that it belongs to a plugin: Header Requirements | Plugin Developer Handbook | WordPress Developer Resources
From there, you are then free to add whatever PHP code you want. Keep in mind though, that (at least sometimes) the system() and other “dangerous” functions can be deactivated on the server :wink:

Type your comment> @HomeSen said:

As far as I know, it really is only a simple PHP webshell wrapped into the shape of a wordpress plugin. Here’s the relevant part from the Wordpress dev page about how plugins work:

*snip*

From there, you are then free to add whatever PHP code you want. Keep in mind though, that (at least sometimes) the system() and other “dangerous” functions can be deactivated on the server :wink:

Oh wow, that’s pretty simple. So I could just take any PHP shell I’ve got lying around and tack a WP plugin header/signature on it? Dang. I’ll have to try testing that on SHIELD. Thanks for the info!

@applebaps said:

Oh wow, that’s pretty simple. So I could just take any PHP shell I’ve got lying around and tack a WP plugin header/signature on it? Dang. I’ll have to try testing that on SHIELD. Thanks for the info!

According to the docs, this is all that needs to be done, yes.

This is interesting! I am looking to do the same manually. I have my reverse shell plugin ready. Also I have my admin credentials ready.

But how to upload manually like the Metasploit module, without accessing the wp-admin page?

(I know how to upload reverse shells from the wp-admin but Metasploit does it without needing to accessing the wp-admin)

@II0 said:

This is interesting! I am looking to do the same manually. I have my reverse shell plugin ready. Also I have my admin credentials ready.

But how to upload manually like the Metasploit module, without accessing the wp-admin page?

(I know how to upload reverse shells from the wp-admin but Metasploit does it without needing to accessing the wp-admin)

Haven’t looked into the code, but it’s most likely possible via the xmprpc.php endpoint. But it might as well be that MSF just does the whole:

  • log into wp-admin
  • grab CSRF token for plugins upload
  • upload plugin
  • activate plugin

dance :wink:
Just because it doesn’t visually open the wp-admin page, doesn’t mean it really isn’t using it.