0xma Cyber Security Articles




August 13, 2021

Reverse Shell in WordPress via Theme (Template) Edit Feature

In this tutorial we will see how to get a reverse shell on a WordPress server by editing a theme. The assumption is that we already have administrative access to the WordPress server which allows us to edit a template.

Let's login to the WordPress server.

Login to WordPress.

Upon a successful login, we will see the Dashboard page.

WordPress dashboard.

On the sidebar, hover your mouse over "Appearance" and then click on "Editor".

Open the theme editor.

From the drop-down list on the top-right corner, select a theme to edit which in this case is the "Twenty Seventeen" theme and then click on a template to edit which in this case is the 404 Template (404.php).

Open the 404.php template file in the Twenty Seventeen theme.

Now we need a PHP reverse shell to insert into the template code. So, let's copy a PHP reverse shell that comes in Kali Linux to our working directory (this step is not really necessary).

Copy the PHP reverse shell file to the current working directory.

We modify the PHP reverse shell by entering our own IP address and the port on which we will be listening.

Modify the PHP reverse shell file.

After copying the PHP reverse shell, we paste it into the template file.

Paste the PHP reverse shell into the template file.

And then we click on "Update File".

Update the template file.

WordPress displays the message that says "File edited successfully.".

template edited successfully.

Now that the template file contains our PHP reverse shell code, we can run the reverse shell by browsing the template file via a browser such as Firefox, Chrome, etc. or we can also trigger the reverse shell by using wget.

curl command to trigger the template file.

Please note that we have to have a listener running before we trigger the reverse shell in the previous step. Running nc -lvnp 1234 creates a listener and when we trigger the reverse shell code, we receive a connection from the target. Now we have access to the WordPress server with the privileges of "www-data".

netcat (nc) reverse shell connection.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.