In this tutorial, we will demonstrate how to easily upload a backdoored PHP web shell on a target WordPress site via the attacker’s browser with previously acquired WordPress admin credentials. We’ll also provide some useful security tips on preventing adversaries from uploading a PHP web shell.
Web shells are post-exploitation tools: before one can be deployed in an attack, the adversary must first have found a vulnerability in the target web application (or, as in this tutorial, obtained valid credentials for it).
A common way to get a web shell onto a target site is through a page that accepts file uploads, for instance a form that lets visitors submit attachments. Once the file is on the server, a local file inclusion (LFI) vulnerability in the application may then be used to include the uploaded shell in a page so that it executes.
Disclaimer: This is an ethical hacking tutorial. We are not responsible for your own actions.
Uploading A Shell On A WordPress Site
We will illustrate two ethical hacking methods for uploading a web shell to a WordPress site easily.
Method 1: File Manager Plugin
We will install a WordPress plugin called File Manager that will permit us to install a PHP web shell on the target server.
Before we can proceed, ensure that you are logged in as a WordPress admin to access the backend dashboard.
1. In The WordPress Admin Dashboard, Go To Plugins > Add New.
In the search box located to the right, type “file manager“.
2. Click “Install Now” Button Of File Manager To Install The Plugin.
The File Manager plugin allows us to upload a shell easily to the target site.
3. Click “Activate” Button Of File Manager To Activate The Plugin.
4. Go To File Manager.
5. Upload Your PHP Web Shell Via File Manager Plugin.
In this tutorial, we’ll choose to upload the c99 shell to our test server.
6. Under File Manager, Click On Your PHP Shell.
In our example, we select c99.php.
7. Observe That Your Shell Has Been Uploaded.
Congratulations! Your shell has been uploaded to the target server.
If you want to delete a shell, go back to the File Manager interface and right click to delete it.
Method 2: Theme Upload
Another way to upload a shell to a WordPress site is to place the shell inside a theme folder, compress the folder into a zip archive, and upload it as a theme. You could even modify an existing theme file and insert the backdoor code into it.
This technique can be more viable than editing a theme file directly with the Theme Editor built into WordPress, because the site administrator may already have disabled theme file editing in the WordPress interface for security reasons.
Preventing Hackers From Uploading A PHP Web Shell
Preventing attackers from uploading and executing web shells is entirely feasible. The following recommendations help mitigate the risk of web shells:
- Deploy a reputable enterprise Web Application Firewall (WAF) such as F5, Akamai, or Imperva. Either on-premises, in the cloud, or a combination of both will suffice. Note that a WAF does not serve as a substitute for poor security habits. An attacker may be able to bypass a WAF contingent on the circumstances.
- Obtain third-party penetration testing services to perform penetration testing on your server and application.
- Patch the system and application as soon as an update is available.
- If your site has been compromised by a malicious actor, change all existing account credentials tied to the site. Your customers’ credentials will also have been compromised, so notify them to change theirs as well.
- Customize your default WordPress installation and apply hardening techniques to strengthen the CMS. For example, change the name of your WordPress contents folder (default is wp-content) and uploads folder (wp-content/uploads) to decrease the risk of compromise by automated hacking tools and bots.
- Install and use a security plugin such as Wordfence or iThemes Security Pro.
- Edit your server’s existing php.ini file to disable base64_decode. Locate the line that says “disable_functions =” and change it to “disable_functions = eval, base64_decode, gzinflate”.
- Professional penetration testers should always combine manual testing with automated scans using web vulnerability scanners such as Acunetix and Burp Suite Professional.
- Use ModSecurity to scan every uploaded attachment file.
- Be aware that particular file types such as .jpg and .gif may carry malicious PHP code embedded in the image headers.
- Utilize two-factor authentication on the WordPress CMS to decrease security risks in your corporate environment.
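Two of the controls above, disabling theme editing in the WordPress interface (the setting Method 2 works around) and the php.ini disable_functions line, can be audited in configuration. The following script is an added example, not code from the original post, that checks a wp-config.php fragment for the WordPress constants DISALLOW_FILE_EDIT (disables the built-in theme and plugin editor) and DISALLOW_FILE_MODS (also blocks installing plugins and themes from the dashboard, which is what Method 1 relies on), and checks the disable_functions value in a php.ini fragment. One caveat it encodes: eval is a PHP language construct, not a function, so listing it in disable_functions has no effect. The sample fragments are constructed for the demonstration, and the list of recommended functions to disable is an assumption to tune for your own site.

```python
import re

# Functions the post recommends disabling, plus shell-execution functions a
# hardened php.ini commonly lists. Assumption: tune this to what your site needs.
RECOMMENDED_DISABLED = {
    "base64_decode", "gzinflate", "system", "exec",
    "shell_exec", "passthru", "popen", "proc_open",
}

# Language constructs: disable_functions silently ignores these.
LANGUAGE_CONSTRUCTS = {"eval", "include", "require", "include_once", "require_once"}


def parse_disable_functions(ini_text):
    """Return the names on the last active disable_functions line (later lines win)."""
    names = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts an ini comment
        match = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if match:
            names = {n.strip().lower() for n in match.group(1).split(",") if n.strip()}
    return names


def audit_php_ini(ini_text):
    """Report recommended names that are missing and listed names that do nothing."""
    listed = parse_disable_functions(ini_text)
    return {
        "missing": sorted(RECOMMENDED_DISABLED - listed),
        "ineffective": sorted(listed & LANGUAGE_CONSTRUCTS),
    }


WP_DEFINE = re.compile(
    r"define\s*\(\s*['\"](DISALLOW_FILE_EDIT|DISALLOW_FILE_MODS)['\"]\s*,\s*(true|false)\s*\)",
    re.IGNORECASE,
)


def _strip_php_comments(text):
    """Drop /* */ blocks and // or # line comments so commented-out defines are ignored.
    Simplified: does not account for comment markers inside string literals."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return "\n".join(re.split(r"//|#", line, 1)[0] for line in text.splitlines())


def audit_wp_config(php_text):
    """Report whether the two file-modification constants are defined as true."""
    found = {
        name.upper(): value.lower() == "true"
        for name, value in WP_DEFINE.findall(_strip_php_comments(php_text))
    }
    return {
        "file_edit_disabled": found.get("DISALLOW_FILE_EDIT", False),
        "file_mods_disabled": found.get("DISALLOW_FILE_MODS", False),
    }


# Constructed sample fragments (not taken from any real server).
SAMPLE_PHP_INI = """
; constructed php.ini fragment
disable_functions = eval, base64_decode, gzinflate
expose_php = Off
"""

SAMPLE_WP_CONFIG = """<?php
// constructed wp-config.php fragment
define('DB_NAME', 'example_db');
// define('DISALLOW_FILE_MODS', true);
define('DISALLOW_FILE_EDIT', true);
"""

if __name__ == "__main__":
    print("php.ini  :", audit_php_ini(SAMPLE_PHP_INI))
    print("wp-config:", audit_wp_config(SAMPLE_WP_CONFIG))
```

Run against the constructed fragments, the php.ini audit flags eval as ineffective and lists the shell-execution functions that are still enabled, and the wp-config audit reports that the editor is disabled but plugin and theme installation is not, because the DISALLOW_FILE_MODS line is commented out.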
The above advice is significant, but there are other ways to improve WordPress security.
It is essential to protect your WordPress installation as hackers can always take advantage of free tools to scan your site for potential vulnerabilities that they can exploit.
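Both upload methods described above leave the same kind of artefact on disk: a PHP file where only media should live (Method 1), or decode-then-execute code inside a theme file (Method 2). The scanner below is an added example written for this page, not code from the original post or from any WordPress project. It walks a WordPress root and reports PHP-executable files under wp-content/uploads (including double extensions such as name.php.jpg), PHP open tags hidden inside image files as the list above warns about, and eval/base64_decode/gzinflate-style chains inside theme and plugin PHP. The directory tree it scans here is constructed in a temporary folder for the demonstration; the extension list and signatures are assumptions to extend for your own server configuration.

```python
import os
import re
import shutil
import tempfile

# Extensions a typical PHP handler executes. Assumption: match your server's handler map.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Media-only directories: any PHP here is a finding.
UPLOAD_DIRS = (os.path.join("wp-content", "uploads"),)

# A PHP open tag inside a file that is not supposed to be PHP.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Execute-after-decode chains typical of obfuscated backdoors (assumed signature set).
SUSPICIOUS_CALLS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
    rb"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)


def _php_like(path):
    """True if any dotted suffix is a PHP extension, so 'avatar.php.jpg' counts."""
    parts = os.path.basename(path).lower().split(".")
    return any("." + p in PHP_EXTENSIONS for p in parts[1:])


def scan_wordpress(root):
    """Walk a WordPress root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_uploads = any(rel_dir == d or rel_dir.startswith(d + os.sep) for d in UPLOAD_DIRS)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(512 * 1024)  # headers and injected code sit near the top
            except OSError:
                continue
            if in_uploads and _php_like(path):
                findings.append((rel, "php-in-uploads"))
            elif in_uploads and PHP_TAG.search(data):
                findings.append((rel, "php-tag-in-media"))
            if _php_like(path) and SUSPICIOUS_CALLS.search(data):
                findings.append((rel, "decode-and-execute"))
    return sorted(findings)


def build_sample_tree():
    """Constructed WordPress tree (not real data) with four planted problems and two clean files."""
    root = tempfile.mkdtemp(prefix="wp-scan-")

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    write("wp-content/uploads/2024/05/photo.jpg", b"\xff\xd8\xff\xe0JFIF clean image bytes")
    write("wp-content/uploads/2024/05/c99.php", b"<?php /* constructed stand-in for a shell */ ?>")
    write("wp-content/uploads/2024/05/avatar.php.jpg", b"\xff\xd8\xff\xe0JFIF double extension")
    write("wp-content/uploads/2024/05/logo.gif", b"GIF89a<?php eval($_POST['x']); ?>")
    write("wp-content/themes/twentytwentyfour/index.php", b"<?php get_header(); ?>")
    write("wp-content/themes/twentytwentyfour/functions.php",
          b"<?php\n// constructed backdoor line\neval(base64_decode('aGk='));\n")
    return root


def remove_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, reason in scan_wordpress(sample):
        print(f"{reason:20} {rel}")
    remove_sample_tree(sample)
```

Point scan_wordpress at a real document root to run it for real; a clean site returns an empty list. Pair it with the ModSecurity upload scanning recommended above: the scanner catches what is already on disk, while the WAF rule stops the upload before it lands.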