Key Concept: Alter PHP Page Content, Upload Malicious PHP File.
Install Plugin
Install cutomized plugin :
- Generate a plugin with revshell php or msf meterpreter.
- Pack it into zip file.
- Upload using 'Install Plugin' Function.
- Enable(Activate) the installed plugin.
Install vulnerable plugin:
- Install previous & vulnerable plugin (e.g. Responsive Thumbnail Slider)
- Enable(Activate) the installed plugin.
- Exploit using MSF
Edit Theme Page
- Click: Appearance > Theme File Editor
- Select: used theme > 404.php
MSF Admin Shell Upload
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload/
Generate a plugin, pack the payload into it and upload it to a server running WordPress provided valid admin credentials are used.
