Create a Wordpress Webshell plugin

Create a Wordpress Webshell plugin

Webshells are a really useful stepping stone on the path to a proper reverse shell. The idea is that they use popular scripting based approaches such as PHP to accept some parameters in a GET request. That data then gets executed as a system level command - i.e. against the underlying operating system used by the web site.

The types of activity you can perform are dependent on the privileges associated with the account running the web server. So, highly unlikely to be a direct way to getting root then, but still, a useful way of establishing a foothold. For instance, you might use a webshell to transfer files that could perform local reconaissance. Perhaps you may use a webshell to return a reverse shell back to your attacking computer.

Using a webshell depends on you being able to get code onto a web server. Perhaps you might have found an insecure file upload facility that enables you to upload some sort of webshell. Alternatively, an admin may have left a ‘hidden’ admin console that can be forced to do what you want.

In a Wordpress scenario, you might have struck lucky and found some admin creds for management console, which could allow you to dump a reverse shell script into a ‘404 template’. While that might work, it would get noticed incredibly quickly - so many reverse shells could be getting returned to an attacker IP address, simply due to people fat-fingering a web page address.

Wordpress has it’s own plugin system to extend system functionality. Well, with a little PHP code and careful choice of naming conventions, you might just blend in for a while longer.


You have already gained administrative control of a Wordpress installation.

Creating the webshell plugin

Creating a webshell plugin is very easy to do, so long as you follow a specific template that I have provided below. The code can also be downloaded from my github repo here:

* Plugin Name: WonderfulWebshell
* Plugin URI:
* Description: Wordpress webshell used for demo purposes only
* Version: 1.0
* Author: jckhmr
* Author URI:
* License: https://nosuchlicense


The comments are really the metatdata fields that Wordpress requires. Pretty explanatory stuff. The ‘if’ component is really simple - it looks for a querystring parameter called ‘cmd’. A ‘system’ command is then executed per the supplied value of ‘cmd’. In essence, the malicious plugin is a webshell that will execute commands at the operating system level.

Zipping up the plugin

You need to zip the file up …. i.e. in my case since I used the very imaginative php filename of ‘plug.php’, the corresponding zip file was called ‘’.

Uploading the plugin

To get the webshell plugin working in Wordpress, the following steps apply (I assume you are still logged into the admin control panel):

  • on the control menu at the left, click ‘Plugins’ and then ‘Add New’

Lazysysadmin walkthrough by @jckhmr_t - Adding a new Wordpress plugin

  • Click on ‘Upload Plugin’

Lazysysadmin walkthrough by @jckhmr_t - Uploading a Wordpress plugin

  • Click on ‘Browse …’

Lazysysadmin walkthrough by @jckhmr_t - Browsing for wordpress plugin file (.zip)

  • Find and select the required filed, followed by clicking on the ‘Open’ button (the top-right corner of the file dialog).

Lazysysadmin walkthrough by @jckhmr_t - Selecting the required Wordpress plugin file (.zip)

  • Click the ‘Install Now’ button

Lazysysadmin walkthrough by @jckhmr_t - Click the 'Install Now' button to install a Wordpress plugin

  • Click the ‘Activate Plugin’ button.

Lazysysadmin walkthrough by @jckhmr_t - Activating the Wordpress plugin

  • Underneath the title of the plugin, click on the ‘Activate’ link

Using the plugin

To see the webshell plugin in action, take a a look at the Lazy Sysadmin writeup.

Hopefully you find the plugin a useful addition to your toolkit. I’d be grateful for your feedback/comments/suggestions. You can find me on twitter: @jckhmr_t

Article Photo: Kevin Ku,