GitBook: [master] 2 pages and 8 assets modified

2024-11-21 20:23:18 +00:00 · 2020-12-27 11:12:11 +00:00 · 2020-12-27 11:12:11 +00:00 · 4b226b1c1b
commit 4b226b1c1b
parent 496b292e26
10 changed files with 68 additions and 1 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/forensics/basic-forensics-esp/linux-forensics.md
+++ b/forensics/basic-forensics-esp/linux-forensics.md
@ -326,7 +326,7 @@ Every block group contains the following pieces of information:
 * inode table: it consists of a series of consecutive blocks, each of which contains a predefined Figure 1 Ext2 inode number of inodes. All inodes have the same size: 128 bytes. A 1,024 byte block contains 8 inodes, while a 4,096-byte block contains 32 inodes. Note that in Ext2, there is no need to store on disk a mapping between an inode number and the corresponding block number because the latter value can be derived from the block group number and the relative position inside the inode table. For example, suppose that each block group contains 4,096 inodes and that we want to know the address on disk of inode 13,021. In this case, the inode belongs to the third block group and its disk address is stored in the 733rd entry of the corresponding inode table. As you can see, the inode number is just a key used by the Ext2 routines to retrieve the proper inode descriptor on disk quickly
 * data blocks, containing files. Any block which does not contain any meaningful information, it is said to be free.

-![](../../.gitbook/assets/image%20%28414%29.png)
+![](../../.gitbook/assets/image%20%28418%29.png)

 The Superblock contains a description of the basic size and shape of this file system. Usually only the Superblock in Block Group 0 is read when the file system is mounted but each Block Group contains a duplicate copy in case of file system corruption.

--- a/pentesting/pentesting-web/wordpress.md
+++ b/pentesting/pentesting-web/wordpress.md
@ -277,6 +277,73 @@ use exploit/unix/webapp/wp_admin_shell_upload

 to get a session.

+## Plugin RCE
+
+### PHP plugin
+
+It may be possible to upload .php files as a plugin.  
+Create your php backdoor using for example:
+
+![](../../.gitbook/assets/image%20%28417%29.png)
+
+Then add a new plugin:
+
+![](../../.gitbook/assets/image%20%28416%29.png)
+
+Upload plugin and press Install Now:
+
+![](../../.gitbook/assets/image%20%28420%29.png)
+
+Click on Procced:
+
+![](../../.gitbook/assets/image%20%28421%29.png)
+
+Probably this won't do anything apparently, but if you go to Media, you will see your shell uploaded:
+
+![](../../.gitbook/assets/image%20%28415%29.png)
+
+Access it and you will see the URL to execute the reverse shell:
+
+![](../../.gitbook/assets/image%20%28414%29.png)
+
+### Uploading and activating malicious plugin
+
+#### **\(This part is copied from** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)**\)**
+
+Some time logon users do not own writable authorization to make modifications to the WordPress theme, so we choose “Inject WP pulgin malicious” as an alternative strategy to acquiring a web shell.
+
+So, once you have access to a WordPress dashboard, you can attempt installing a malicious plugin. Here I’ve already downloaded the vulnerable plugin from exploit db.
+
+Click [**here**](https://www.exploit-db.com/exploits/36374) ****to download the plugin for practice.
+
+![](https://i1.wp.com/1.bp.blogspot.com/-Y_Aw7zSFJZs/XY9pymSjdvI/AAAAAAAAguY/FGyGEzlx9VIqNYyyra9r55IklNmwXwMQwCLcBGAsYHQ/s1600/10.png?w=687&ssl=1)
+
+Since we have zip file for plugin and now it’s time to upload the plugin.
+
+Dashboard &gt; plugins &gt; upload plugin
+
+![](https://i0.wp.com/1.bp.blogspot.com/-FLhqB0I32Mg/XY9pyrlKWAI/AAAAAAAAguU/tofpIetTCv4Mho5y5D_sDuuokC7mDmKowCLcBGAsYHQ/s1600/11.png?w=687&ssl=1)
+
+Browse the downloaded zip file as shown.
+
+![](https://i2.wp.com/1.bp.blogspot.com/-KMumiwE2Tf0/XY9pzznEI4I/AAAAAAAAguk/BavBJP6plFo8NIpa38oWEKfx0jkOXv3HgCLcBGAsYHQ/s1600/12.png?w=687&ssl=1)
+
+Once the package gets installed successfully, we need to activate the plugin.
+
+![](https://i2.wp.com/1.bp.blogspot.com/-YrFg94Y2EZs/XY9pzydfLDI/AAAAAAAAgug/AjZyQ6Na8kUUmquJXwoapxcmr2-8nAMwQCLcBGAsYHQ/s1600/13.png?w=687&ssl=1)
+
+When everything is well setup then go for exploiting. Since we have installed vulnerable plugin named “reflex-gallery” and it is easily exploitable.
+
+You will get exploit for this vulnerability inside Metasploit framework and thus load the below module and execute the following command:
+
+| 1234 | use exploit/unix/webapp/wp\_slideshowgallery\_uploadset rhosts 192.168.1.101set targeturi /wordpressexploit |
+| :--- | :--- |
+
+
+As the above commands are executed, you will have your meterpreter session. Just as portrayed in this article, there are multiple methods to exploit a WordPress platformed website.
+
+![](https://i1.wp.com/1.bp.blogspot.com/-s6Yblqj-zQ8/XY9pz0qYWAI/AAAAAAAAguo/WXgEBKIB64Ian_RQWaltbEtdzCNpexKOwCLcBGAsYHQ/s1600/14.png?w=687&ssl=1)
+
 ## Post Exploitation

 Extract usernames and passwords: