Takeover web hosting server using WordPress files – part two

Disclaimer: This post is for educational purposes only. It shows what a hacker can do if WordPress files are left uninstalled on a server, so that other authors who are just starting blogging know the risk. The author is not responsible if someone uses it for an illegal purpose.

This is the follow-up to the first post, Takeover web hosting server using WordPress files. Let’s call this post Takeover web hosting server using WordPress files part two.

As said before, the fun part starts here. Now that we have admin access to WordPress, there are unlimited things we can do. Think like a hacker. The first thing a bad actor does is find out the server type: whether the server hosting this account is a dedicated server, a testing/staging server or a shared server. In any case, if someone has WordPress admin access, it is as if they own the server. Here I will show you how a hacker can upload a PHP payload and run Linux commands. If you do not know what a payload is, think of it as a piece of code that will do a task for us.

From the admin dashboard go to the theme editor (Appearance –> Theme Editor).

In the theme editor, choose the 404 template as shown in the image below and insert the following PHP command at the top of it.

The characters may have been altered by the blog’s formatting, so please check the screenshot for the exact syntax.

Click on the Update button.

Next, we will browse the 404 page directly. Generally it is used to show that a page does not exist when someone, intentionally or unintentionally, browses something that is not on the website. We will see the same 404 page, with nothing on it. But we will do something other than simply browsing the 404 page: we will append ?cmd=linux-commands to the end of the PHP file’s URL. The Linux commands can be anything. You will get a better idea from the following screenshot.

ls is a simple Linux command that just lists files and directories. As you can see above, we were able to run a Linux command. From here a hacker can run commands and do much more: inject malicious JavaScript/PHP, use your website for advertisements, spam, etc.
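The two things a site owner can actually watch for in this scenario are (a) a theme template file such as 404.php changing on disk after the site was set up, and (b) a theme .php file being requested directly with a query string, which a normal visitor never does because WordPress includes templates through index.php. The script below is an added detection example written for this post, not code from the original article or from WordPress. The theme directory layout, the log lines and the IP addresses are all constructed sample data; the Apache combined-log format is assumed.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# --- 1. File-integrity baseline for wp-content/themes ----------------------

def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 of every .php file under root, keyed by path relative to root.
    Take a baseline right after a clean install; re-run it on a schedule."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.php"))
    }

def changed_files(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Files whose hash differs from the baseline, plus files the baseline never saw.
    An edit made through Appearance -> Theme Editor shows up here."""
    return sorted(
        path for path, digest in current.items()
        if baseline.get(path) != digest
    )

# --- 2. Access-log detection of direct hits on theme templates -------------

# Apache/nginx combined log format (assumed): ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Theme templates are loaded by WordPress itself; browsers request them by
# path only when someone is poking at them, so a direct hit is worth an alert.
THEME_TEMPLATE_RE = re.compile(r"^/wp-content/themes/[^/]+/.+\.php$")

def suspicious_requests(log_lines: List[str]) -> List[dict]:
    """Return one finding per direct request to a theme .php file.
    A query string raises severity: the parameter name need not be 'cmd',
    so we flag any parameters rather than a fixed name."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        parts = urlsplit(m.group("target"))
        if not THEME_TEMPLATE_RE.match(parts.path):
            continue
        params = parse_qs(parts.query)
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "path": parts.path,
            "status": int(m.group("status")),
            "params": params,
            "severity": "high" if params else "medium",
        })
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 910 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-content/themes/twentytwenty/404.php?cmd=ls HTTP/1.1" 200 312 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} -> {f['path']} params={f['params']}")
```

Run `hash_tree()` against wp-content/themes once the site is installed, store the result, and diff against a fresh run from cron; feed the web server's access log through `suspicious_requests()` in the same job. As a preventive measure, WordPress lets you switch the theme and plugin editors off entirely by adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php, which removes the editing path this post relies on.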

To summarize: maybe the developer did not have enough time to finish installing your WordPress website, or you were trying to install it yourself but forgot to complete the installation. Either way, you should never, ever leave the installation files sitting ignored in a web root directory.

That is all for now. See you in the next post.
