Automatically upload WordPress backdoor shell
Wpushell is a tool used to upload a backdoor shell to a site that uses a WordPress Content Management System with a simple and fast process.
Built using the Python programming language and can only be run on the command line terminal.
This tool has advantages which include:
- Fast process.
- Execution of more than one target.
- Easy to use.
Using the asyncronus method, makes this tool run quite well.
The first thing to be prepared is, of course, your computer must have python and pip installed.
There are several ways of installation:
- Clone or [download] (https://github.com/22XploiterCrew-Team/Wpushell) repository.
git clone https://github.com/22XploiterCrew-Team/Wpushell.git
- Perform the installation of the required dependencies which have been written in the
requirements.txt
file.
pip3 install -r requirements.txt
Or you can clone/download repo and install it from the directory to use as a Python package.
- Use the
setup.py
file for installation.
python3 setup.py install
- Or in a simpler way.
pip3 install .
python3 -m wpushell <target_file> [options]
or in a simpler way, If you have installed this tool as a module, you can simply run it easily like this:
wpushell <target_file> [options]
you can also run this tool not as a module by calling the run.py file, it's very simple man.
./run <target_file> [options]
Target
Simple to use by adding one argument to fetch/read files from the target site:
wpushell sites.txt
Or combine tool with other through input/output pipelining:
cat randsx/22xploitercrew/wordpress-sites.txt | wpushell -fstdin
To be able to upload your backdoor shell, you must first have managed to find the username and password (credentials) used to login to the target site.
In order for the program to read the target you have specified, the expected format should be like this:
https://target1.com/ -> [username::password]
https://target2.com/ -> [username2::password2]
So the ->
character is the separator between the site and the credentials, the credentials are wrapped in square brackets and separated using the ::
character.
Maybe this is a bit complicated, but this is the only way that comes to my mind :D.
Proxy
This tool is supported by a proxy that can be used to make HTTP requests, simply do it like this:
wpushell sites.txt -x socks5://127.0.0.1:1337
This tool expects a proxy of type socks5, so I hope you do what it says.
You can search for proxies through the websites of free proxy providers such as https://spys.one/en/socks-proxy-list/.
If you find any errors in this tool, we hope you can help us by contributing to make this tool even better than before, or you can create a new issue to describe the program errors you find.
The Wpushell is opened-source tool licensed under the MIT license.