WpShellUploader — Feature Documentation

Overview

WpShellUploader is a WPF (Windows Presentation Foundation) desktop application developed in C# (.NET 6) designed for automated web shell uploading to WordPress sites. The tool first validates credentials, then attempts to upload a PHP shell using 9 different upload methods, and finally verifies that the shell is accessible.


Project Architecture

The project follows the MVVM (Model-View-ViewModel) design pattern:

WpShellUploader/
├── Models/           → Data models (WpTarget)
├── Views/            → XAML UI (MainWindow)
├── ViewModels/       → UI Logic (MainViewModel, DynamicSemaphore)
├── Services/         → Business services (ShellUploadService, AdaptiveThreadManager, FileService)
├── Converters/       → Value converters for XAML bindings
├── Themes/           → Dark visual theme (DarkTheme.xaml)
├── Files/            → Payload files (index.php, plugin.zip, theme.zip)
├── App.xaml          → Global app configuration
└── WpShellUploader.csproj → .NET 6 project file

Key Features

1. Nine Web Shell Upload Methods

The tool attempts to upload the shell using 9 different methods in order of reliability:

| # | Method | Description |
|---|--------|-------------|
| M1 | Plugin Upload | Uploads a malicious plugin ZIP via /wp-admin/update.php?action=upload-plugin |
| M2 | Theme Upload | Uploads a malicious theme ZIP via /wp-admin/update.php?action=upload-theme |
| M3 | Theme Editor | Injects code into the theme editor (/wp-admin/theme-editor.php) |
| M4 | Plugin Editor | Injects code into the plugin editor (/wp-admin/plugin-editor.php) |
| M5 | Media REST | Uploads file via WordPress REST API (/wp-json/wp/v2/media) |
| M6 | File Manager | Uses file manager plugins if installed |
| M7 | Ajax Upload | Uploads via WordPress AJAX endpoint (admin-ajax.php) |
| M8 | XML-RPC | Uploads file via XML-RPC wp.uploadFile method |
| M9 | Direct Write | Attempts to write directly to the server |

Each method includes post-upload verification to confirm the shell is accessible.

2. Adaptive Threading System (AIMD)

The AdaptiveThreadManager uses a strategy similar to TCP congestion control:

  • AIMD (Additive Increase, Multiplicative Decrease):

    • Additive increase: Gradually increases threads when the network responds well
    • Multiplicative decrease: Drastically reduces when problems are detected
  • Initial auto-detection:

    • Analyzes system CPU cores
    • For I/O tasks (HTTP), optimal concurrency is much higher than CPU core count
    • Base formula: cores × 10 for minimum, cores × 30 for maximum
  • Real-time dynamic adjustment:

    • Monitors network success/failure rates
    • Differentiates between login errors (not network errors) and real timeouts
    • Adjusts at each interval based on performance metrics
  • Manual mode: A fixed thread count can be specified (0 = auto-detect)

3. DynamicSemaphore — Resizable Semaphore

Custom semaphore implementation that can be resized at runtime:

  • Increase: Releases additional permits immediately
  • Decrease: Permits are consumed naturally as workers complete
  • Thread-safe: Protected with lock for resize operations

4. Credential Validation via XML-RPC

Before attempting an upload, the tool validates credentials using:

  • wp.getUsersBlogs — Login verification
  • wp.getProfile — Role and capability extraction
  • Role detection (Administrator, Editor, Author, etc.)

5. Post-Upload Shell Verification

After each upload method:

  1. Constructs the expected shell URL
  2. Makes a GET request to the shell
  3. Searches for a specific marker in the response
  4. Confirms the shell is operational

6. Multi-Format Input Support

Accepts credentials in the same formats as WpSiteChecker:

| Format | Example |
|--------|---------|
| Hash (# + @) | https://example.com#user@password |
| Pipe (\|) | https://example.com\|user\|password |
| Em-dash (–) | https://example.com–user–password |
| ULP/Colon (:) | example.com/wp-login.php:user:password |

7. Included Payload Files

The project includes payload files in the Files/ directory:

| File | Description |
|------|-------------|
| index.php | Obfuscated PHP shell (main payload) |
| plugin.zip | WordPress plugin packaged with the shell |
| theme.zip | WordPress theme packaged with the shell |
| plugin/ | Decompressed plugin directory |
| theme/ | Decompressed theme directory |

8. Detailed Real-Time Statistics

The interface displays:

  • Total targets in file
  • Processed / Login OK / Shell OK
  • Login Failed / Upload Failed / Timeouts
  • Administrators / Editors / Authors
  • Active threads / Optimal threads
  • Success rate (% shells over processed)
  • Login rate (% logins over processed)
  • Speed (sites/second)
  • Progress (percentage bar)
  • Elapsed time (HH:MM:SS format)
  • Thread mode (Auto/Manual)

9. Organized Result Export

Results are saved to Results/Results_YYYY-MM-DD_HH-mm-ss/:

| File | Content |
|------|---------|
| login_ok.txt | Successful logins |
| shells.txt | Uploaded shell URLs |
| shells_full.txt | Shells with method and full credentials |
| login_failed.txt | Failed logins with error details |
| upload_failed.txt | Login OK but upload failed |
| administrators.txt | Administrator accounts |
| editors.txt | Editor accounts |
| authors.txt | Author accounts |
| method_*.txt | Results by upload method |
| Successfully_logged_WordPress.txt | Successful login in hash format |

10. Interface Features

  • Import file — Select credentials file
  • Start/Stop processing
  • Copy shells to clipboard (all shell URLs)
  • Open results folder in file explorer
  • Filter by role (All, Administrator, Editor, Author)
  • Auto Threads toggle — Enable/disable adaptive threading
  • Configure timeout (5-120 seconds)
  • Configure threads (0=auto up to 500)
  • Activity log with timestamps (max 500 entries, reverse order)

11. Intelligent Network Error Management

The system correctly differentiates between error types:

| Error Type | Network error? | Threading effect |
|------------|----------------|------------------|
| Wrong credentials | No — server responded | Does not penalize threads |
| Timeout | Yes — server did not respond | Reduces threads |
| Connection refused | Yes — could not connect | Reduces threads |
| Host not found | Yes — DNS failed | Reduces threads |

12. Streaming Processing

  • Asynchronous line-by-line file reading
  • Does not load entire file into memory
  • Producer-consumer pattern with DynamicSemaphore

13. Security & Robustness

  • Permissive SSL/TLS: Accepts self-signed certificates
  • Rotating User-Agent: Emulates real browsers
  • Nonce extraction: Extracts WordPress security tokens for each operation
  • Automatic decompression: GZip and Deflate
  • Redirect and cookie handling
  • Safe cancellation: Full CancellationToken support

Technical Requirements

  • Framework: .NET 6 (Windows)
  • Application type: WPF (Windows Presentation Foundation)
  • Dependencies: System.Text.Json v8.0.5
  • Operating system: Windows 10/11
  • Requirement: Files/ folder with index.php (PHP shell)

Workflow

1. Application loads shell from Files/index.php
2. Import credentials file (.txt)
3. Configure threads (0=auto, 1-500) and timeout (5-120s)
4. Start processing:
   a. Initialize AdaptiveThreadManager
   b. For each target (streaming):
      i.   Parse credentials (multi-format)
      ii.  Validate login via XML-RPC
      iii. If login OK: detect role
      iv.  Try 9 upload methods in sequence
      v.   Verify shell is accessible
      vi.  Save organized result
   c. Adjust threads dynamically (AIMD)
5. Display real-time statistics
6. On completion: final summary with speed and rates
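
Seen from the targeted site, this workflow leaves a compact trail in the web server access log: an XML-RPC POST, then requests to several of the write surfaces listed under M1 to M7, then a GET for a PHP file under wp-content. The detector below is an added defender-side example, not part of the WpShellUploader project; it assumes common log format and the standard /xmlrpc.php path, the 5-minute window and 3-surface threshold are illustrative, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Write surfaces named in the method table (M1-M5, M7).
SURFACES = {
    "plugin-upload": re.compile(r"/wp-admin/update\.php\?.*action=upload-plugin"),
    "theme-upload": re.compile(r"/wp-admin/update\.php\?.*action=upload-theme"),
    "theme-editor": re.compile(r"/wp-admin/theme-editor\.php"),
    "plugin-editor": re.compile(r"/wp-admin/plugin-editor\.php"),
    "media-rest": re.compile(r"/wp-json/wp/v2/media"),
    "admin-ajax": re.compile(r"/wp-admin/admin-ajax\.php"),
}
PHP_IN_CONTENT = re.compile(r"^/wp-content/\S+\.php")
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_sweeps(lines, window=timedelta(minutes=5), min_surfaces=3):
    """Flag clients that POST to xmlrpc.php and then touch several write surfaces within `window`."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_ip[ev[0]].append(ev)
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[1])
        start = next((e[1] for e in events if e[2] == "POST" and e[3].startswith("/xmlrpc.php")), None)
        if start is None:
            continue
        recent = [e for e in events if start <= e[1] <= start + window]
        hit = {name for e in recent for name, rx in SURFACES.items() if rx.search(e[3])}
        probes = [e[3] for e in recent if e[2] == "GET" and e[4] == 200 and PHP_IN_CONTENT.match(e[3])]
        if len(hit) >= min_surfaces:
            findings.append({"ip": ip, "surfaces": sorted(hit), "php_probes": probes})
    return findings

SAMPLE_LOG = [  # constructed lines in common log format, not real traffic
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 9120',
    '203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 9033',
    '203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 7710',
    '203.0.113.7 - - [10/Mar/2024:12:00:08 +0000] "GET /wp-content/themes/example/x.php HTTP/1.1" 200 64',
    '198.51.100.20 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58',
]
```

On sites that do not need in-dashboard code changes, setting the WordPress constants DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS in wp-config.php removes the editor and plugin/theme upload surfaces (M1 to M4) altogether.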