Wopper is a tool designed for exploiting WordPress vulnerabilities, allowing attackers to upload, execute, and obfuscate PHP files efficiently. It supports various operations with minimal commands and is potentially useful for both offensive and defensive cybersecurity strategies. Affected: WordPress websites
Keypoints :
- WordPress powers approximately 43% of all websites on the Internet.
- Code execution is one of the most dangerous attacks possible after obtaining admin credentials.
- The process involves logging into admin, uploading a PHP file, and executing it.
- Wopper automates the exploitation process, enabling multiple operations with single commands.
- The tool can upload, execute, delete, obfuscate PHP files, and convert scripts to self-destructing versions.
- Default, Scrub, Inject, and Command modes provide various functionalities based on user needs.
- Detection strategies are suggested to mitigate Wopper’s exploitation capabilities effectively.
MITRE Techniques :
- T1203 – Exploitation for Client Execution: Uploading and executing malicious PHP files using admin credentials.
- T1071 – Application Layer Protocol: Utilizing HTTP to upload files (e.g., /wp-admin/update.php).
- T1609 – Container Admin: Potential use of web server processes to spawn child shell processes.
Indicator of Compromise :
- [URL] /wp-admin/update.php?action=upload-plugin
- [URL] /wp-content/uploads/ (Potential upload destination for malicious files)
- [User-Agent] Wopper by NetSPI
- [File Extension] .php (PHP files created during upload)
- [Process] HTTPD spawning /bin/sh or bash (indicating a web server exploit)