Thursday, May 26, 2016

How to wordpress website with SQLi vuln. + shell upload + deface

As requested by a few of you, I decided to make this small tutorial on how to a WordPress site that has an SQLi in a plugin.

So let's begin.
I will use this 0day by JoinSeventh.

First of all we need to find a vulnerable page.
We enter this in Google:
:# Dork 1 (config.p)

# Dork 2 (playlist.p)

# Dork 3 (eral):
Once you have found your site, you need to find the admin email and username.
I will be using this site for example:

When I add ' the text disappears, so it is vulnerable.

NOTE: I will not demonstrate how to SQL inject.

Now we need admin username and email.
We need to inject:
: UNION SELECT 1,2,3,group_con(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
Now we have 2 users.

We pick one and copy his email.
Go to the login page of the site.
It is usually here:
And press "Lost your ?"

Now you enter either username or email.
We can enter both, so it doesn't matter.
I entered email.

Now, when you get:

"Check your e-mail for the confirmation link."

It means that the reset was successfully sent.
Now we need to get the .

Go back to the syntax you used for extracting email and username and do this:
: UNION SELECT 1,2,3,group_con(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--

: UNION SELECT 1,2,3,group_con(user_login,0x3a,user__,0x3b),5,6,7,8,9,10,11 FROM wp_users--
Now we just need to reset it.

Go to:
NOTE: Replace = & login=

So my link will be:

Enter new :

Login with new and shell it.

Download p shell
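
From the defender's side, the UNION SELECT requests against wp_users shown above are visible in the web server's access log whenever they arrive in a GET query string. The Python scan below is an added example, not part of the original post; the log lines, plugin path and parameter name are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample (combined log format); IPs, plugin path and parameter are made up.
P = "/wp-content/plugins/example-plugin/view.php"
SAMPLE_LOG = "\n".join([
    f'198.51.100.4 - - [26/May/2016:10:00:01 +0000] "GET {P}?id=4 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [26/May/2016:10:02:11 +0000] "GET {P}?id=4%27 HTTP/1.1" 200 310',
    f'203.0.113.9 - - [26/May/2016:10:03:40 +0000] "GET {P}?id=-4+UNION+SELECT+1,2,3,'
    f'user_login,5+FROM+wp_users-- HTTP/1.1" 200 640',
    f'203.0.113.9 - - [26/May/2016:10:04:02 +0000] "GET {P}?id=-4%20uNiOn%20sElEcT%201,2,3,'
    f'user_email,5%20fRoM%20WP_USERS-- HTTP/1.1" 200 655',
    '198.51.100.4 - - [26/May/2016:10:05:00 +0000] "GET /?s=union+rules+for+wp_users HTTP/1.1" 200 9000',
])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
# UNION SELECT reading from a *users table; prefix matched loosely (wp_ is only the default).
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b.+?\bfrom\s+\w*users\b", re.I | re.S)

def normalise(query):
    """Percent-decode twice (covers double encoding), turn '+' into spaces, collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(query)))

def scan(log_text):
    """Return (ip, timestamp, kind, status) for each suspicious GET query string."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target, status = m.groups()
        query = normalise(urlsplit(target).query)
        # The UNION match is high confidence; a bare quote is noisy on its own.
        kind = ("union-select-users" if UNION_RE.search(query)
                else "quote-probe" if "'" in query else None)
        if kind:
            findings.append((ip, ts, kind, int(status)))
    return findings

def escalated_clients(findings):
    """Clients that sent both a quote probe and a UNION SELECT on a users table."""
    probes = {f[0] for f in findings if f[2] == "quote-probe"}
    return sorted({f[0] for f in findings if f[2] == "union-select-users"} & probes)

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("escalated:", escalated_clients(hits))
```

Payloads sent in POST bodies do not show up in a standard access log, so this only covers the GET case. The underlying fix is for the plugin to build its query with `$wpdb->prepare()` instead of concatenating request parameters into SQL.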
