Hacking WordPress without decrypting password hash


    Greetings, Earthpeople!
    Now we'll look at something many of us have come across but didn't know what to do with. I'll also show why, most of the time, there's no need to break WordPress password hashes.
    Imagine a website running WordPress, and that by exploiting some vulnerability (like SQLi) you could access the users table (usually 'wp_users'). But the hash (crypt) used for WordPress passwords scares you. In that case, what would you do?
    We'll see now that there's no reason to panic (if you're not the administrator... and aren't afraid of jail).
    After confirming that the site is vulnerable and having access to the user tables, I run into my rival, which I have working for me: the administration panel.


    And here we have the wp_users table, with all the users. The only columns that really interest us are user_login and user_activation_key.

    Notice: Yes, it really is me, 0KaL. No, I haven't changed my ideology (about Windows and Havij). I used them just so the reader can better understand what I'm showing (agreed that it wouldn't be very easy or intuitive to see a lot of concatenated strings and a hellish URL in the image).


    Now I'll explain: when we use "Forgot password", a token is generated and saved in the users table, in the "user_activation_key" column, to verify the user's email. A link is sent to the administrator's email, and in that link we have, via the GET method, the user login and the token. Our mission is to rebuild that link and access it without having access to the administrator's email.

    First, we click "Lost your password?", below the login form.

    We fill in the user login that we got from the users table. Because of a plugin installed on this example site, we also have to answer a basic math question, as a captcha. Then click Get New Password.

    Done, the token is generated and saved in the database. We now fetch the data again and copy the value of the user_activation_key column.


    Then we use the following template to build the URL:

    Code:
    http://[SITE]/wp-login.php?action=rp&key=[ACTIVATION KEY]&login=[LOGIN]
    Our URL will look like this for this website:
    Code:
    http://automateitapp.com/wp-login.php?action=rp&key=WcshCwwcUrEdnvnenD8C&login=wordpress_admin
    By opening this URL in our browser, we can already choose the new password for the user.


    Choose the password you want. Yes, seriously. After that, we happily receive the message telling us the password was changed successfully.


    It's worth knowing now that the administrator is notified, via email, about the password change. So, if he has some device (like a cellphone) synchronized with his email, he'll know immediately that he's being hacked. This leads to an ugly fight where both keep trying to be the last one to change the password (like a poor man's brawl).
    If you received that email (and you're the administrator), run to the FTP client and create a file named ".htaccess" in the "wp-admin" directory, with the following content:
    Code:
    Order Allow,Deny
    Deny from All
    This way you'll temporarily block all access to the administration panel. Fix the vulnerabilities on your website and change your login details.
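Besides blocking the panel, an administrator can spot this reset abuse in the web server logs: the "Forgot password" request and the reset link (wp-login.php?action=rp&key=...&login=...) arrive from the same client within seconds, whereas a real user reaches the link from their mailbox. The following detector is an added example (not from the original post); the log lines are constructed, and the reset-key value and IP addresses in them are placeholders.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log (placeholder IPs and key); not taken from the post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:14:01:02 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1523
203.0.113.5 - - [10/Oct/2013:14:01:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2013:14:01:40 +0000] "GET /wp-login.php?action=rp&key=EXAMPLEKEY&login=wordpress_admin HTTP/1.1" 200 2210
203.0.113.5 - - [10/Oct/2013:14:01:55 +0000] "POST /wp-login.php?action=resetpass HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2013:15:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1400
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def parse_line(line):
    """Return (ip, timestamp, method, path, query-dict) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("target"))
    return m.group("ip"), ts, m.group("method"), parts.path, parse_qs(parts.query)

def find_reset_chains(lines, window_seconds=300):
    """Flag a 'lost password' POST followed, from the same client IP, by a reset link
    (action=rp with key and login) within window_seconds. Returns (ip, login, delay) tuples."""
    last_lost = {}   # ip -> time of the most recent lostpassword POST from that ip
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, q = rec
        if not path.endswith("wp-login.php"):
            continue
        action = q.get("action", [""])[0]
        if method == "POST" and action == "lostpassword":
            last_lost[ip] = ts
        elif action == "rp" and "key" in q and "login" in q and ip in last_lost:
            delay = int((ts - last_lost[ip]).total_seconds())
            if 0 <= delay <= window_seconds:
                findings.append((ip, q["login"][0], delay))
    return findings

if __name__ == "__main__":
    for ip, login, delay in find_reset_chains(SAMPLE_LOG.splitlines()):
        print(f"suspicious reset chain: {ip} opened a reset link for '{login}' {delay}s after requesting it")
```

Newer WordPress releases store only a hash of the reset key in user_activation_key, but the reset URL pattern the detector matches has not changed, so the same check still applies to current access logs.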

    By clicking the "Log In" link, we're taken to the administration panel. Here we can now log in with the username we obtained from the "user_login" column of the "wp_users" table in MySQL, and the password we just chose.


    Owned.


    (By 0KaL)
    This material may be shared, as long as due credit is given.




    New law: breaking into protected computers is a crime.
    Logic: if I broke in, it wasn't protected. Therefore, it's not a crime :-)