How to hack a wordpress site

Just as an example - how would one go to hack a wordpress site.


  • You go to the site you want to hack, use a siffer to find the framework the site was built with, I use a chrome plugin for this task (Wappalyzer).
  • Now that we know we stand before a wordpress site, we need to find the login page, for that we will begin with a google search to find the "default wordpress login url" (http://example.com/wp-admin or http://example.com/wp-login.php)
  • If the site owner was clever (be clever!) and changed the default url for the login, we will use a tool like DirBuster (unix only?) to crawl the site in order to find all urls (from them you will recognize the login url)
  • Now that we have the login page we will want to attempt to brute force our way in, but a bruteforce where we try to guess the username AND the password is hopeless as the number of tries is HUGE, so we will try to find the username. In wordpress there is a "feature" called author enumeration where each author has his numeric ID, so just go to the blog's url and add the following to the url "/?author=1" which will show you all of the posts of the first author (probably the administrator), you can keep going with the nubmers in order to find all authors, so in our case we will run the following url: "http://example.com/?author=1", now we have the author = main user name!
  • As we now have the main username, the bruteforce becomes much simpler, we need to guess only the password! So we need a list of passwords, go online and download a good list of passwords.
  • You can also create your own list by using a tool called Crunch to create a file containing a list of passwords. For example if you know that the password is four characters long, and doesn't contain capital letters then you can just create a file with all possible combinations of lower cased letters and numbers using crunch (apparently 71mb of combinations, I used the following command to check this one out: "crunch 1 4 -f /usr/share/rainbowcrack/charset.txt mixalpha-numeric -o wordlist.txt" (1 to 4 long passwords, containing characater sets from a file, defining mixalpha numeric as all alpha characters and numbers, outputting the result to a file).
  • For the last stage we will use a tool which will use the username and the list of passwords in order to bruteforce its way into the login page, Hydra is a good candidate for that (xHydra for a gui in unix), the way it works is you give it the login url, the username and password html handlers (IDs), then you supply the username (admin?), and the list of paswords, the last component it needs is the response the page sends when the user fails to login, that way it will continue trying untill it doesn't get that response, an exapmle command will look like: 
    • hydra -l admin -p passwords.txt -t 7 (threads) -m /wp-login.php:user_login=^USER^&user_pass=^PASS^:failed login (failure message) www.example.com http-post-form (POST method) -- All of the prenthesis are my "comments"
  • That's it, with an admin username and password the wordpress site is yours for the taking
  • The downside of bruteforce attacking is that it is going over network, so it is slow, which means that you can't try using lists which are too large (if you are cracking local passwords which are not over network then you can use huge lists, but over network it won't work, it will take months...), so if you don't manage to hack a site using the slim password lists then you must revert to an other way of hacking the site
  • Another problem you might encounter is if the site owner was smart (be smart!) he can eliminate all bruteforce attacks by using a simple plugin which identifies bruteforce attacks and locks your IP, in this case you also need to revert to an other method of hacking
  • If you must try other methods, then I would go for exploiting site vulnerabilities
    • Scan the WP site with WPScan

Comments

Post a Comment

Popular posts from this blog

Profiling Java @ 2019

A good profiler can really help you in your work while coding Java (I assume while coding any coding language but I am referring to Java here) It can find memory leaks (Which object and how many of it takes the most of your limited memory?), CPU bottlenecks and other surprising data like the time consumed by each network call / DB query etc. Thus it is not so surprising to find many different java profilers around. I will try to map here the Java profiling tools lying around My short list of requirements will include the following: Profiler Requirements Constantly updated profiler (how a profiler built to profile Java6 will behave with Java11?) Clear GUI - As I will want to dive into the profiling data - it will be much simpler using UI Free (With a big advantage to the open sourced ones) (Optional) Remote profiling List of Profilers Dead Profilers (At least 5 years without an update) JIP - Java Interactive Profiler  - Last update 2010 Profiler4J - Last Updat
Read more

Shared/Pro/Managed Hosting for your site - which to choose ? (NO AFFILIATE LINKS!)

 You buy a domain and want to start your site running, time to find your perfect hosting. This is one of our first steps, and might be your most crucial one. I won't tell you which hosting company to choose, I will attempt just to clarify the picture. What are your Hosting options ? Shared Hosting You can choose shared hosting - obviously this one will be the cheapest option. In this category you might even find free hosting options, with or without ads on your site. Although this option sounds great for beginners as it is cheap and is comes with many promises from the hosting company (unlimited bandwidth, unlimited disk space etc.), there are no free meals, and as you are not alone on this server ( shared hosting), you don't really know who your neighbors are. So nothing is guaranteed, you might have a neighbor which takes lots of bandwidth, so you will actually have less to use etc. You might have a malicious neighbor which will attempt to hack your site using the common host
Read more

ZVR converter

Yesterday, a friend asked me to find him a ZVR sound file converter. What's the problem? I asked... Give me 5 minutes and i'll google it out. Well, I was wrong, finding a decent converter isn't an easy task, it took me at least 7 minutes (kidding). What's a ZVR file? It's a dictation recorder output file, used by the korean SAFA company, their recording machine is used mainly to capture sound files using its microphone during class lessons or whenever one wants. I just don't get it, why each company comes up with its own sound format?  grab a good and free existing audio format and stick to it! The ZVR files are very small hence their low quality... Anyway, a nice ZVR to WAV file converter was found. It's an incredibly small file (140kb). Download ZVR sound file converter  Enjoy, Avi.
Read more