Monday, April 25, 2016

How to hack a WordPress site

Just as an example: how would one go about hacking a WordPress site?

  • Go to the site you want to hack and use a sniffer to find the framework it was built with; I use a Chrome plugin for this task (Wappalyzer).
  • Now that we know we are looking at a WordPress site, we need to find the login page. For that we begin with a Google search for the "default wordpress login url" ( or
  • If the site owner was clever (be clever!) and changed the default login URL, we use a tool like DirBuster (Unix only?) to crawl the site and list all of its URLs (among them you will recognize the login URL).
  • Now that we have the login page we want to brute-force our way in, but a brute force where we guess the username AND the password is hopeless, as the number of tries is HUGE, so first we try to find the username. WordPress has a "feature" called author enumeration: each author has a numeric ID, so just take the blog's URL and append "/?author=1", which shows you all the posts of the first author (probably the administrator); keep going with the numbers to find all the authors. In our case we would run the following URL: "". Now we have the author, which is the main username!
  • Now that we have the main username, the brute force becomes much simpler: we only need to guess the password! So we need a list of passwords; go online and download a good one.
  • You can also create your own list with a tool called Crunch, which writes a file containing every candidate password. For example, if you know that the password is four characters long and contains no capital letters, you can create a file with all possible combinations of lower-case letters and digits using crunch (apparently 71 MB of combinations; I used the following command to check this out): "crunch 1 4 -f /usr/share/rainbowcrack/charset.txt mixalpha-numeric -o wordlist.txt" (passwords 1 to 4 characters long, taking the character sets from a file, using mixalpha-numeric as the set of all alphabetic characters and digits, and writing the result to a file).
  • For the last stage we use a tool that takes the username and the password list and brute-forces its way through the login page; Hydra is a good candidate for that (xHydra for a GUI on Unix). The way it works: you give it the login URL and the HTML handlers (IDs) of the username and password fields, then you supply the username (admin?) and the list of passwords; the last component it needs is the response the page sends when a login fails, so that it keeps trying until it stops getting that response. An example command looks like:
    • hydra -l admin -p passwords.txt -t 7 (threads) -m /wp-login.php:user_login=^USER^&user_pass=^PASS^:failed login (failure message) http-post-form (POST method) -- all of the parentheses are my "comments"
  • That's it: with an admin username and password the WordPress site is yours for the taking.
  • The downside of brute-force attacks is that they go over the network, so they are slow, which means you can't use lists that are too large (if you are cracking local passwords, not over a network, you can use huge lists, but over the network it won't work; it would take months...). So if you don't manage to hack a site with the slim password lists, you must fall back to another way of hacking the site.
  • Another problem you might encounter: if the site owner was smart (be smart!), he can eliminate all brute-force attacks with a simple plugin that detects brute-force attempts and locks out your IP. In this case you also need to fall back to another method of hacking.
  • If you must try other methods, I would go for exploiting site vulnerabilities:
    • Scan the WP site with WPScan
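Seen from the site owner's side, both steps walked through above leave a clear trace in the web server's access log, which is exactly what the "simple plugin" in the last bullets keys on. The following is an added example, not code from the original post: detection logic run over constructed access-log lines that flags a source walking author IDs via `/?author=N` and a source repeatedly POSTing to `/wp-login.php` and getting the login form (HTTP 200) back instead of the redirect a successful login produces. The sample log lines, IP addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2016:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [25/Apr/2016:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [25/Apr/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.7 - - [25/Apr/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.7 - - [25/Apr/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.7 - - [25/Apr/2016:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.7 - - [25/Apr/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
198.51.100.4 - - [25/Apr/2016:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    # Returns (ip, timestamp, method, path, status), or None if the line does not match.
    m = LOG_RE.match(line)
    if not m: return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect(log_text, max_attempts=5, window=timedelta(seconds=60)):
    """Return {ip: [reasons]} for sources that enumerate authors or hammer wp-login.php."""
    failures, authors = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None: continue
        ip, ts, method, path, status = rec
        # A failed WordPress login re-renders the form (200); a success redirects (302).
        if method == "POST" and path.startswith("/wp-login.php") and status == 200:
            failures[ip].append(ts)
        hit = re.search(r"[?&]author=(\d+)", path)
        if hit:
            authors[ip].add(int(hit.group(1)))
    findings = defaultdict(list)
    for ip, ids in authors.items():
        if len(ids) >= 2:  # walking author IDs 1, 2, 3... is the enumeration pattern
            findings[ip].append(f"author enumeration: ids {sorted(ids)}")
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):  # sliding window over failed POSTs
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= max_attempts:
                findings[ip].append(f"{end - start + 1} failed logins within {window.seconds}s")
                break
    return dict(findings)
```

Feeding a real access log through `detect()` and blocking or rate-limiting the flagged sources is the same idea the brute-force protection plugins implement; the thresholds above are a starting point, not a tuned policy.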
