How Hackers login to any websites without password?! WordPress hacking

Captions
Today I'll be teaching you how to hack WordPress. WordPress is a content management system that allows you to very quickly set up a website across the internet and have your different modules, pages and posts that you can create across the internet. Basically it's a system that allows you to host websites, and if you do a quick search on how many websites run on WordPress, you can see right here there are 1.98 billion total websites on the web; more than 835 million of the sites use WordPress. So yes, I'll teach you how to do penetration testing on WordPress sites. Now before we get started, kids, remember hacking is illegal. If you want to hack, remember to ask your mom for permission first, and if you get caught hacking, do not tell them you know who's Mr. Hacker.

So when it comes to the architecture of things, we first have a target website that we're going after. It could be internal-facing or it could also be facing the internet; it doesn't matter, as long as it is running on WordPress we are able to target it. Next up we have your BFF Mr. Hacker, who can be targeting the site running different types of hacking techniques that are specific against the WordPress site. One, typically we want to enumerate different parts of the pages: for example, we could be looking for admin pages, we could be looking for wp-content, looking for plugins and so on. And once we have all of these details, what we can do now is to go ahead and search up the specific version of all of these different plugins as well as WordPress itself, to look for exploits that we can use to directly target and break into the site. And for today's case we'll be doing a SQL injection attack as well as the ability to take complete control of the entire site, so watch to the end.

So right in front of us we have WordPress running. So this is a website; it could be a website from the internet, it could be a website that you're hosting and testing it all, or it could be just another internal system that you could be targeting. So the first thing we want to do is to look for the WordPress version. So what you can do is you can go to the site itself, do a right click and click onto View Page Source, and from there you can go ahead and enter "WordPress" followed by a space and see if you could find a specific version of it. So in this case, if you zoom in a little more, you can see right here that we have a specific version; in this case we have the following of WordPress 5.3. The other two options: also look for JavaScript as well as CSS files that could be indicating its version. So what I can do now is go ahead and search in the page for "js?ver=", so in this case you can see right here we have the following of version 5.3, and the other one for the CSS file, you can see right here too we have "css?ver=5.3". And with that we can go over into a service like searchsploit to look up WordPress 5.3 and see what we get as a result from it. So searchsploit is a way for us to look for those available exploits that we could use as part of targeting the site. So in this case you can see the following of WordPress: typically we're seeing plugins, we could also see core user disclosure and all these different pieces of information that we can quickly use as part of targeting the site because it's been unpatched.

The other page that's really big is /wp-content/plugins. Hit enter on this and right now you do not see any listing of all those plugins that are available against the site. However, what we can do now is to use a trick to test whether the plugin exists by entering the plugin itself into the URI. For example, over here I have wp-file-upload. I clicked on it and you can see right here it states "Forbidden: you don't have permission to access this resource." However, if I want to go ahead and enter wp-file-upload2, which is not a plugin, I hit enter on that and it states the following: "The requested URL was not found on this server." So what does it mean? It means that there isn't such a plugin installed. The other example is here as well, the wp-advanced-search. I hit enter on this, so once again it says the following of "Forbidden: you don't have permission to access this resource." However, if I was to change it up to some other plugin name, say for example a "hackerloi" plugin, I hit enter and then "Not Found": there isn't such a URL. So what we can do now is start targeting all these different common plugins as well as pages so that we can identify the structure of the site.

So what I can do here is use a tool like DirBuster to be able to help us target the site. All you're going to do is go back over into the site, copy the URL, copy on that, paste it over here, and we have the number of threads and all this information. What's most important is the file with the list of directories or files, so go ahead and click Browse, and with that we can go over into /usr. Let's hit back over into root, into /usr/share followed by wordlists, hit enter on that, and we have dirbuster; click on that and we can use something like the directory-list small. So all these are already available out of the box with Kali Linux. Double click on that and we can go ahead and click Start, and we'll be trying to find out all these different parts of the site that have all these pages, plugins and so on. And as we're running the attack you can see the list view directories: we have info.php, which is very juicy information, we have wp-content, index.php, themes, uploads, wp-login and so on. So all these are critical information for us as part of enumerating the site, and with that I can hit over into, say, /info.php, hit enter on that, and boom, this gives us incredibly important information like the PHP version, and as we scroll down further we can see all these different details that can help us target the site more tightly.

Now the even better part is we have specific tools that we can use to target WordPress sites, and it's called wpscan. And all I'm going to do is enter "wpscan --url" followed by the target site, and that's all, and once you're ready go ahead and hit enter on that and we'll begin scanning the site, looking up all this different information that we were trying to do earlier but more specifically targeted to WordPress, and we get really good information. So if I scroll all the way back to the top, trying to understand the findings: so we have interesting findings here, we have the server, Apache, PHP, we have XML-RPC that's enabled that we can target, we have the WordPress readme file, we have the wp-cron and so on. So all these are the different identification of the version, different identification of possible plugins on the site, like for example with Social Warfare, we have the wp-advanced-search, and it's telling us that the version is out of date and we can target them directly. However, there's something even better: we can automatically use the wpscan API token that can help us match all these plugin versions to available exploits that we can use. So say for example, instead of me entering searchsploit for WP file upload, I hit enter on this, now results are entered to say WP WordPress File Upload, all right, trying to find specific versions and so on. So you can see here that I've already taken my API token, I'm ready to hit the site, so go ahead and hit enter on this, and now we're scanning, we're doing the same scan, however we are saving precious time now by having the matching against the exploit database done automatically for those plugin versions, for any other things on the WordPress site. Boom, done, the scan completed, and we can scroll all the way back up again, and as we're scrolling up we can see all this different information like WordPress File Upload Author+ stored cross-site scripting and so on. So this helps us narrow down on the specific exploits that we can use, so we can send those malicious payloads against the target site.

And for today I'll be teaching you the WP Advanced Search unauthenticated SQL injection attack. And we are at sploitus.com right here and we have the exploit for WP Advanced Search, and we can see right here we have GET /wp-content/plugins/ and we're targeting the class.inc autocompletion, and of course we have the following of q=admin, wp autosuggest, and this is the injection point. So the great thing is, if you saw from the earlier tutorial, we could directly use a SQL injection attack to target this part of the site. So what I do right here is to go ahead and enter Burp Suite, open this up, launch it, and what I can see right here is, with Burp Suite launching, we have the Community Edition. Go ahead and click Next, click Start Burp, and once we have that we'll be able to start the proxy and begin intercepting all of these requests. So if I hit back over here, I'll just go ahead and click onto the site, we go on the Proxy tab, we have an example of the request, I do a right click on this, I send it over to Repeater. And for Repeater I have to change things up a little bit, so I head back over to sploitus, and what we want to do now is to change the GET URI. So in this case this is the one that we'll be using; I can go ahead and copy this, head back over into Burp Suite, I'll go ahead and paste it over, and you can see right here this is the example of the wp-content and so on and so forth. And what I can do is I can change this over to a star (asterisk) so that sqlmap, which is our automatic SQL injection tool, can target this part of the site. In fact we can even test it right here, so you can see the following of the asterisk, and type=a and e=a. I click Send on this and it states the following: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server" and so on. So you can see right here, this is an example of a vulnerability. Take it to the next level: I've saved this into a file that we can then use with sqlmap, our automatic SQL injection tool, to target the site and automatically pull out that information from the site. You can see right here, with "sqlmap -r" and the WordPress SQLi target file, hit enter on this. "Custom injection marker file"? Yes, we want to process it, and boom, it looks like the back-end DBMS is MySQL. "Do you want to skip test payloads?" Yes. "For the remaining tests, do you want to include all tests?" Enter yes for that, and right now we are gaining access to the back-end system.

We are in; we've gotten through the vulnerability of the SQL injection attack, and right here we're scanning, we're running all these automatic queries, and it makes dumping out the information as well as the database significantly easier through this automation. There you go: "URI parameter #1* is vulnerable. Do you want to keep testing the others?" Let's enter no for that. And right here we can go to the advanced query functions of sqlmap; now we can enter the following of "--dbs" to look for all those available databases, enter to process it, and you can see right here we have the following of five databases: information_schema, mysql, performance_schema, sys and wordpress. Let's go ahead and target the wordpress database. Now we switch things up a little by entering "-D" to target the wordpress database, and we want to dump out all of those tables. Let's hit enter on that, answer yes, and right here we can see that all these are the different tables that we can go after; we have 19 of those tables. And let's go ahead and target the wp_users and see what we get. So right here we are targeting the wp_users table and we want to dump everything out of the table. Enter yes for that, and right here we are gathering all of that information. It even states the following: "Do you want to store hashes to a temporary file for eventual further processing?" Enter no for that. "Do you want to crack them via a dictionary-based attack?" Let's try it, hit enter on that. "Common suffixes"? Enter no for this. Let's see whether we can get any hit for that, and boom, you can see right here we get the following: we got the user admin and we got its password of admin too. So heading back to the site I can go ahead and enter /wp-login, hit enter on this, because this is the default login page for WordPress, enter admin, admin, click Login, and boom, we're in; we've gotten access into the site.

And heading over into the installed plugins, you can see right here the InfiniteWP Client, and this also has a significant critical vulnerability that we can target. And what's really cool right here, we have the payload that we can use: so we have the following of iwp_action, add_site, params, username admin. So what we can do here now is to go ahead and encode this into Base64, and we're going to use this to send to a specific part of the site, allowing us to gain administrative access to the site. You can see right here I've logged out of the site, and what I can do is I can go to the top right corner, I click on, say, Burp Suite to be our interceptor, I click onto the site again, I go back to Burp Suite under the Proxy tab. What I can do now is go ahead and forward this, and this may be the request; okay, let me just go ahead and click on it one more time, and now we have interception. So what I can do here now is to go ahead and target this with the specific exploit against the plugin. Here, right at the bottom, we've got a payload, and what I can do is change the HTTP method, and once you're ready go ahead and click Forward. Go back over into the site; right here you can see some things have changed up a little bit. What I can do now is go to the top right corner, click on Disable, and I hit enter one more time onto the site, and you can see right here, top right corner, we have now gotten administrative access even without the password. I know, this is mind-blowing, and with great power comes great responsibility. So if you want to learn even more of this, smash the like button, turn on notifications through the YouTube channel here so you can be kept abreast whenever you got hacked, sorry, I mean whenever there is a new hacking tutorial for you.
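Everything the video does leaves a distinctive trail in the web server's access log: a burst of 403/404 responses under /wp-content/plugins/ from one address (the plugin-existence trick and DirBuster), requests for files that leak versions or configuration such as info.php, readme.html and xmlrpc.php, recognisable scanner User-Agents, and query strings carrying quotes, comment markers or SLEEP()/UNION once sqlmap starts. The script below is an added example written for this page from the defender's side; it is not code from the video or from wpscan, sqlmap, DirBuster or Burp. It parses combined-format access log lines, classifies each request, and tracks a sliding window of failed plugin probes per source IP. The log lines, the path names, the scanner User-Agent strings and the thresholds are all constructed or assumed for the example and should be tuned to real traffic.

```python
"""Triage web-server access logs for WordPress enumeration and SQL-injection
probing of the kind shown in the video.  Added example for this page; the log
lines, paths and thresholds below are constructed/assumed, not taken from any
real site."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format (assumed layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths the video probes; a storm of 403/404 here is plugin/page enumeration.
ENUM_PREFIXES = ("/wp-content/plugins/", "/wp-admin", "/wp-login.php", "/wp-includes/")
# Files whose mere presence leaks version or configuration detail (serve them as 200 and it is a finding).
DISCLOSURE_PATHS = {"/info.php", "/readme.html", "/xmlrpc.php", "/wp-json/wp/v2/users"}
# Assumed User-Agent substrings; real scanners can be told to spoof these, so treat as a weak signal.
SCANNER_UA = re.compile(r"sqlmap|wpscan|dirbuster", re.I)
# Classic SQL-injection markers, checked after URL-decoding the query string.
SQLI_RE = re.compile(r"""('|"|--|/\*|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\(|\bor\s+\d+=\d+)""", re.I)

ENUM_THRESHOLD = 10   # this many failed requests under ENUM_PREFIXES from one IP ...
ENUM_WINDOW_S = 60    # ... within this many seconds (assumed tuning values)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def classify(rec):
    """Per-request findings for one parsed record (empty set for benign traffic)."""
    findings = set()
    if SCANNER_UA.search(rec["ua"]):
        findings.add("scanner_user_agent")
    if rec["path"] in DISCLOSURE_PATHS and rec["status"] == 200:
        findings.add("disclosure_file_served")
    if rec["query"] and SQLI_RE.search(unquote_plus(rec["query"])):
        findings.add("sqli_pattern")
    return findings


def analyze(lines):
    """Aggregate findings per source IP; adds the sliding-window enumeration check."""
    report = defaultdict(set)
    fails = defaultdict(list)   # ip -> timestamps of recent 403/404 under ENUM_PREFIXES
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        report[rec["ip"]] |= classify(rec)
        if rec["status"] in (403, 404) and rec["path"].startswith(ENUM_PREFIXES):
            window = fails[rec["ip"]]
            window.append(rec["ts"])
            while (rec["ts"] - window[0]).total_seconds() > ENUM_WINDOW_S:
                window.pop(0)            # drop probes older than the window
            if len(window) >= ENUM_THRESHOLD:
                report[rec["ip"]].add("plugin_enumeration_burst")
    return {ip: sorted(f) for ip, f in report.items() if f}


def _line(ip, sec, method, path, status, ua="Mozilla/5.0"):
    """Build a constructed combined-format log line for the sample below."""
    return f'{ip} - - [12/Apr/2024:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: one benign visitor and one address doing the enumeration,
# disclosure-file and SQL-injection probing described in the video.
SAMPLE_LOG = [
    _line("198.51.100.7", 0, "GET", "/index.php", 200),
    _line("198.51.100.7", 5, "GET", "/?s=wordpress+5.3", 200),
] + [
    _line("203.0.113.5", 10 + i, "GET", f"/wp-content/plugins/{name}/",
          404 if i % 2 else 403, "DirBuster-1.0-RC1")
    for i, name in enumerate(["wp-file-upload", "wp-file-upload2", "wp-advanced-search",
                              "hackerloi", "p5", "p6", "p7", "p8", "p9", "p10"])
] + [
    _line("203.0.113.5", 30, "GET", "/info.php", 200, "DirBuster-1.0-RC1"),
    _line("203.0.113.5", 40, "GET",   # hypothetical plugin endpoint, not a real path
          "/wp-content/plugins/example-search/suggest.php?q=a%27%20AND%20SLEEP(5)--%20&type=a&e=a",
          500, "sqlmap/1.7"),
]

if __name__ == "__main__":
    for ip, findings in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(findings))
```

The enumeration signal is the most robust of the four: it does not depend on the User-Agent, which any of these tools can change, and the 403-versus-404 difference that the video exploits to confirm a plugin's existence is exactly what the window counts. On the application side, the injection point shown in the video exists because user input is concatenated into a SQL string; WordPress plugin code should pass such input through `$wpdb->prepare()` so that sqlmap's probes never reach the query parser.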
Info
Channel: Loi Liang Yang
Views: 23,722
Keywords: hacker, hacking, cracker, cracking, kali linux, kali, metasploit, ethical hacking, ethical hacker, penetration testing, penetration tester, owasp
Id: 09puahSYN1M
Length: 13min 14sec (794 seconds)
Published: Fri Apr 12 2024