Bro is legit hacking a wordpress website. i rarely see someone actually hacking and not giving a 3 minute example with a vulnerable made website in 10 mins :D Good stuff
well I think that depends on motive. If you want to cover your tracks, sure that makes sense. But if you did this as bounty hunting then better leave it changed so you can claim the bounty :)
Once you got into the db you couldve literally just changed the account to an admin, or just change the admins password. no need for hashcat at that point
@@TechRaj156depends on the objective. Many times people use the same email and password on other sites so if you crack the leaked hashes, the same credentials could be attempting on the other sites.
If you don't know, when your website has SSL certificate (non self sign) and your host has the worst firewall sql injections are blocked and you can't do nothing.🙃
What a lot of “devs” tend to overlook is the main selling point of Wordpress is it’s a cms and easily updated/managed by non-technical clients, one of the reasons why it’s still so popular,…sure, static sites are faster and more secure but how does a non-techie update them? They’re definitely not going to be uploading markdown files to a server for example, another option would be to go headless but then you have to configure a headless cms to manage it…more development time…or u could just install Wordpress and it’s pretty much good to go out of the box
As someone who has limited knowledge on web hosting I've used Wordpress a lot in the past. The idea that it's this simple to get a list of all usernames and hack into the website is quite interesting. I really appreciate you uploading this. Subbed.
Luckily, it's not always this "easy" and more often than not, you or webhosts will protect most of this information and prohibit unauthorized access to the subdirectories containing this information. On the other hand, there's a LOT of unprotected sites, servers and services out there kinda just up for grabs for more simple attacks like this. Video is great and shows how "easy" it is if you don't do bare minimal security and protection and hopefully it will open the eyes of some. Especially in this time where more and more severe vulnerabilities are discovered.
I havent thought I will watch the full video.. But suddenly you finished your task 🫥😂👌 Great explanation in general, enough to keep up following the process logically. Surely I personally would have asked more about certain tools and useage, but for this case 10/10.
This is one of the reasons i always make my own hash and salting algorithms; and also a reason that i prefer making the software i'm using myself, despite how much work is needed.
I may sound like a simpleton and compared to you I am but since you say you are trying to help people protect themselves, as a Wordpress user, what would be your most valuable tips to give, this video is too advanced for most people, but if you could give a list of say, the 10 or 20 most valuable techniques to protect yourself from most common attacks, or something like that...If you have time and feel like it... Subscribed, very informative, thanks!
Sure here's 3 big ones: - Keep your WordPress, themes and plugins up to date - Don't use the default username and have a strong password - Don't use pirates/nulled or crappy plugins
There’s a lot of free security plugins like WP Security that blocks some of the different attack steps. A strong password and everything updated is most important, but if you also change everything that’s default like the login link and so on you don’t look like the low hanging fruit I guess. 😂
Appreciated. Hacking WP is possible as long as it goes with the default installation. The typical setup is to restrict those sensitive URLs to dedicated IP like using your own VPN. Also need to update all plugins and themes on a regular basis and use security plugins like fail-to-ban, and you’re all set. For the password tips, it’s better to set 48+ characters with complexity and reCAPTCHA is supported for the login as an additional protection. Love to see next video with updated WP version as well🎉
There is just no way you could find a suid binary that gives you a shell if you set an env variable to 1, it feels like those movies where someone hides the keys of his house in a really obvious spot. But still the video is greatt for educational purposes, it was fun watching it and knowing about the tools that let you do this kindof stuff
Newbie question: How much of this is possible in general on the latest WP version and with WP security or any other similar security plugin? Security plugins can block user enumeration, IP number after wrong username/password. They also change default settings like the login URL. Of course no backup of important files are stored on the server. Also add the fact that a lot of hosting companies block sites in shared hosting if they don’t keep their sites updated. Combining a security plugin with everything updated and using a long and strong password (not with English words in it!) maybe is the best way to avoid being the low hanging fruit for all script kiddies? 🤔
Moral of the story is that: don't use software based websites, just use coded websites because we developer code very hard to apply bunch of security layers....
This was very interesting, and your explanation was also very instructive. I understood the steps you took to overcome each difficulty you encountered. Thank you, because now I know what to study before becoming a cybersecurity analyst.
He got access to "wordpressuser" database account. It most probably doesn't have administrator access so can't really change admin password and can't create a new account either.
@@digitzero3613 no, he can change the WordPress admin account password, no restriction can be put in a MySQL user to prevent changing the data of a specific row of a table, MySQL user can only be restricted from updating the entire database. Beside the user mentioned in wp-config is the one that creates all the table in the place, that's the only db user WordPress know and that's the only user WordPress will use to update the password when the admin user chooses to change the password from WordPress's dashboard
@@1brokkolibaum No, if they have plugin like wordfence, any shell upload will trigger an email. so anyway this hack is possible with noob setup wordpress.
If you already have access to the server, you should install the WP CLI, then create a new admin user or change the password of any user (of course I don't want to leave any traces so I'll make a new user, then get what I need and delete all traces).
He can also update the wp-login.php file to log the password in plain text file and after logging either an email can be sent using wp_mail or an api endpoint of his own server can be called with the logged credentials, so whenever someone logs in again with the same user he gets a notification.
Once you got access to the db, why didn't you just change the password? All you need to do is clear the hash, type in the new password and hash it and boom you've got access to any user. I do this all the time whenever I loose a password for a site.
He got access to "wordpressuser" database account. It most probably doesn't have administrator access so can't really change admin password and can't create a new account either.
Well if you got access the the second user, then when you got access to the wp_user table, you could have updated the first user encrypted password with the second user encrypted password and then access the admin user with the second user password...
@TechRaj156 yeah I do understand for sure, but wordpress password encryption is based on the codes available in the config.php file which you accessed at the begining, so the password you generated at the website would not work in newer versions unless you create password on same keys in config or the easier path is to switch passwords or switch role to admin for the user account.. but still, you have done qn awesome work 👌
He got access to "wordpressuser" database account. It most probably doesn't have administrator access so can't really change admin password and can't create a new account either.
Everything else was realistic except the Linux privilege escalation part. Like what's the probability of finding something like this checker binary file which sets the uid to 0.
I guess 98% of youtube tutorial about how to make money using this or that tool (like kali hacking) have a catch. If you discover and post in comment, it probably will be deleted by owner (in order to sell his course).
this was impressive but how did u know which algorithm you need to use? I mean its way easy to check this whith a small google search but what is if not. I miss the part where it was checked in the video :)
Yes it would, bruteforcing an account is unlikely on most Wordpress websites, as the passwords for new accounts are automatically generated and it discourages users from creating unsafe passwords
It still shocks me that wordpress has features to protect you against brute force and telling you if you have the correct username but incorrect password, but you have to manually configure and turn them on, and most of the people who use wordpress use it because its simple to use to make a website and you dont need any coding knowledge so they dont know about these extremely important features... it should be default
Very good and detailed tutorial, thank you very much! However, I don't see the reason why you absolutely have to be root on the server. As soon as you have access to the database, you can change the password or even create a new user :)
@@qwaszx2 No decent website worth hacking for bug bounties uses wordpress anyways. CMSs like wordpress are generally only used for personal blogs of no name individuals or companies.
Nice video. But, since you already gained access to the database, it's as good as being an admin on the website since you can modify everything but it's gonna be more difficult!
I lost faith in you completely at 18:00 You don't need to guess the password if you already have database access. You can just set the admin password to whatever you want, or even better, you can just create a php file like a.php that gets the first admin user and creates a logged in session for you, without even having to update the admin password at all. It's super easy just by using the WordPress methods on the docs.
Getting This Error { "code": "rest_user_cannot_view", "message": "Sorry, you are not allowed to list users.", "data": { "status": 401 } } is there any othere way to list users ?
Short answer yes. Long answer depends on your configuration, there are many ways that can be blocked by cloudflare rules. For example you may block a url to be accessible from your static IP only. And keep in mind that cloudflare is not a firewall.
Bro is legit hacking a wordpress website. i rarely see someone actually hacking and not giving a 3 minute example with a vulnerable made website in 10 mins :D Good stuff
its tryhackme website... sorry to disappoint you
Guys I’m 89% sure he can center a div
glazing, I'd say about 60% give or take
@@koniply 3, wont get lower
I'm 100% sure nobody can center a div without Googling it...
My Div
@@DeepThinker193not the right way
Pro tip,
Keep the old password hash so that you change it back when you are done
😎💀
thanks black collar stuff
well I think that depends on motive. If you want to cover your tracks, sure that makes sense. But if you did this as bounty hunting then better leave it changed so you can claim the bounty :)
Is there a way to uncover a hash password?
great collar and knife man
Once you got into the db you couldve literally just changed the account to an admin, or just change the admins password. no need for hashcat at that point
True. But I was also trying to escalate privileges on the machine and not just get admin on the blog. But I agree the hashcat part was unnecessary.
@@TechRaj156
Perfect
@@TechRaj156depends on the objective. Many times people use the same email and password on other sites so if you crack the leaked hashes, the same credentials could be attempting on the other sites.
@@TechRaj156 ltrace however is not installed by default on all distros
Was just about to comment the same thing 😛😂
Lesson learned: Just use static html ! =))
static is the best anyways for blogs and basic websites.
If you don't know, when your website has SSL certificate (non self sign) and your host has the worst firewall sql injections are blocked and you can't do nothing.🙃
Actually 70%+ of Wordpress sites could move to something like Hugo and have the same webpage functionality.
other the tool "simply static"
What a lot of “devs” tend to overlook is the main selling point of Wordpress is it’s a cms and easily updated/managed by non-technical clients, one of the reasons why it’s still so popular,…sure, static sites are faster and more secure but how does a non-techie update them? They’re definitely not going to be uploading markdown files to a server for example, another option would be to go headless but then you have to configure a headless cms to manage it…more development time…or u could just install Wordpress and it’s pretty much good to go out of the box
"billy" joel and karen "wheeler" - hmm "strange things" happening
As someone who has limited knowledge on web hosting I've used Wordpress a lot in the past. The idea that it's this simple to get a list of all usernames and hack into the website is quite interesting. I really appreciate you uploading this. Subbed.
always keep your stuff up to date
Luckily, it's not always this "easy" and more often than not, you or webhosts will protect most of this information and prohibit unauthorized access to the subdirectories containing this information. On the other hand, there's a LOT of unprotected sites, servers and services out there kinda just up for grabs for more simple attacks like this.
Video is great and shows how "easy" it is if you don't do bare minimal security and protection and hopefully it will open the eyes of some. Especially in this time where more and more severe vulnerabilities are discovered.
One thing to also note, you can check previous CVE's using some google dorking to refine your results. CVEDetails is a pretty good place to look also.
@@elfmatw you explained it exactly how it is
I havent thought I will watch the full video.. But suddenly you finished your task 🫥😂👌
Great explanation in general, enough to keep up following the process logically. Surely I personally would have asked more about certain tools and useage, but for this case 10/10.
This is one of the reasons i always make my own hash and salting algorithms; and also a reason that i prefer making the software i'm using myself, despite how much work is needed.
I may sound like a simpleton and compared to you I am but since you say you are trying to help people protect themselves, as a Wordpress user, what would be your most valuable tips to give, this video is too advanced for most people, but if you could give a list of say, the 10 or 20 most valuable techniques to protect yourself from most common attacks, or something like that...If you have time and feel like it... Subscribed, very informative, thanks!
Sure here's 3 big ones:
- Keep your WordPress, themes and plugins up to date
- Don't use the default username and have a strong password
- Don't use pirates/nulled or crappy plugins
There’s a lot of free security plugins like WP Security that blocks some of the different attack steps. A strong password and everything updated is most important, but if you also change everything that’s default like the login link and so on you don’t look like the low hanging fruit I guess. 😂
Appreciated.
Hacking WP is possible as long as it goes with the default installation. The typical setup is to restrict those sensitive URLs to dedicated IP like using your own VPN. Also need to update all plugins and themes on a regular basis and use security plugins like fail-to-ban, and you’re all set. For the password tips, it’s better to set 48+ characters with complexity and reCAPTCHA is supported for the login as an additional protection.
Love to see next video with updated WP version as well🎉
I am using 2 factor authentification, do you think it's ok too ?
@@ballfoot2460 yeah and make sure all plugins and themes are updated and remove unused ones.
I don't think there's something like that in the wild. That `checker` thing is so unlikely. But great video nevertheless.
There is just no way you could find a suid binary that gives you a shell if you set an env variable to 1, it feels like those movies where someone hides the keys of his house in a really obvious spot. But still the video is greatt for educational purposes, it was fun watching it and knowing about the tools that let you do this kindof stuff
Obviously. This is a setup hack challenge so you know there's some vector you need to find.
This is why you need a plugin like wordfence and perma ban ips that request more then 5 failed login attempts
lol this was very fun to watch! Always loved your fresh content!
I watched the full video just to know how to protect my wordpress site, Thanks
how is it? i am trying to protect too
@@dearestdi just use security plugins to block backdoor entry
This will never happen with any real website.
why not?
BTW, the password value in Wordpress DB is just an MD5 hash. You can create the hash right in terminal.
There's no fucking way... MD5? Srsly? Do they want the passwords cracked?
@@ZircuitzYep. They're begging to be cracked😂😂
How easy and satisfying it looks but when you deep dive in it's heeelllll a lot more than thatttt! It's like pain in the az!
Even getting access to read DB is a big vulnerability.
I hope my hosting provider has something to prevent this app.
This is horrifying..
Newbie question:
How much of this is possible in general on the latest WP version and with WP security or any other similar security plugin?
Security plugins can block user enumeration, IP number after wrong username/password. They also change default settings like the login URL. Of course no backup of important files are stored on the server. Also add the fact that a lot of hosting companies block sites in shared hosting if they don’t keep their sites updated.
Combining a security plugin with everything updated and using a long and strong password (not with English words in it!) maybe is the best way to avoid being the low hanging fruit for all script kiddies? 🤔
the reality is, you will need to find / create an exploit yourself.
Moral of the story is that: don't use software based websites, just use coded websites because we developer code very hard to apply bunch of security layers....
This was very interesting, and your explanation was also very instructive. I understood the steps you took to overcome each difficulty you encountered. Thank you, because now I know what to study before becoming a cybersecurity analyst.
You just need a free security plugin like Solid Security and hacker will not even be able to see your usernames
Not a real hacking in real time btw ! @Tech Raj.
This was pre-setup for the video
Simply amazing... got to know many things about the insights of how some things work!
dear at 20:06 you have database access you can just create new admin user in database
But the goal could also have been to stay hidden for further investigation, so a new user would rise way more suspicion. 🤷♂😁
Moreover the password recovered from wordpress site can also be used in emails or at other places, including the sudo user in the bash
He got access to "wordpressuser" database account. It most probably doesn't have administrator access so can't really change admin password and can't create a new account either.
@@digitzero3613 no, he can change the WordPress admin account password, no restriction can be put in a MySQL user to prevent changing the data of a specific row of a table, MySQL user can only be restricted from updating the entire database.
Beside the user mentioned in wp-config is the one that creates all the table in the place, that's the only db user WordPress know and that's the only user WordPress will use to update the password when the admin user chooses to change the password from WordPress's dashboard
@@1brokkolibaum No, if they have plugin like wordfence, any shell upload will trigger an email. so anyway this hack is possible with noob setup wordpress.
Great video! Thanks for the detailed explanation.
This is great.
How can I get a step by step tutorial and tools used. I'll like to try this on some of my WordPress accounts
If you already have access to the server, you should install the WP CLI, then create a new admin user or change the password of any user (of course I don't want to leave any traces so I'll make a new user, then get what I need and delete all traces).
He can also update the wp-login.php file to log the password in plain text file and after logging either an email can be sent using wp_mail or an api endpoint of his own server can be called with the logged credentials, so whenever someone logs in again with the same user he gets a notification.
Nice video. Thanks for sharing your knowledge.
what stopped you from just changing the hash once u had database access?
Lack of experience.
@@qwerty-p5m1f 😂😂😂😂
Once you got access to the db, why didn't you just change the password?
All you need to do is clear the hash, type in the new password and hash it and boom you've got access to any user. I do this all the time whenever I loose a password for a site.
He got access to "wordpressuser" database account. It most probably doesn't have administrator access so can't really change admin password and can't create a new account either.
@@digitzero3613 No , in wordpress, db_config user has all permissions. so yes he can change the pass.
Well if you got access the the second user, then when you got access to the wp_user table, you could have updated the first user encrypted password with the second user encrypted password and then access the admin user with the second user password...
That would be a smart move! But I was also trying to root the whole machine and not just get admin rights on the blog.
@TechRaj156 yeah I do understand for sure, but wordpress password encryption is based on the codes available in the config.php file which you accessed at the begining, so the password you generated at the website would not work in newer versions unless you create password on same keys in config or the easier path is to switch passwords or switch role to admin for the user account.. but still, you have done qn awesome work 👌
He got access to "wordpressuser" database account. It most probably doesn't have administrator access so can't really change admin password and can't create a new account either.
why didnt you use sudo -l when you were trying to root?
Everything else was realistic except the Linux privilege escalation part. Like what's the probability of finding something like this checker binary file which sets the uid to 0.
I guess 98% of youtube tutorial about how to make money using this or that tool (like kali hacking) have a catch. If you discover and post in comment, it probably will be deleted by owner (in order to sell his course).
@@Developer_BR bro... its a tryhackme challenge ofc its gonna have SOME unrealistic part to it 💀
this was impressive but how did u know which algorithm you need to use? I mean its way easy to check this whith a small google search but what is if not. I miss the part where it was checked in the video :)
Wouldn't most of these attack surfaces be shut down with simple too many requests protection?
Yes it would, bruteforcing an account is unlikely on most Wordpress websites, as the passwords for new accounts are automatically generated and it discourages users from creating unsafe passwords
It's so easy for you to raise power. I can't use any orders when I'm raising power😂😂
Great lesson bro thank you. nice process keep it up with this kind of videos
do you provide private classes
It still shocks me that wordpress has features to protect you against brute force and telling you if you have the correct username but incorrect password, but you have to manually configure and turn them on, and most of the people who use wordpress use it because its simple to use to make a website and you dont need any coding knowledge so they dont know about these extremely important features... it should be default
If you have admin access to database, you can just change the hashed password no?
Do you have to be a root user to change values in a db? Just curious because then the other steps are not necessary
You're right. He could have get WordPress administration access by changing the password hash the first time he got access to the database.
You earned a new sub, I'm a reverse engineer and have little knowledge to pentesting. You make it really interesting and clear!
What is the name of the software you write the code for? I haven't been able to find it
Very good and detailed tutorial, thank you very much!
However, I don't see the reason why you absolutely have to be root on the server.
As soon as you have access to the database, you can change the password or even create a new user :)
Try in latest version of WordPress.
The latest version of WP breaks all themes so nobody updates. :P
@@qwaszx2 i updated latest version of my wordpress 6.4 or something. My site is working fine
@@qwaszx2 No decent website worth hacking for bug bounties uses wordpress anyways. CMSs like wordpress are generally only used for personal blogs of no name individuals or companies.
@@qwaszx2Lol that's why you use a good theme.
@@qwaszx2what are you even talking about? there’s absolutely no issue with themes in the latest version of wordpress
I am wondering what would have you done if the the kwheel's password was not crackable ?
That's is why a CMS should not be the Frontend of it self.
whose text editor is use for this
any one guide please
i have a question, i see full video, how can i save my word-press website , could you possible suggest any free plugin ?
You do not quit youtube
Good job, but any wordpress dev worth their salt would have blocked user and directory enumeration.
Nice video. But, since you already gained access to the database, it's as good as being an admin on the website since you can modify everything but it's gonna be more difficult!
Are u using a window manager or is it a kali theme
It looks like Kali
Thank you for video. I will follow your videos
I lost faith in you completely at 18:00
You don't need to guess the password if you already have database access. You can just set the admin password to whatever you want, or even better, you can just create a php file like a.php that gets the first admin user and creates a logged in session for you, without even having to update the admin password at all. It's super easy just by using the WordPress methods on the docs.
Another option is to add a function into functions.php file to create a new user in the DB with admin privileges leaving the original admin untouched
this seems much easier to do. How do you access my websites functions.php thou thought logging into my server?
I'm new at hacking, but couldn't you use sudo to get root?
restrict/disabled the all API's endpoint
"ignore those warnings, i'm going to fix them later" them metasploit warnings are never getting fixed are they? XD
Tips:
Always use webflow
no devs are gonna leave those sort of bins for your the sake of your privilege escalation, but sure, nice video before that.
Wow this is so easy let's hack all WordPress websites
19:00 php ass 😂😂😂😂
Can you guide what's the procedure to manually enumerate to find the user id? coz this method did not work
google it 👏
Hi, please where can I get fuzz word lists?
But you never showed what the original password was for bjoel. So you didn't complete the hack.
Peak scriptkiddie content
Tutorial how to set up terminal that you're using
Bro do u have any complete hacking course😒
It so willingly reveals everything
What’s that JSON viewer?
does wp-login only accept 7 times password guessing tries?
I tried it and I can get unlimited tries.
Depends on plugins, WAF
Imagine password is out of dictionary. What's next? Failed attempt?
Interesting! Thanks.
Amazed by your skills thank you
wpscan gives various vulnerabilities available in different plugins of the websites but can't find poc of them. Please guide
Did you find any resources for these issues. I am also facing the same problem
This kind of videos we need keep making this kind of videos
I only know the url of my website. Now I want to get the password. Can you please assist?
Nice but can you get cpanel also?
How to protect from this?
I'm afraid of hiring you for security services 😨😨😨😨
Please tell me the checker binary has been put there by yourself ;-) lol
But if another creator does this. There's a possibility youtube takes the video down.
Good video though
Please show us how to null a plugin. Example tablesome plugin
try doing this with a security plugin installed and active
Great video, but what was your next step gonna be if xmlrpc was disabled?
Getting This Error
{
"code": "rest_user_cannot_view",
"message": "Sorry, you are not allowed to list users.",
"data": {
"status": 401
}
}
is there any othere way to list users ?
when I run the attack on my site it says that it receive unown response code 405
I'm a WordPress developer, seeing all this makes me 😢
Lol
its common password attack they would never crack random passwords
Can it work if the wp site is tunneled to Cloudflare?
Short answer yes.
Long answer depends on your configuration, there are many ways that can be blocked by cloudflare rules. For example you may block a url to be accessible from your static IP only.
And keep in mind that cloudflare is not a firewall.
@@firedeveloper cloudflare is a waf.. So it is a firewall... Web application firewall
wow, I will never use wordpress again lol
How can i secure wordpress the best to avoid this?
what if there is no xmlrpc?
Bad luck. You need to find an other vector.
Fun fact: buy SSL
This will never work in reality :)))
Great Video 👌🏻
When you have database access, just add a new user to db as user type admin and you can get the admin access.😅