Wordpress Holes?

Posted: Thu Oct 09, 2008 5:12 pm
HanCholo (Regular user; Joined: Oct 09, 2008; Posts: 11)

How does one go about obtaining the MD5 hash of a Wordpress password without administrative access? I am aware that Light Blue Touchpaper was compromised by someone who used Google to find the password from an MD5 hash. How would they get the hash to start with?

I know that Wordpress stores passwords as unsalted MD5 hashes in the user database. I am also aware that Wordpress users can change their password if they forgot it via the database, as explained in this video:
http://www.youtube.com/watch?v=3SmndwrRkxw

If I have a Wordpress blog, how might someone get access to the user database or obtain the hash of my password without admin access? Is it true that the wp-users database can be accessed by anyone through a PHP or SQL browser? I also understand that Wordpress, even the most recent updates, is vulnerable to some forms of SQL injection.

Posted: Thu Oct 09, 2008 6:14 pm
pexli (Valuable expert; Joined: May 24, 2007; Posts: 665; Location: Bulgaria)

To get the admin hash (this is stupid in new versions) I don't need admin access. I need access to the server where your blog is hosted. In new versions the MD5 is salted. The salt is written in wp-config.php.

Posted: Thu Oct 09, 2008 8:35 pm
HanCholo (Regular user; Joined: Oct 09, 2008; Posts: 11)

Access to the server? Does that mean that you can access the account remotely knowing only the IP address or URL?
If so, how might someone see the database? I imagine you need PHP software. Any recommendations?

Posted: Fri Oct 10, 2008 8:10 am
pexli (Valuable expert; Joined: May 24, 2007; Posts: 665; Location: Bulgaria)

HanCholo wrote:
> Access to the server? Does that mean that you can access the account remotely knowing only the IP address or URL?
> If so, how might someone see the database? I imagine you need PHP software. Any recommendations?

In most cases this is not as easy as you think. I need the URL to investigate the server or hosting.

Posted: Fri Oct 10, 2008 4:31 pm
HanCholo (Regular user; Joined: Oct 09, 2008; Posts: 11)

Okay, thanks!
To test the security of a Wordpress server, I recommend this blog:
http://wikipediaisevil.wordpress.com/
To look up the IP address of any link, I recommend visiting
http://cqcounter.com/whois/
...unless you have something better.
The blogger abandoned that blog, so it is probably an older version of Wordpress, no later than November 2006. (The blogger created a new Wordpress blog, but deleted it, so I am sure he does not care about this one.)

Posted: Fri Oct 10, 2008 5:21 pm
pexli (Valuable expert; Joined: May 24, 2007; Posts: 665; Location: Bulgaria)

This is free Wordpress hosting. Forget it, dude.

www.waraxe.us Forum Index -> Newbies corner