Hacking Wordpress
June 10th, 2007 | by tk2

Honestly, I’m not a bad guy. But when it comes to security issues, I think it’s better for me to share my knowledge. This time I’ll show you how a user with author rights can gain admin privileges on a WordPress-powered blog. I’m not calling this hacking, as it’s closer to social engineering.
First, let me create a situation. Imagine there’s a blog called BLOGY and the admin has selected a guy to be his blog’s author; let’s call him tk3. This really happens in real life when blog owners don’t have enough time to write articles, so they let other people write on their blog. As a reward, the authors get some amount of money, or they can put their AdSense ads together with their posts.
So one day, tk3 wrote a post about how to make money online. It looks something like this:

Notice that he provides a link at the end of the article. The link actually goes to an HTML file that he uploaded earlier.

So what’s inside the HTML file?

Take a look at the code in blue. It checks the user’s cookies. If the viewer is the admin, it redirects to a cookie stealer. For a normal user, the page will just look something like this:

Simple yet useful information! The admin fell into tk3’s trap and clicked on the link. His cookie was stolen, and it was just a matter of time until tk3 checked his cookie jar. It was a bad hair day for the admin, because after a few minutes tk3 opened his cookie jar and proceeded to the next step.

He then changed his cookie to the stolen cookie.

The final step is to visit BLOGY again, and guess what?

Moral of the story: never, never, and never trust anybody on the internet. Just a single click and the whole thing turns into a disaster. You may think that this method is too complicated, n00bish and not practical in real life. But the point here is that it can be done.
Actually, there’s a better way to XSS the admin. The vulnerability was found more than 2 weeks ago but we haven’t received any news or feedback from the WordPress team. Are they not listening, or just waiting for the next version to patch the bug?
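
A defensive check for the scenario above, as an added example that is not from the original post: it audits files in a blog's upload area for browser-renderable active content and for script that reads cookies, including active content hidden behind an image extension. It assumes the HTML file was uploaded to the blog's own site; the function names, extension list and sample files are constructed for illustration.

```python
import posixpath
import re

# Assumption: extensions a browser may render as active content when the file
# is served from the blog's own origin.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".svg", ".xml"}

# Script-capable markup, and script that reads the visitor's cookies.
MARKUP_RE = re.compile(rb"<\s*(script|iframe|object|embed|svg|html|body)\b", re.I)
COOKIE_RE = re.compile(rb"document\s*\.\s*cookie", re.I)


def audit_upload(name, data):
    """Return a list of findings for one uploaded file (empty list = clean)."""
    findings = []
    ext = posixpath.splitext(name)[1].lower()
    if ext in ACTIVE_EXTENSIONS:
        findings.append("active-content extension " + ext)
    head = data[:65536]  # inspect the start of the file, whatever its name says
    if MARKUP_RE.search(head):
        findings.append("script-capable markup")
    if COOKIE_RE.search(head):
        findings.append("reads document.cookie")
    return findings


def audit_all(uploads):
    """Map each flagged upload name to its findings; clean files are omitted."""
    return {n: f for n, d in uploads.items() if (f := audit_upload(n, d))}


# Constructed sample uploads (not taken from the original post).
SAMPLE_UPLOADS = {
    "2007/06/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "2007/06/money-tips.html": b"<html><body><h1>Tips</h1>"
                               b"<script>var c = document.cookie;</script>"
                               b"</body></html>",
    "2007/06/banner.jpg": b"<script>var c = document.cookie;</script>",
}

if __name__ == "__main__":
    for name, findings in sorted(audit_all(SAMPLE_UPLOADS).items()):
        print(name + ": " + "; ".join(findings))
```

Setting the HttpOnly attribute on the session cookie also keeps page script from reading it, and serving author uploads from a separate domain keeps uploaded pages out of the blog's cookie scope.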

4 Responses to “Hacking Wordpress”
By kucau on Jun 13, 2007 | Reply
Ermm, interesting method. Can I co-blog on your site? Hahaha
By Bat on Jun 16, 2007 | Reply
Damn good.. Thanks for the info, bro.. I found it useful since my blog has different authors. But I do believe in them, although trust is the human weakest links right?
By lukxiufung on Jun 22, 2007 | Reply
Bat: I agreed with you “trust is the human weakest links right” and this encourages so many crimes around us.
Thanks for sharing