I remember that back in '09 WP had a password reset vulnerability; the same thing can still be used now, but I have just found that nobody on the internet has written about it.
Premise: you have an injection point (an injection point can be obtained by looking for plugin vulnerabilities), the password hash cannot be cracked, and you cannot get a shell by writing query output to a file.
This is not actually a vulnerability by itself; it is a combination that can be used. Because WP's password recovery flow also works for the administrator account, and the key that is sent to the mailbox is also stored in the database, you can directly change the administrator's password XD
The steps are as follows:
1) Inject out the user_login or user_email of the wp_users row with ID 1 (the ID may differ; improvise). [Only needed if the admin's backend account is unknown.]
2) On wp-login.php click "Lost your password?"; if the link is hidden or unavailable, go directly to wp-login.php?action=lostpassword, enter the administrator account or the admin email, and click "Get New Password".
3) Inject again to read the user_activation_key of the wp_users row with ID 1 (or of the target user).
4) Visit wp-login.php?action=rp&key=key&login=name
5) Replace key with the injected user_activation_key value and name with the administrator account, then load the page.
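The root cause in the steps above is that the reset key is stored in the database in the same form it is mailed out, so a read-only SQL injection is enough to complete a reset. The following is an added example, not code from the post or from WordPress, of the mitigation: only a salted hash plus an issue time is written to the database, the link is single-use and expires, and the `users` dict is a constructed stand-in for the wp_users table.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 24 * 3600  # constructed policy: a reset link lives one day

# Constructed stand-in for the wp_users table: login -> stored row.
users = {"admin": {"user_email": "admin@example.invalid", "user_activation_key": ""}}


def _hash_token(token, salt):
    # Salted, slow hash of the mailed token; a real deployment would use a
    # password hasher such as bcrypt or argon2 instead of PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt.encode(), 100_000).hex()


def issue_reset(login, now=None):
    """Create a reset token. Only 'issued:salt:hash' is written to the database;
    the plaintext token goes out in the e-mail and nowhere else."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    salt = secrets.token_hex(8)
    users[login]["user_activation_key"] = f"{int(now)}:{salt}:{_hash_token(token, salt)}"
    return token


def check_reset(login, token, now=None):
    """Validate a reset link: unknown user, expired or wrong token -> False.
    A successful check clears the stored key so the link cannot be reused."""
    now = time.time() if now is None else now
    record = users.get(login)
    if not record or not record["user_activation_key"]:
        return False
    issued, salt, stored_hash = record["user_activation_key"].split(":", 2)
    if now - int(issued) > RESET_TTL_SECONDS:
        return False
    if not hmac.compare_digest(stored_hash, _hash_token(token, salt)):
        return False
    record["user_activation_key"] = ""  # single use
    return True


def db_value_alone_resets(login):
    """Replays the post's steps 3-5 against this design: use whatever sits in the
    user_activation_key column as the key. With hashed storage it must fail."""
    return check_reset(login, users[login]["user_activation_key"])
```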
[Tip: there is a Russian program, WordPress p&e, that can enumerate the target WP site's plugins and report whether they have known vulnerabilities, but it only covers 153 plugins. 1337 also has a program that scans Joomla and WP sites for dangerous plugins; it is a PHP program and can be downloaded from SourceForge. After that, search for the plugin's vulnerability on 1337, exploit-db and Google.]
-------
A problem in the 360 competition tested exactly this.
A small trick for WordPress sites