How I Takeover Wordpress Admin fiiipay.my
Hello everyone, in this post im gonna show you how i takeover admin on cms wordpress and get bounty 😆.
- First of all is RECON, so i goto https://fiiipay.my and check what cms they use and i see they are using wordpress .
- Then i check admin page with adding “/wp-admin” after home url
- i got redirected to “/setup-config.php”
4. W00t?,, I click lets go and set new database configuration with remote my sql, https://www.freemysqlhosting.net/
5. After that i got redirect to “/wp-admin/install.php” and i set new user & password wordpress
6. Login to wordpress
After this, i reported this vulnerability to AntiHack,
- Nov 20, 2018 — Sent Report to AntiHack
- Nov 20, 2018 — AntiHack change status to New
- Dec 13, 2018 — AntiHack rewarded me $300 SGD
- Dec 28, 2018 — Bounty received