How I Takeover Wordpress Admin fiiipay.my


Hello everyone, in this post im gonna show you how i takeover admin on cms wordpress and get bounty 😆.

  1. First of all is RECON, so i goto https://fiiipay.my and check what cms they use and i see they are using wordpress .
  2. Then i check admin page with adding “/wp-admin” after home url
  3. i got redirected to “/setup-config.php”
w00t ?

4. W00t?,, I click lets go and set new database configuration with remote my sql, https://www.freemysqlhosting.net/

5. After that i got redirect to “/wp-admin/install.php” and i set new user & password wordpress

6. Login to wordpress

After this, i reported this vulnerability to AntiHack,

  • Nov 20, 2018 — Sent Report to AntiHack
  • Nov 20, 2018 — AntiHack change status to New
  • Dec 13, 2018 — AntiHack rewarded me $300 SGD
  • Dec 28, 2018 — Bounty received