WordPress 4.0, Direct Access To The MySQL Database
Recently I needed to gain access to a hacked WordPress installation. I didn’t have any usernames or passwords for the dashboard. Here’s a manual way that I used to create a user account, which sysadmins may find useful. Hang on; if you’re a hacker, stop reading, go have a shower (and a shave) and start a real relationship with an actual person; you might like it.
WP Users Table
Let’s begin by getting into the MySQL command line.
1 2 3 4 5 6 7 8 9 10 11 | $ ssh me@1.2.3.4 ... $ mysql -u me -p Enter password: ... mysql> use wordpress; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> |
First, we need to add a user record to the wp_users table. By default, WordPress encodes the password so that they are safely stored away from prying eyes. The method that does that is in the WordPress core, and we could access and run our password through it, but that’s a lot of work, and I’m feeling lazy.
Instead, we’re going to rely on WordPress’ legacy support, and create an md5’ed password. WordPress will automatically scramble it up for us after login – yay! Using any PHP terminal, or an online editor, echo your password as an md5’ed string.
1 2 |
Make a note of the password you used! Now that you have your password string, we’ll add the row to the database table, wp_users. The values you need are as follows (I’m adding a user named support, with administrator privileges).
1 2 3 4 | INSERT INTO wp_users (user_login,user_pass,user_email,user_registered,display_name,user_nicename) VALUES ('support','0fd23718b64688a8f4e6c0576ce1f551','[email protected]','01-01-2014 00:00:01','support','support'); |
For the uninitiated, that query looks like this in the terminal.
1 2 | mysql> INSERT INTO wp_users (user_login,user_pass,user_email,user_registered,display_name,user_nicename) VALUES ('support','0fd23718b64688a8f4e6c0576ce1f551','[email protected]','01-01-2014 00:00:01','support','suport'); Query OK, 1 row affected (0.00 sec) |
That creates the user record.
Privileges
Next we need to create some permissions, or we can’t do anything. We’ll need to add two entries to the wp_usermeta table. However, before we do that, we need to know the ID of the user we just created.
1 2 3 4 5 6 7 8 | mysql> SELECT ID, user_login FROM wp_users; +----+------------+ | ID | user_login | +----+------------+ | 1 | admin | | 2 | support | +----+------------+ 2 rows in set (0.00 sec) |
So, our new user has the ID of 2. Now we can do the privileges.
1 2 3 4 5 6 | mysql> INSERT INTO wp_usermeta (user_id,meta_key,meta_value) VALUES ('2','wp_user_level','10'); Query OK, 1 row affected (0.00 sec) mysql> INSERT INTO wp_usermeta (user_id,meta_key,meta_value) VALUES ('2','wp_capabilities','a:1:{s:13:"administrator";b:1;}'); Query OK, 1 row affected (0.00 sec) mysql> exit |
That is the permissions bit complete.
Login
You’re all done, and you can proceed to login to WordPress as usual.
If anything, this little trick really highlights the need for good database security. If an attacker gains access to the database directly, you can kiss the site goodbye! Happy erm, hacking.