How I Takeover Wordpress Admin fiiipay.my
- First of all is RECON, so i goto https://fiiipay.my and check what cms they use and i see they are using wordpress .
- Then i check admin page with adding "/wp-admin" after home url
- i got redirected to "/setup-config.php"
4. W00t?,, I click lets go and set new database configuration with remote my sql, https://www.freemysqlhosting.net/
5. After that i got redirect to "/wp-admin/install.php" and i set new user & password wordpress
6. Login to wordpress
After this, i reported this vulnerability to AntiHack,
- Nov 20, 2018 โ Sent Report to AntiHack
- Nov 20, 2018 โ AntiHack change status to New
- Dec 13, 2018 โ AntiHack rewarded me $300 SGD
- Dec 28, 2018 โ Bounty received