Join us on Slack!
One mans freedom fighter, another's terrorist.
Monday, March 25, 2019
Navigation
Home
 Find:
 Information:
Learn
Communicate
Submit
Shop
Challenges
 Exploit:
 Programming:
 Think:
 Track:
 Patch:
 Other:
 Need Help?
Other
Members Online
Total Online: 119
Guests Online: 116
Members Online: 3

Registered Members: 111852
Newest Member: elfimido
Latest Articles
View Thread

HellBound Hackers | Computer General | Hacking in general

Author

What keeps a Wordpress protected page from being brute forced

shiroslullaby
Member



Posts: 11
Location:
Joined: 25.01.15
Rank:
Hacker Level 2
Posted on 12-02-15 05:57
So I was looking at a friends wordpress site and noticed you can password protect a page.
If you do this, when you view it, you get a page that accepts a password without a username and seems to not limit your tries.

I set up my own site and enabled a password for a page.
https://shiroslullaby.wordpress.com/passwordprotected/

it seems to use wp-login.php?action=postpass
and
post_password="password"&Submit=Submit

When you put in the right password you view the content but wrong password seems to do a POST/redirect/GET to the original page?

I tried using the URL bar to enter my variables and got a page not found message.
Did I type something wrong or is there something Im not seeing that prevents you from doing it this way and what would prevent someone from brute-forcing this?

Im not sure what you could use in the way of checking referrer, cookies etc to prevent someone from hammering at this until they got the right pass.
Hoping someone knows or is bored and wants to take a look at it.
Also if anyone knows a tool to check out thats good but I'd like to understand exactly how this is implemented becuase I feel like Im missing something.

EDIT
It seems like Wordpress servers are running nginx so Im going to do some reading on that. (I have basic understanding but never actually implemented before)
I would be interested to see differences between using the wordpress site and if somone installed on their own poorly configured server.
Also you can download the worpress kit and look at the php files so Ill do that although my php progamming skills are pretty basic.


I'm not insane
No, my life's a gameshow
I shot for the stars and missed
So now I aim low

Edited by shiroslullaby on 12-02-15 19:41