48 lines
2.0 KiB
Markdown
48 lines
2.0 KiB
Markdown
# WordPress SMTP Credential Discovery
|
|
|
|
When a site uses WP Mail SMTP (or similar) plugin, credentials are stored in the `wp_options` table as a serialized PHP array under `wp_mail_smtp`.
|
|
|
|
## Query Pattern
|
|
|
|
```sql
|
|
SELECT option_value FROM wp_options WHERE option_name = 'wp_mail_smtp';
|
|
```
|
|
|
|
The value is a PHP serialized array. Extract fields with:
|
|
```bash
|
|
mysql -h 127.0.0.1 -P <PORT> -u <USER> -p'<PASS>' <DB> \
|
|
-e "SELECT option_value FROM wp_options WHERE option_name = 'wp_mail_smtp'" \
|
|
--skip-column-names 2>/dev/null | python3 -c "
|
|
import sys, re
|
|
data = sys.stdin.read()
|
|
# PHP serialized array — extract key fields via regex
|
|
for key in ['mailer', 'host', 'port', 'user', 'pass']:
|
|
match = re.search(r's:4:\"$key\";s:(\d+):\"(.*?)\"', data)
|
|
if match: print(f'{key}: {match.group(2)}')
|
|
"
|
|
```
|
|
|
|
Or parse the PHP serialized format more robustly with Python (the `php-serialize` library, or use the regex approach above for the specific fields needed).
|
|
|
|
## Common Locations
|
|
|
|
| Site | DB Name | Host | Port | User | How to access |
|
|
|---|---|---|---|---|---|
|
|
| Apex Track Experience | `apextrackexperience_1781549652` | c1113726.sgvps.net:2525 | 2525 | `contact@apextrackexperience.com` | MySQL tunnel on Core (`127.0.0.1:33060`) |
|
|
| Any WordPress site on wphost02 | varies | varies | varies | varies | SSH to wphost02, query local MySQL |
|
|
|
|
## MySQL Tunnel Access
|
|
|
|
On Core, the Apex Track Experience database is accessible via SSH tunnel through wphost02:
|
|
```bash
|
|
mysql -h 127.0.0.1 -P 33060 -u <USER> -p'<PASS>' <DB> -e "SELECT 1"
|
|
```
|
|
|
|
The tunnel is maintained by `mysql-tunnel` systemd service (Core → wphost02:3306).
|
|
|
|
## Pitfalls
|
|
|
|
- The `wp_mail_smtp` option stores the password as plaintext (not hashed) in the PHP serialized array
|
|
- The `wp_mail_smtp_initial_version` and `wp_mail_smtp_version` options confirm the plugin version
|
|
- WPForms uses the same WP Mail SMTP plugin for email — form notification emails are sent via these same credentials
|
|
- The MySQL password in the connection string is also in plaintext in systemd unit files — keep unit files `chmod 600` |