WordPress 2.1.3 sql injection blind fishing exploit ver. 2
www.waraxe.us Forum Index -> All other software
Posted: Sat Jun 02, 2007 6:15 pm
scoobydoo (Regular user; joined Jun 02, 2007; posts: 5)
Here is the error message:

Notice: Undefined variable: argc in /home/scoobydoo/public_html/test.php on line 14

Notice: Undefined variable: argv in /home/scoobydoo/public_html/test.php on line 17

Notice: Undefined variable: argv in /home/scoobydoo/public_html/test.php on line 25

Notice: Undefined variable: argv in /home/scoobydoo/public_html/test.php on line 26
Posted: Sat Jun 02, 2007 6:54 pm
pexli (Valuable expert; joined May 24, 2007; posts: 665; location: Bulgaria)
Post the error dude.
Posted: Sat Jun 02, 2007 7:02 pm
scoobydoo (Regular user; joined Jun 02, 2007; posts: 5)
Line 14: if ($argc<3) {

Line 17: Usage: php '.$argv[0].' host path OPTIONS

Line 25: php '.$argv[0].' localhost /wordpress/ -P1.1.1.1:80

Line 26: php '.$argv[0].' localhost / -p81
Posted: Sat Jun 02, 2007 7:11 pm
pexli (Valuable expert; joined May 24, 2007; posts: 665; location: Bulgaria)
My English is too bad to explain to you how to run this script. Let's wait for some English-speaking people.
Posted: Sat Jun 02, 2007 9:16 pm
Chb (Valuable expert; joined Jul 23, 2005; posts: 206; location: Germany)
Seems like you have to run the script directly from the command-line PHP interpreter. So, if you use Linux, go into your shell and execute the script via "php <filename> <parameters>". If you use Windows, open the command line, go to the bin directory of your PHP installation and use the same command there. (I hope there is a bin directory of PHP under Windows. *g*)

_________________
www.der-chb.de
Posted: Wed Jun 20, 2007 8:31 am
scorpion (Regular user; joined Jun 20, 2007; posts: 10)
I'm running this on a 2.1.2 WP blog and it seems as if I get different results every time. Is there any exploit like this one that works on a 2.1.2 WP blog?
Posted: Wed Jun 20, 2007 9:54 am
pexli (Valuable expert; joined May 24, 2007; posts: 665; location: Bulgaria)
$testcnt = 300000 ----> change this to 900000
Posted: Wed Jun 20, 2007 1:14 pm
scorpion (Regular user; joined Jun 20, 2007; posts: 10)
koko wrote:
$testcnt = 300000 ----> change this to 900000
That did the trick, thanks a lot!

It seems that I have some issues with creating the cookies though...

I run an MD5 on the blog address (http://sub.domain.top) and add this after wordpressuser_ and wordpresspass_.

I also run another MD5 on the result that this script outputs (dbff23c64c0369382f5fd24f69d03695). The result of this is 089ae043c73989ec8f708595ddcb4510, which I enter into the wordpresspass-cookie as the value. Still I just get this message when I surf to: http://sub.domain.top/wp-admin/

Your session has expired.
ERROR: Incorrect password.

What am I doing wrong?

EDIT: As I said earlier, this is a WP 2.1.2 blog
Posted: Wed Jun 20, 2007 1:30 pm
blaxenet (Active user; joined Jun 20, 2007; posts: 26)
I've given the 'exploit' a run, but got the following error:

Code:
WordPress 2.1.3 blind sql injection exploit by waraxe
Target: http://www.site.com/wordpress/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: 2554b2e3cc6c5f2f5bf434c94ad7987c
testing probe delays
test_md5delay(1) - invalid return value, exiting ...


I'm not sure if this is my fault or whether the version of WordPress isn't correct.

Any ideas?
Thanks
Posted: Wed Jun 20, 2007 4:00 pm
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)
blaxenet wrote:
I've given the 'exploit' a run, but got the following error:

Code:
WordPress 2.1.3 blind sql injection exploit by waraxe
Target: http://www.site.com/wordpress/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: 2554b2e3cc6c5f2f5bf434c94ad7987c
testing probe delays
test_md5delay(1) - invalid return value, exiting ...


I'm not sure if this is my fault or whether the version of WordPress isn't correct.

Any ideas?
Thanks


This can mean that the server issues a MySQL error message. I have seen such problems on some other websites too, and this can be related to a different SQL table structure, maybe because of some modifications in the WP installation. So first you must see what really happens there: try to change this exploit so that, instead of the "probe delays test_md5delay(1)" diagnostic message, it prints out all data coming from the server. Then, if it is an SQL error message, just adjust the exploit so that the SQL clause will be valid for that specific server.
Posted: Wed Jun 20, 2007 6:33 pm
Stoney (Regular user; joined Jun 20, 2007; posts: 6)
Hi! I got an error from the exploit!

Code:

Target: http://www.xxxxx.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: a1f44f7e99efa5715d7b87e763a96457
testing probe delays

Fatal error: Call to undefined function curl_init() in C:\inetpub\wwwroot\exploit1.php on line 399


Can anyone help me with the error?
Posted: Wed Jun 20, 2007 6:44 pm
pexli (Valuable expert; joined May 24, 2007; posts: 665; location: Bulgaria)
Stoney wrote:
Hi! I got an error from the exploit!

Code:

Target: http://www.xxxxx.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: a1f44f7e99efa5715d7b87e763a96457
testing probe delays

Fatal error: Call to undefined function curl_init() in C:\inetpub\wwwroot\exploit1.php on line 399


Can anyone help me with the error?


Read this thread http://www.waraxe.us/ftopict-1776-.html
Posted: Wed Jun 20, 2007 7:42 pm
Stoney (Regular user; joined Jun 20, 2007; posts: 6)
koko wrote:
Stoney wrote:
Hi! I got an error from the exploit!

Code:

Target: http://www.xxxxx.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: a1f44f7e99efa5715d7b87e763a96457
testing probe delays

Fatal error: Call to undefined function curl_init() in C:\inetpub\wwwroot\exploit1.php on line 399


Can anyone help me with the error?


Read this thread http://www.waraxe.us/ftopict-1776-.html


Sorry! Thanks for the help.
Posted: Sun Jun 24, 2007 12:20 pm
blaxenet (Active user; joined Jun 20, 2007; posts: 26)
I've had another go with this script on a completely different domain.
Got this far, but the hash doesn't seem right.

So I've taken a look at the other responses here and changed the $testcnt value from 300000 to 900000, but that made no visible difference apart from the hash changing slightly.

Any ideas? :S

---------------------------------
$testcnt = 300000;
---------------------------------
Target: http://removed.com/blog/wp-admin/admin-ajax.php
User ID: 1
Login:
Hash: 0000000000000000000000000aa00000

---------------------------------
$testcnt = 900000;
---------------------------------
Target: http://removed.com/blog/wp-admin/admin-ajax.php
User ID: 1
Login:
Hash: 00000000000000d000030a0000000000
Posted: Sun Jun 24, 2007 2:23 pm
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)
This is hard to tell, it all depends. You can sniff the traffic between the target server and your PC, then look at the sniffer log and try to understand why it is not working as expected. This can be because the server is too slow and unstable, or the WP installation is just patched already.
One thing is sure: sql injection blind fishing methods are not 100% reliable and there are always some non-working targets ...
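An added example from the defender's side, not part of the thread or of waraxe's tool: the probe delays the exploit measures ("testing probe delays") also show up in the web server's own access log as a run of unusually slow requests to wp-admin/admin-ajax.php from one client, which is what the pass below flags. It assumes an Apache-style log with the response time in microseconds (the %D format field) as the last field; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic); the last field is the
# response time in microseconds, as written by Apache's %D format directive.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2007:13:14:01 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 12 4012345
10.0.0.5 - - [20/Jun/2007:13:14:06 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 12 3987654
10.0.0.5 - - [20/Jun/2007:13:14:11 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 12 15432
10.0.0.5 - - [20/Jun/2007:13:14:12 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 12 4100233
10.0.0.5 - - [20/Jun/2007:13:14:17 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 12 4050011
192.0.2.9 - - [20/Jun/2007:13:15:00 +0000] "GET /wordpress/ HTTP/1.1" 200 8120 20311
192.0.2.9 - - [20/Jun/2007:13:15:02 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 12 18044
"""

# Common log format plus a trailing microsecond response-time field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ (?P<usec>\d+)$'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_probe_sources(log_text, slow_ms=2000, min_slow=3):
    """Return {ip: slow_count} for clients that sent at least min_slow requests
    to wp-admin/admin-ajax.php that each took slow_ms milliseconds or longer.
    A benign admin-ajax.php call returns in milliseconds; repeated multi-second
    responses from one client are the signature of time-based blind probing."""
    slow = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        if int(rec["usec"]) / 1000 >= slow_ms:
            slow[rec["ip"]] += 1
    return {ip: n for ip, n in slow.items() if n >= min_slow}


if __name__ == "__main__":
    for ip, n in find_probe_sources(SAMPLE_LOG).items():
        print(f"possible time-based SQLi probing from {ip}: {n} slow admin-ajax.php requests")
```

The thresholds are assumptions; tune slow_ms to the delay the probes actually induce on a given server and min_slow high enough that a single slow page load is not reported.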
All times are GMT  
Page 2 of 4  