Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 51
Members: 0
Total: 51
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other software -> WordPress 2.1.3 sql injection blind fishing exploit ver. 2 Goto page Previous1, 2, 3, 4Next
Post new topicReply to topic View previous topic :: View next topic
PostPosted: Sat Jun 02, 2007 6:15 pm Reply with quote
scoobydoo
Regular user
Regular user
Joined: Jun 02, 2007
Posts: 5




Rolling Eyes here is the error message:

Notice: Undefined variable: argc in /home/scoobydoo/public_html/test.php on line 14

Notice: Undefined variable: argv in /home/scoobydoo/public_html/test.php on line 17

Notice: Undefined variable: argv in /home/scoobydoo/public_html/test.php on line 25

Notice: Undefined variable: argv in /home/scoobydoo/public_html/test.php on line 26
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 6:54 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Post the error dude.
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 7:02 pm Reply with quote
scoobydoo
Regular user
Regular user
Joined: Jun 02, 2007
Posts: 5




Line 14: if ($argc<3) {

Line 17: Usage: php '.$argv[0].' host path OPTIONS

Line 25: php '.$argv[0].' localhost /wordpress/ -P1.1.1.1:80

Line 26: php '.$argv[0].' localhost / -p81
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 7:11 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




My engl. is too bad to explain to you how to run this script.Let wait some of engl. speaking people. Laughing Laughing Laughing
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 9:16 pm Reply with quote
Chb
Valuable expert
Valuable expert
Joined: Jul 23, 2005
Posts: 206
Location: Germany




Seems like you have to run the script directly from the commandline PHP interpreter. So, if you use Linux, go into your shell and execute the script via "php <filename> <parameters>". If you use Windows, run the commandline, go to your bin-directory of PHP and use there the same command. (I hope, there was a bin-directory of PHP under Windows. *g*)

_________________
www.der-chb.de
View user's profile Send private message Visit poster's website ICQ Number
PostPosted: Wed Jun 20, 2007 8:31 am Reply with quote
scorpion
Regular user
Regular user
Joined: Jun 20, 2007
Posts: 10




I'm running this on a 2.1.2 WP blog and it seems as if I get different results every time. Is there any exploit like this one that works on a 2.1.2 WP blog?
View user's profile Send private message
PostPosted: Wed Jun 20, 2007 9:54 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




$testcnt = 300000----> change this to 900000
View user's profile Send private message
PostPosted: Wed Jun 20, 2007 1:14 pm Reply with quote
scorpion
Regular user
Regular user
Joined: Jun 20, 2007
Posts: 10




koko wrote:
$testcnt = 300000----> change this to 900000
That did the trick, thanks alot! Smile

It seems that I have some issues with creating the cookies though...

I run a MD5 on the blog adress (http://sub.domain.top) and add this after wordpressuser_ and wordpresspass_.

I also run another MD5 on the result that this script outputs (dbff23c64c0369382f5fd24f69d03695). The result of this is 089ae043c73989ec8f708595ddcb4510, which I enter into the wordpresspass-cookie as the value. Still I just get this message when I surf to: http://sub.domain.top/wp-admin/

Your session has expired.
ERROR: Incorrect password.

What does I make wrong?

EDIT: As I said earlier, this is a WP 2.1.2 blog
View user's profile Send private message
PostPosted: Wed Jun 20, 2007 1:30 pm Reply with quote
blaxenet
Active user
Active user
Joined: Jun 20, 2007
Posts: 26




I've gave the 'exploit' a run, but got the following error:

Code:
WordPress 2.1.3 blind sql injection exploit by waraxe Target: http://www.site.com/wordpress/wp-admin/admin-ajax.php sql table prefix: wp_ cookie suffix: 2554b2e3cc6c5f2f5bf434c94ad7987c testing probe delays test_md5delay(1) - invalid return value, exiting ...


I'm not sure if this is my fault or whether the version of Wordpress isn't correct.

Any idea's?
Thanks Smile
View user's profile Send private message Send e-mail Yahoo Messenger
PostPosted: Wed Jun 20, 2007 4:00 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




blaxenet wrote:
I've gave the 'exploit' a run, but got the following error:

Code:
WordPress 2.1.3 blind sql injection exploit by waraxe Target: http://www.site.com/wordpress/wp-admin/admin-ajax.php sql table prefix: wp_ cookie suffix: 2554b2e3cc6c5f2f5bf434c94ad7987c testing probe delays test_md5delay(1) - invalid return value, exiting ...


I'm not sure if this is my fault or whether the version of Wordpress isn't correct.

Any idea's?
Thanks Smile


This can mean, that server issues mysql error message. I have seen such problems in some other websites too and this can be related to different sql table structure, maybe because of some modifications in WP installation. So first you must see, what really happens there - try to change this exploit so, that instead of "probe delays test_md5delay(1)" diagnostic message it will print out all data, coming from server. Then, if it's sql error message, then just adjust exploit so that sql clause will be valid to that specific server.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jun 20, 2007 6:33 pm Reply with quote
Stoney
Regular user
Regular user
Joined: Jun 20, 2007
Posts: 6




hi ! i got a error from the exploit !

Code:

Target: http://www.xxxxx.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: a1f44f7e99efa5715d7b87e763a96457
testing probe delays

Fatal error: Call to undefined function curl_init() in C:\inetpub\wwwroot\exploit1.php on line 399


can anyone help me by the error?
View user's profile Send private message
PostPosted: Wed Jun 20, 2007 6:44 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Stoney wrote:
hi ! i got a error from the exploit !

Code:

Target: http://www.xxxxx.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: a1f44f7e99efa5715d7b87e763a96457
testing probe delays

Fatal error: Call to undefined function curl_init() in C:\inetpub\wwwroot\exploit1.php on line 399


can anyone help me by the error?


Read this thread http://www.waraxe.us/ftopict-1776-.html
View user's profile Send private message
PostPosted: Wed Jun 20, 2007 7:42 pm Reply with quote
Stoney
Regular user
Regular user
Joined: Jun 20, 2007
Posts: 6




koko wrote:
Stoney wrote:
hi ! i got a error from the exploit !

Code:

Target: http://www.xxxxx.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: a1f44f7e99efa5715d7b87e763a96457
testing probe delays

Fatal error: Call to undefined function curl_init() in C:\inetpub\wwwroot\exploit1.php on line 399


can anyone help me by the error?


Read this thread http://www.waraxe.us/ftopict-1776-.html


Embarassed sry ! thx for help
View user's profile Send private message
PostPosted: Sun Jun 24, 2007 12:20 pm Reply with quote
blaxenet
Active user
Active user
Joined: Jun 20, 2007
Posts: 26




I've had another go with this script on a completely different domain.
Got this far, but the hash doesn't seem right.

So i've taken a look at the other responses here and changed the $testcnt value from 300000 to 900000 but that made no visible difference apart from the hash changing slightly.

Any idea's :S ?

---------------------------------
$testcnt = 300000;
---------------------------------
Target: http://removed.com/blog/wp-admin/admin-ajax.php
User ID: 1
Login:
Hash: 0000000000000000000000000aa00000

---------------------------------
$testcnt = 900000;
---------------------------------
Target: http://removed.com/blog/wp-admin/admin-ajax.php
User ID: 1
Login:
Hash: 00000000000000d000030a0000000000
View user's profile Send private message Send e-mail Yahoo Messenger
PostPosted: Sun Jun 24, 2007 2:23 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




This is hard to tell, it all depends. You can sniff traffic between target server and your PC and then look at sniffer log and try to understand, why it is not working as expexted. This can be because server is too slow and unstabe or wp installation is just patched allready.
One thing is sure - sql injection blind fishing methods are not 100% reliable and there are always some non-working targets ...
View user's profile Send private message Send e-mail Visit poster's website
WordPress 2.1.3 sql injection blind fishing exploit ver. 2
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 2 of 4
Goto page Previous1, 2, 3, 4Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.048 Seconds