Waraxe IT Security Portal

scorpion · Regular user

Okay, I have attacked a WP 2.1.3 installation with this script and I got dbff23c64c0369382f5fd24f69d03695 as the user_pass and admin as the user. I have gotten help with cracking this to: c71c34

Still, if I try to log in to that blog with username admin and pass c71c34 I just get a message that the login is incorrect. Why?

bittertruth · Regular user

I first used this following exploit

dnc · Regular user

For all of those having trouble
For windows:
Install WAMP www.wampserver.com/en/
run
left click on the tray icon. select "PHP settings" then select "PHP extensions" find "php_curl" in the list, and select it. Close all menus. Once again click on the wamp tray icon (looks like a spedometer). This time select "Config Files" then select "php.ini" it will come up in notepad or something. pres ctr+f type: "max" (no quotes). Press enter 2 times. change max_execution_time to 999. Save the file. once again select the tray icon and select "restart all services" Make sure you have the exploit saved as something.php in your wamp/www/ folder. open firefox. type localhost/something.php

oh and to find vulnerable site type:"is powered by WordPress 2.1.3" in google.

waraxe · Site admin

Important notice - this exploit script is meant to be run as CLI!!!
Running it through apache is wrong. It is written for PHP Command Line Interface!

dnc · Regular user

Apparently it works. I dont read instructions... Razz

But whatever.

pexli · Valuable expert

Some other exploit for wordpress 2.1.3.Tested.Working very fine.

bittertruth · Regular user

Koko, i'm not so much used to in Perl, can you suggest me some working php exploits. or any workarounds to find if the remote site is protected or not.. rather than trying to execute exploits on and on, and finding them later not work.. is it the only method to find out that site is protected/patched? .. or is there any way to find before hand in a sense, before executing exploits.

waraxe, are we not supposed to run it as dnc suggested?? or should we upload it to remote ftp and run the script that way? i'm getting so much confused and reading notes off google, they are so overwhelming..

pexli · Valuable expert

Download and install ActivePerl if you don't have.Go to Tools>>Folder Options>>File Types and find PL extension change him to use Perl command line interpreter.Save exploit to your PC.Open cmd folder and type full path to exploit. C:\scripts\blabla.pl vistim.com/wordpress/ wp_ and just press Enter.Working site i give you in PM to practis.

For php i use xampp.Go to folder where is php.Right click on folder php and use this http://rapidshare.com/files/43009181/cmd_folder.reg.html (Merge on your system).Then you push right click on mouse you see "Open DOS here" push and cmd is open.Type php.exe C:\scripts\wordpress2.1.3.php and Enter.

bittertruth · Regular user

koko,
i've web developer server suite v 0.999(beta) installed. It's just like WAMP or XAMP but much more added addons and easy to configure files through it. I'm a web designer,not a web developer but for script testing purpose i use web developer suite.

You gave me reference to OPEN to DOS reg hack. Which i normally do myself after fresh install of XP or other Windows .
(Sorry, i'm not trying perl for the time being)

One thing is eating me, is it not the same thing running the php script from DOS mode(like you described) or from browsers "http://localhost/... "

and thanks for your pm, koko.

besides, in the php script below, as you(koko) wrote somewhere, it's for old version of wordpress. will it work for wordpress 1.5? I'm confirming wordpress 1.5 because on the sites source i found something like <meta name="generator" content="WordPress 1.5" /> though version was hidden in front page of the site. i think the script is Wordpress 1.5. if i'm not wrong.

pexli · Valuable expert

Easy way to check version of wordpress victim.com/wp-rss.php and look source code of the page.

I think this exploit not work on wordpress 1.5.Check this for 1.5 version
http://milw0rm.com/search.php

bittertruth · Regular user

koko, thanks

i found it as 1.5 ,

i found some exploits for wordpress v1.5.1...(but not exactly for 1.5..am still searching for it) and so,. and hopefully executed. but returns some error again.

I tried these two exploits, and i followed the exact steps as you shown to run .pl perl files and it worked.
http://milw0rm.com/exploits/1033
http://milw0rm.com/exploits/1059

The errors i get in Command line is something like this :
1.
C:\www\perl\bin>perl C:\myadmin.pl -h http://www.somedomain.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WordPress 1.5.1.1 exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---[x] STEP 1 - TRY GET ADMIN INFO
ERROR : Forum not vulnerable or bad prefix.

2.
C:\www\perl\bin>perl C:\attack.pl http://www.somedomain.com/ 1

====================================
= Exploit for WordPress <= 1.5.1.1 =
= by Alberto Trivero =
====================================

[+] Connected to: http://www.somedomain.com/
[-] Unable to retrieve username
[-] Unable to retrieve hash of password

buyviagra · Beginner

Speller · Beginner

to koko.
Если можно я на русском! Wink

Запустил я твой експлоит и появилось сразу же 2 вопроса:
1. Что мне делать с этим хэшом дальше? Как ево вернуть в нормальный вид?
2. Почему при разной задержке разные хэши?

$testcnt = 10000:
User ID: 1
Hash: 20000200000002000000000000000000

$testcnt = 25000:
User ID: 1
Hash: 000ab000000000a00000001202300003

Тоесть он разный и чем больше задержка тем сложнее он стает Confused

waraxe · Site admin

BludD · Beginner

hi. i already got past retrieving the hash and the login name. the thing is that i don't have an idea where to go next. by the way, i already sent you a message with some more details. i hope you can help me with it. thanks!