IT Security and Insecurity Portal

Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit

Posted: Wed Jun 06, 2007 3:21 pm
barr0w
Regular user
Joined: May 30, 2007
Posts: 13

Has anyone seen this new advisory that just showed up on milw0rm?
http://www.milw0rm.com/exploits/4039
Unfortunately all of the comments are written in Spanish. It also looks like the exploit is written in C#.
Does anyone know what this does, has anyone tried it out yet, or does anyone have any comments on it at all?
Edit: Reading up on this, I guess you need at least a subscriber-level account for this to work.

Posted: Thu Jun 07, 2007 6:44 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Code:
string login = "alex";
string password = "1234";

Most of wordpress registration is closed.

Posted: Sun Jun 10, 2007 3:35 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

I have no idea about the Spanish language,
but I think you need some authorized account to use this exploit, like another type of WP exploitation.

_________________
IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sun Jun 10, 2007 8:56 am
Chb
Valuable expert
Joined: Jul 23, 2005
Posts: 206
Location: Germany

Dumdidum...

Quote:
El error, bastante tonto por cierto, se encuentra en la función wp_suggestCategories, en el archivo xmlrpc.php:
means:
The error, which is by the way stupid enough, is located in function 'wp_suggestCategories' in file 'xmlrpc.php'.

Quote:
Como se puede observar en la porción de código, no se hace una conversión a entero del valor de $max_results, por lo que es posible enviar valores del tipo 0 UNION ALL SELECT user_login, user_pass FROM wp_users.
means:
As you can see in this piece of code, the function does not check or validate the value of $max_results. This makes it possible to inject SQL queries.

Quote:
Para que un atacante logre su objetivo, es necesario que éste tenga una cuenta de usuario válida (una cuenta de tipo suscriber basta y sobra) en el sitio víctima.
means:
For this you will need an account (subscriber or better) at your victim's page.

Quote:
Preparé un pequeño exploit (Creditos: Alex) que devuelve la lista de usuarios con sus respectivas contraseñas en MD5, además también incluye las cookies de autenticación para cada usuario.
means:
I prepared a little exploit (credits to: Alex), which retrieves the user list with each user's MD5 hash and their automatic login cookies.

Those were the comments... But do not submit a warranty claim.

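Added example, not part of the original posts or of the milw0rm advisory: a defender-side check that parses captured XML-RPC request bodies and flags calls to wp.suggestCategories whose max_results value is not a plain non-negative integer, which is the missing validation the translated comments describe. The position of max_results in the argument list is an assumption, and the request bodies are constructed samples with placeholder credentials.

```python
import re
import xmlrpc.client

METHOD = "wp.suggestCategories"
# Assumed argument order (not given in the thread):
# blog_id, username, password, category, max_results
MAX_RESULTS_INDEX = 4
DIGITS_ONLY = re.compile(r"\d{1,4}")


def sample_call(*tail):
    """Build a constructed request body; credentials are placeholders."""
    args = (1, "subscriber", "placeholder-password", "news") + tail
    return xmlrpc.client.dumps(args, METHOD)


def audit_request(body):
    """Return a finding for a suspicious call, or None if it looks benign."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return "unparseable XML-RPC body"
    if method != METHOD or len(params) <= MAX_RESULTS_INDEX:
        return None  # other method, or max_results not supplied
    value = params[MAX_RESULTS_INDEX]
    # bool is a subclass of int in Python, so rule it out explicitly.
    if isinstance(value, int) and not isinstance(value, bool) and value >= 0:
        return None
    if isinstance(value, str) and DIGITS_ONLY.fullmatch(value.strip()):
        return None
    return "non-integer max_results: %r" % (value,)


# Constructed samples; the second carries the value quoted in the advisory.
BENIGN = sample_call(10)
MALICIOUS = sample_call(
    "0 UNION ALL SELECT user_login, user_pass FROM wp_users")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "->", audit_request(body))
```

Python's xmlrpc.client is not hardened against maliciously constructed XML, so feed it only bodies that have already been size-limited.
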
Posted: Sun Jun 10, 2007 2:57 pm
https
Regular user
Joined: Jun 09, 2007
Posts: 5

I tried this but it does not work for me.
I have a question: must I edit this exploit? (string targetUrl = "http://localhost/wp)
And log in with alex and 1234?
Thanks

Posted: Sun Jun 10, 2007 4:40 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

https wrote:
I tried this but it does not work for me.
I have a question: must I edit this exploit? (string targetUrl = "http://localhost/wp)
And log in with alex and 1234?
Thanks

I think that you must have a valid account for the target WordPress-powered website. So first you must register yourself as a new member and then change the exploit, so that there will be a valid username and password for the target.
By the way - many real-world WordPress-powered websites are CLOSED for new member registration. So this exploit does not work against many websites.

Posted: Sun Jun 10, 2007 7:46 pm
https
Regular user
Joined: Jun 09, 2007
Posts: 5

Just work in Closed User register?

Posted: Mon Jun 11, 2007 11:48 am
Chb
Valuable expert
Joined: Jul 23, 2005
Posts: 206
Location: Germany

It does not work if you cannot register. It should work if you have a subscriber account or better.

All times are GMT