|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 56
Members: 0
Total: 56
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
Posted: Sat Jun 02, 2007 6:15 pm |
|
|
scoobydoo |
Regular user |
|
|
Joined: Jun 02, 2007 |
Posts: 5 |
|
|
|
|
|
|
|
here is the error message:
Notice: Undefined variable: argc in /home/scoobydoo/public_html/test.php on line 14
Notice: Undefined variable: argv in /home/scoobydoo/public_html/test.php on line 17
Notice: Undefined variable: argv in /home/scoobydoo/public_html/test.php on line 25
Notice: Undefined variable: argv in /home/scoobydoo/public_html/test.php on line 26 |
|
|
|
|
Posted: Sat Jun 02, 2007 6:54 pm |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jun 02, 2007 7:02 pm |
|
|
scoobydoo |
Regular user |
|
|
Joined: Jun 02, 2007 |
Posts: 5 |
|
|
|
|
|
|
|
Line 14: if ($argc<3) {
Line 17: Usage: php '.$argv[0].' host path OPTIONS
Line 25: php '.$argv[0].' localhost /wordpress/ -P1.1.1.1:80
Line 26: php '.$argv[0].' localhost / -p81 |
|
|
|
|
Posted: Sat Jun 02, 2007 7:11 pm |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
My engl. is too bad to explain to you how to run this script.Let wait some of engl. speaking people. |
|
|
|
|
Posted: Sat Jun 02, 2007 9:16 pm |
|
|
Chb |
Valuable expert |
|
|
Joined: Jul 23, 2005 |
Posts: 206 |
Location: Germany |
|
|
|
|
|
|
Seems like you have to run the script directly from the commandline PHP interpreter. So, if you use Linux, go into your shell and execute the script via "php <filename> <parameters>". If you use Windows, run the commandline, go to your bin-directory of PHP and use there the same command. (I hope, there was a bin-directory of PHP under Windows. *g*) |
|
|
|
|
Posted: Wed Jun 20, 2007 8:31 am |
|
|
scorpion |
Regular user |
|
|
Joined: Jun 20, 2007 |
Posts: 10 |
|
|
|
|
|
|
|
I'm running this on a 2.1.2 WP blog and it seems as if I get different results every time. Is there any exploit like this one that works on a 2.1.2 WP blog? |
|
|
|
|
Posted: Wed Jun 20, 2007 9:54 am |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
$testcnt = 300000----> change this to 900000 |
|
|
|
|
Posted: Wed Jun 20, 2007 1:14 pm |
|
|
scorpion |
Regular user |
|
|
Joined: Jun 20, 2007 |
Posts: 10 |
|
|
|
|
|
|
|
koko wrote: | $testcnt = 300000----> change this to 900000 | That did the trick, thanks alot!
It seems that I have some issues with creating the cookies though...
I run a MD5 on the blog adress (http://sub.domain.top) and add this after wordpressuser_ and wordpresspass_.
I also run another MD5 on the result that this script outputs (dbff23c64c0369382f5fd24f69d03695). The result of this is 089ae043c73989ec8f708595ddcb4510, which I enter into the wordpresspass-cookie as the value. Still I just get this message when I surf to: http://sub.domain.top/wp-admin/
Your session has expired.
ERROR: Incorrect password.
What does I make wrong?
EDIT: As I said earlier, this is a WP 2.1.2 blog |
|
|
|
|
|
|
|
|
Posted: Wed Jun 20, 2007 1:30 pm |
|
|
blaxenet |
Active user |
|
|
Joined: Jun 20, 2007 |
Posts: 26 |
|
|
|
|
|
|
|
I've gave the 'exploit' a run, but got the following error:
Code: | WordPress 2.1.3 blind sql injection exploit by waraxe Target: http://www.site.com/wordpress/wp-admin/admin-ajax.php sql table prefix: wp_ cookie suffix: 2554b2e3cc6c5f2f5bf434c94ad7987c testing probe delays test_md5delay(1) - invalid return value, exiting ... |
I'm not sure if this is my fault or whether the version of Wordpress isn't correct.
Any idea's?
Thanks |
|
|
|
|
|
|
|
|
Posted: Wed Jun 20, 2007 4:00 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
blaxenet wrote: | I've gave the 'exploit' a run, but got the following error:
Code: | WordPress 2.1.3 blind sql injection exploit by waraxe Target: http://www.site.com/wordpress/wp-admin/admin-ajax.php sql table prefix: wp_ cookie suffix: 2554b2e3cc6c5f2f5bf434c94ad7987c testing probe delays test_md5delay(1) - invalid return value, exiting ... |
I'm not sure if this is my fault or whether the version of Wordpress isn't correct.
Any idea's?
Thanks |
This can mean, that server issues mysql error message. I have seen such problems in some other websites too and this can be related to different sql table structure, maybe because of some modifications in WP installation. So first you must see, what really happens there - try to change this exploit so, that instead of "probe delays test_md5delay(1)" diagnostic message it will print out all data, coming from server. Then, if it's sql error message, then just adjust exploit so that sql clause will be valid to that specific server. |
|
|
|
|
|
|
|
|
Posted: Wed Jun 20, 2007 6:33 pm |
|
|
Stoney |
Regular user |
|
|
Joined: Jun 20, 2007 |
Posts: 6 |
|
|
|
|
|
|
|
hi ! i got a error from the exploit !
Code: |
Target: http://www.xxxxx.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: a1f44f7e99efa5715d7b87e763a96457
testing probe delays
Fatal error: Call to undefined function curl_init() in C:\inetpub\wwwroot\exploit1.php on line 399
|
can anyone help me by the error? |
|
|
|
|
Posted: Wed Jun 20, 2007 6:44 pm |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
Stoney wrote: | hi ! i got a error from the exploit !
Code: |
Target: http://www.xxxxx.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: a1f44f7e99efa5715d7b87e763a96457
testing probe delays
Fatal error: Call to undefined function curl_init() in C:\inetpub\wwwroot\exploit1.php on line 399
|
can anyone help me by the error? |
Read this thread http://www.waraxe.us/ftopict-1776-.html |
|
|
|
|
Posted: Wed Jun 20, 2007 7:42 pm |
|
|
Stoney |
Regular user |
|
|
Joined: Jun 20, 2007 |
Posts: 6 |
|
|
|
|
|
|
|
koko wrote: | Stoney wrote: | hi ! i got a error from the exploit !
Code: |
Target: http://www.xxxxx.com/wp-admin/admin-ajax.php
sql table prefix: wp_
cookie suffix: a1f44f7e99efa5715d7b87e763a96457
testing probe delays
Fatal error: Call to undefined function curl_init() in C:\inetpub\wwwroot\exploit1.php on line 399
|
can anyone help me by the error? |
Read this thread http://www.waraxe.us/ftopict-1776-.html |
sry ! thx for help |
|
|
|
|
|
|
|
|
Posted: Sun Jun 24, 2007 12:20 pm |
|
|
blaxenet |
Active user |
|
|
Joined: Jun 20, 2007 |
Posts: 26 |
|
|
|
|
|
|
|
I've had another go with this script on a completely different domain.
Got this far, but the hash doesn't seem right.
So i've taken a look at the other responses here and changed the $testcnt value from 300000 to 900000 but that made no visible difference apart from the hash changing slightly.
Any idea's :S ?
---------------------------------
$testcnt = 300000;
---------------------------------
Target: http://removed.com/blog/wp-admin/admin-ajax.php
User ID: 1
Login:
Hash: 0000000000000000000000000aa00000
---------------------------------
$testcnt = 900000;
---------------------------------
Target: http://removed.com/blog/wp-admin/admin-ajax.php
User ID: 1
Login:
Hash: 00000000000000d000030a0000000000 |
|
|
|
|
|
|
|
|
Posted: Sun Jun 24, 2007 2:23 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
This is hard to tell, it all depends. You can sniff traffic between target server and your PC and then look at sniffer log and try to understand, why it is not working as expexted. This can be because server is too slow and unstabe or wp installation is just patched allready.
One thing is sure - sql injection blind fishing methods are not 100% reliable and there are always some non-working targets ... |
|
|
|
|
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 2 of 4
Goto page Previous1, 2, 3, 4Next
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|