
Found A WP Plugin Exploit :S

Discussion in 'BlackHat Lounge' started by gimme4free, Jul 1, 2009.

  1. gimme4free (Executive VIP, Jr. VIP, Premium Member)
    I have been setting up a blog as a WH site tonight, just been messing about with one of the plugins and have ended up finding roughly 5000 sites where I can download their wp-config.php file fully, with DB login details etc. I will be reporting this, but out of curiosity, with someone's DB login details can they actually log in to a database?

    My site was hacked a little while back and they probably got hold of my config files. Is it actually possible to connect to a database from another server if the DB server is localhost?
     
  2. Grizzy (Senior Member)
    If your MySQL daemon is set to listen on your public IP they could, but by default MySQL listens on localhost only.

    Still a huge security hole though!
     
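Grizzy's "listens on localhost only by default" holds for the my.cnf that Debian and Ubuntu ship, which sets bind-address = 127.0.0.1; an upstream mysqld with no bind-address and no skip-networking listens on every interface. The check below is an added example, not code from the thread: it parses the [mysqld] section of my.cnf-style text and reports whether leaked DB credentials would be usable from another host. The config samples are constructed, and audit_mysqld and its result fields are this example's own names.

```python
"""Does this mysqld accept TCP connections from other hosts?

Added example, not code from the thread. Parses the [mysqld] section of
my.cnf-style text and classifies the listening policy. The configs below are
constructed samples, not real hosts.
"""
import configparser

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"0.0.0.0", "*", "::"}

# Constructed samples.
LOCAL_CFG = """
[mysqld]
user = mysql
bind-address = 127.0.0.1   # the line Debian/Ubuntu ship in their default my.cnf
"""
PUBLIC_CFG = """
[mysqld]
bind-address = 0.0.0.0
"""
NO_BIND_CFG = """
[mysqld]
datadir = /var/lib/mysql
"""
SKIP_NET_CFG = """
[mysqld]
skip-networking
"""


def mysqld_options(cfg_text):
    """Return [mysqld] options as a dict, normalising foo_bar to foo-bar."""
    # configparser cannot handle !include / !includedir directives; drop them.
    lines = [ln for ln in cfg_text.splitlines() if not ln.lstrip().startswith("!")]
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None,
                                       inline_comment_prefixes=("#",))
    parser.read_string("\n".join(lines))
    if not parser.has_section("mysqld"):
        return {}
    return {k.replace("_", "-"): v for k, v in parser.items("mysqld")}


def audit_mysqld(cfg_text):
    """Classify where mysqld listens and whether remote use of leaked creds is possible."""
    opts = mysqld_options(cfg_text)
    if "skip-networking" in opts:
        return {"listens": "none", "remote_reachable": False,
                "note": "skip-networking: no TCP listener; local clients use the Unix socket"}
    bind = opts.get("bind-address")
    if bind is None:
        # Upstream default: all interfaces (0.0.0.0 in 5.6, '*' from 5.7 on).
        return {"listens": "all", "remote_reachable": True,
                "note": "no bind-address set: upstream default listens on every interface"}
    addrs = [a.strip() for a in bind.split(",")]   # MySQL 8 allows a comma list
    if all(a in LOOPBACK for a in addrs):
        return {"listens": "local", "remote_reachable": False,
                "note": f"bound to {bind}: only processes on this host "
                        "(phpMyAdmin, a web shell) can connect"}
    if any(a in WILDCARD for a in addrs):
        return {"listens": "all", "remote_reachable": True,
                "note": f"bound to {bind}: leaked DB credentials work from anywhere "
                        "the port is not firewalled"}
    return {"listens": "address", "remote_reachable": True,
            "note": f"bound to {bind}: reachable from any network that routes to it"}


if __name__ == "__main__":
    for name, cfg in [("local", LOCAL_CFG), ("public", PUBLIC_CFG),
                      ("no-bind", NO_BIND_CFG), ("skip-net", SKIP_NET_CFG)]:
        print(name, audit_mysqld(cfg))
```

Option files can be overridden on the mysqld command line, so confirm on the box itself with `ss -ltnp` (or `netstat -ltnp`) and look for port 3306. Two more layers sit on top of the bind address: a host firewall can block the port even when mysqld listens everywhere, and the Host column of the grant (a user created as 'bloguser'@'localhost') refuses the login from any other host even when the port is open.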
  3. gimme4free (Executive VIP, Jr. VIP, Premium Member)
    That's good to hear. Would the auth key, logged-in key, etc. be of much use to someone, or is that also, like MD5, near impossible to crack?
     
  4. stealthisblog (Regular Member)
    No, 95% of the time MySQL will not accept remote connections, either because it's configured not to or the port is blocked by a firewall. However, the DB password may be the same as the admin's password for FTP, SSH, or WordPress itself, which could turn very dangerous. You could also use that bug to pull system files and other configuration files and get further into the system.

    Mind posting which plugin you found this remote file disclosure in?

    Also, MD5 is not nearly impossible to crack as you said; it's actually one of the easiest algorithms to crack through dictionary attacks, brute force, or rainbow tables. Most MD5 passwords can be cracked nowadays.
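gimme4free's "the passwords are encoded anyway" and stealthisblog's reply are each partly right: WordPress 2.5 and later store phpass portable hashes (salted, iterated MD5, the `$P$` prefix you see in wp_users), while older installs and many other PHP apps of the period stored a bare md5() of the password. The script below is an added example, not code from the thread. It runs a dictionary attack with simple mangling rules against an unsalted MD5, shows why a precomputed table (the idea behind rainbow tables) finds unsalted hashes instantly, and then shows what a salt plus iteration does to both attacks. The wordlist and target hashes are constructed here so it runs offline; salted_iterated is a simplified stand-in for phpass, not the real algorithm.

```python
"""Dictionary attack on unsalted MD5, and why salting plus iteration blunts it.

Added example, not code from the thread. Wordlist and targets are constructed
so the demo runs offline; real attacks use multi-million-word lists and GPU
hash rates, which is why bare MD5 password hashes fall quickly.
"""
import hashlib

# Constructed mini wordlist; a real one is millions of entries.
WORDLIST = ["123456", "password", "letmein", "wordpress", "qwerty", "dragon"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def mangle(word):
    """Cheap rules that catch most 'password1' / 'Dragon!' style variants."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in "0123456789!":
            yield base + suffix


def dictionary_attack(target_hex, words):
    """Hash every candidate until one matches the leaked unsalted MD5."""
    for word in words:
        for cand in mangle(word):
            if md5_hex(cand) == target_hex:
                return cand
    return None


# Without a salt the same password always gives the same hash, so the work can
# be done once and reused against every leaked database: a lookup table.
PRECOMPUTED = {md5_hex(cand): cand for word in WORDLIST for cand in mangle(word)}


def lookup_precomputed(target_hex):
    return PRECOMPUTED.get(target_hex)


def salted_iterated(password, salt, rounds):
    """Simplified salt-and-stretch scheme in the spirit of phpass (not phpass itself)."""
    digest = hashlib.md5((salt + password).encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest + password.encode()).digest()
    return digest.hex()


def crack_salted(target_hex, salt, rounds, words):
    """Same dictionary attack, but every guess now costs `rounds` MD5 calls and
    the table would have to be rebuilt per salt, so precomputation buys nothing."""
    for word in words:
        for cand in mangle(word):
            if salted_iterated(cand, salt, rounds) == target_hex:
                return cand
    return None


if __name__ == "__main__":
    leaked = md5_hex("letmein")            # stands in for a hash pulled from a DB dump
    print("dictionary:", dictionary_attack(leaked, WORDLIST))
    print("table:     ", lookup_precomputed(leaked))
    stretched = salted_iterated("letmein", "x9Kq", 8192)   # phpass default is 2**13 rounds
    print("table vs salted:", lookup_precomputed(stretched))
    print("dictionary vs salted:", crack_salted(stretched, "x9Kq", 8192, WORDLIST))
```

The salted hash still falls to the dictionary attack, because the salt is stored next to the hash and the password is weak; what changed is the price per guess (8192 MD5 calls instead of one) and the loss of the shared table. That is the difference between "cracked in seconds from a rainbow table" and "cracked only if the attacker commits GPU time to this one user", and the reason a strong, unique WordPress password still matters after a wp-config leak.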
     
  5. stealthisblog (Regular Member)
    That's blind SQL injection, not remote file disclosure...
     
  6. Grizzy (Senior Member)
    Oh yeah, good point stealth, your DB user/pass is often the same as for FTP and SSH.

    I wouldn't worry too much about the auth key being cracked; however, I would change your SQL user/pass (just for peace of mind really) :).

    What I would be worried about is the other information in wp-config, like the table prefix, that could be used in SQL injection attacks (although most sites don't change their table prefix anyway).

    Two really good and simple steps to take to secure WP are to change your table prefix and change your WP "admin" username to something else. I find that many compromised blogs haven't done this.
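The two hardening steps above, plus the keys gimme4free asked about and the DB details stealthisblog worried about, can be checked from the file itself. The script below is an added example, not code from the thread: it pulls the define() constants and $table_prefix out of wp-config.php text and flags the default wp_ prefix, auth keys left at WordPress's 'put your unique phrase here' placeholder (or missing, or short), a DB_HOST that is a network address, and a short DB password. The keys matter more than "cracking" suggests: WordPress uses them to sign its login cookies, so a leaked wp-config together with read access to wp_users is enough to mint a valid cookie without recovering anyone's password. Samples are constructed; audit_wp_config and the finding codes are this example's own names. Renaming the "admin" account lives in the wp_users table rather than wp-config.php, so it is outside this check.

```python
"""Audit a wp-config.php for the weak spots discussed in the thread.

Added example, not code from the thread. Parses define() constants and
$table_prefix from the file text; the configs below are constructed samples.
On a real install, read wp-config.php from the WordPress root instead.
"""
import re

DEFINE_RE = re.compile(r"""define\(\s*(['"])([A-Z_]+)\1\s*,\s*(['"])(.*?)\3\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(.*?)\1""")
PLACEHOLDER = "put your unique phrase here"  # value WordPress ships in wp-config-sample.php
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: a freshly installed blog nobody hardened.
WEAK_CONFIG = """<?php
define('DB_NAME', 'blog');
define('DB_USER', 'bloguser');
define('DB_PASSWORD', 'blog123');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix  = 'wp_';
"""

# Constructed sample: random prefix, generated keys, long DB password.
RANDOM_KEY = "q7Zk!pL2#vX9@wE4" * 4   # 64 chars, stands in for generated key material
HARDENED_CONFIG = f"""<?php
define('DB_NAME', 'blog');
define('DB_USER', 'bloguser');
define('DB_PASSWORD', 'T3h-L0ng3r-Th3-B3tt3r-9x2');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         '{RANDOM_KEY}');
define('SECURE_AUTH_KEY',  '{RANDOM_KEY[::-1]}');
define('LOGGED_IN_KEY',    '{RANDOM_KEY.lower()}');
define('NONCE_KEY',        '{RANDOM_KEY.upper()}');
$table_prefix  = 'k7q2_';
"""
# Same file, but the database lives on another host (constructed address).
REMOTE_CONFIG = HARDENED_CONFIG.replace("'localhost'", "'10.0.0.5'")


def parse_wp_config(text):
    """Return ({CONSTANT: value}, table_prefix or None) from wp-config.php text."""
    consts = {name: value for _, name, _, value in DEFINE_RE.findall(text)}
    match = PREFIX_RE.search(text)
    return consts, (match.group(2) if match else None)


def audit_wp_config(text):
    """Return a list of (code, detail) findings; empty list means nothing flagged."""
    consts, prefix = parse_wp_config(text)
    findings = []
    if prefix == "wp_":
        findings.append(("default-prefix",
                         "table names are guessable (wp_users, wp_options); use a random prefix"))
    host = consts.get("DB_HOST", "localhost").split(":")[0]   # drop :port or :socket
    if host not in LOCAL_HOSTS:
        findings.append(("remote-db-host",
                         f"DB_HOST {host!r} is reached over the network, so leaked "
                         "DB_USER/DB_PASSWORD are usable from elsewhere"))
    if len(consts.get("DB_PASSWORD", "")) < 12:
        findings.append(("weak-db-password",
                         "short or empty DB_PASSWORD; also make sure it is not reused for FTP/SSH/WP"))
    for key in REQUIRED_KEYS:
        value = consts.get(key)
        if value is None:
            findings.append(("missing-key", key))
        elif value == PLACEHOLDER:
            findings.append(("placeholder-key", key))
        elif len(value) < 32:
            findings.append(("weak-key", key))
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("remote-db", REMOTE_CONFIG)]:
        print(name)
        for code, detail in audit_wp_config(cfg):
            print("  ", code, "-", detail)
```

After a disclosure like the one in this thread, the fix is not only to rotate DB_PASSWORD: regenerate all four keys (which logs every session out, the intended effect, since any cookie signed under the old keys is now forgeable), and move to a non-default prefix only with a tool that also renames the existing tables and the prefixed rows in wp_options and wp_usermeta, or the site will break.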
     
  7. bigmoneyX (Registered Member)
    Maybe you could log in if phpMyAdmin is installed on the server?
     
  8. stealthisblog (Regular Member)
    Yes, that would definitely work.
     
  9. Grizzy (Senior Member)
    Yeah, phpMyAdmin can be nasty, but hopefully your hosting company has taken steps to limit its vulnerabilities. For example, I can only log in to phpMyAdmin through my web host's cPanel.
     
  10. Jcsarokin (Power Member)
    LOL, don't report it, put together an ebook and sell it for $75 ;)
     
  11. gimme4free (Executive VIP, Jr. VIP, Premium Member)
    Haven't quite got around to clicking the send button yet lol. It's not that exploit. Even if you get to the database the passwords are encoded anyway ;)
     
  12. cchance (Junior Member)
    Dagh, this is BlackHatWorld, just post what it is lol
     
  13. g3ksan (Newbie)
    This has been around forever; I've raped MediaWiki installs, WP, phpBB, all sorts of easily installed PHP apps. All I can say is Google is your friend in this case ;)
     
  14. shadowpwner (Regular Member)
    I think he's talking about an exploit. However, I highly doubt the same exploit would work for phpBB, WP, etc. UNLESS they haven't updated their installation.
     
  15. stealthisblog (Regular Member)
    He's just a script kiddie, using Google to turn up vulnerable websites and running prepackaged exploits on them. Nothing to brag about.