Apologies for not posting anything on my blog for so long. I saw this wordpress exploit yesterday and its just awesome work by waraxe. Unlike my xmlrpc.php exploit this doesnot even need any privilidges and the exploit works fine. To me, it is yet another example of why magic_quote setting of php is not sufficient protection against SQL injections. Although, i have explained the wordpress cookie earlier as well, i am doing it once again.
If you dont wanna spend time cracking the md5, then this is what you need to do once you get the md5 hash of the admin password.
add the following 2 cookies in your browser before you visit the admin section of the website. I recommend using this firefox plugin
the name of the cookie if specific to the website and it has this pattern
where (unique suffix) is md5 of the base url
Thus as pointed by waraxe for wordpress hosted at http://localhost/wordpress-2.1.3 the suffix become md5(‘http://localhost/wordpress.2.1.3′) =5a136e6377f39b00c76957953df945db
and thus the cookie will be wordpressuser_5a136e6377f39b00c76957953df945db
now add the value of this cookie which is the username for which you have obtained the hash.
add another cookie with the name wordpresspass_[same suffix as above] and the value as the md5 of the hash you obtained by the exploit and then u can login as that user.
if hash obtained is 21232f297a57a5a743894a0e4a801fc3 (md5(‘admin’))
then the value will be c3284d0f94606de1fd2af172aba15bf3 (md5(’21232f297a57a5a743894a0e4a801fc3′))
the two cookies will look like this then:
Now enjoy the admin privilidges.