WordPress i1.wp.com Functionality Abuse

2015-11-13T00:00:00
ID PACKETSTORM:134325
Type packetstorm
Reporter Andrea Menin
Modified 2015-11-13T00:00:00

Description

                                        
`Exploit Title: WordPress (i1.wp.com) Abuse of Functionality  
Date: Nov 12th 2015  
WASC: WASC-42  
Exploit Author: Andrea Menin (github.com/theMiddleBlue/)  
Video: https://www.youtube.com/watch?v=6g2khjbflmA  
  
  
Description:  
------------  
Abuse of Functionality is an attack technique that uses  
a web site's own features and functionality to attack  
itself or others. Abuse of Functionality can be described  
as the abuse of an application's intended functionality  
to perform an undesirable outcome.  
  
An attacker could use the WordPress website to send  
any kind of HTTP request to a third-party website.  
In this video I show you how to execute a SQL injection  
from i1.wp.com to my website.  
  
i1.wp.com is used to display images inside users' blogs.  
For example, here you can find a pic of my friend Carlton:  
https://i1.wp.com/d236bkdxj385sg.cloudfront.net/wp-content/uploads/2015/04/Thug-Life-500x450.jpg  
  
The problem is that wp.com makes an HTTP request for every  
URL specified, not only for images. So you can use the wp.com  
IP addresses to make requests or execute attacks.  
  
  
Exploit:  
--------  
Just visit https://i1.wp.com. You will always get the error:  
"We cannot complete this request, remote data was invalid"  
but WordPress makes the HTTP request anyway...  
  
curl "https://i1.wp.com/<destination-website>"  
  
For example:  
curl "https://i1.wp.com/www.example.com/index.php%3Fid=123+AND+1=1+UNION+SELECT+..."  
  
  
Video:  
------  
https://www.youtube.com/watch?v=SgFHt37p_Lw  
  
  
--  
Andrea (aka theMiddle) Menin  
menin.andrea [at] gmail.com  
github.com/theMiddleBlue/  
`
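
The root cause described above is that the proxy fetches whatever URL it is given, not only images. As an added example (not code from the advisory or from WordPress), this is one way an image proxy could validate the requested target before making any upstream request; the function name, the extension list and the character allowlist are assumptions chosen for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Hypothetical policy values, not taken from any real image proxy.
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".webp")
# /<hostname with at least one dot>/<path segments in a conservative charset>
TARGET_RE = re.compile(
    r"/([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)((?:/[A-Za-z0-9._-]+)+)"
)


def allowed_target(proxy_path):
    """Return (host, path) the proxy may fetch, or None to refuse.

    proxy_path is the raw, still percent-encoded path sent to the proxy,
    e.g. "/www.example.com/uploads/pic.jpg".
    """
    # Decode once, then match the allowlist. A smuggled query string
    # (%3F -> '?'), '+', '=', spaces, and any '%' left over from double
    # encoding (%253F -> %3F) all fall outside the charset and are refused.
    decoded = unquote(proxy_path)
    match = TARGET_RE.fullmatch(decoded)
    if match is None:
        return None
    host, path = match.group(1).lower(), match.group(2)
    # No directory traversal segments.
    if ".." in path.split("/"):
        return None
    # No IP-literal hosts. The address the name resolves to still has to
    # be checked at fetch time; that step is outside this sketch.
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    # Only paths that name an image file.
    if not path.lower().endswith(IMAGE_EXTENSIONS):
        return None
    return host, path


if __name__ == "__main__":
    # The two proxy paths quoted in the advisory.
    for p in (
        "/d236bkdxj385sg.cloudfront.net/wp-content/uploads/2015/04/Thug-Life-500x450.jpg",
        "/www.example.com/index.php%3Fid=123+AND+1=1+UNION+SELECT+...",
    ):
        print(p, "->", allowed_target(p))
```

Because the advisory shows the request being sent even when the response is later rejected as invalid, a check like this has to run before the fetch, not on the returned data.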