
CVE-2014-9016 PoC: Input validation vulnerability in Drupal and the Drupal Secure Password Hashes module

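Source
Related vulnerability
Title: Input validation vulnerability in Drupal and the Drupal Secure Password Hashes module (CVE-2014-9016)
Description: Drupal is a free, open-source content management system written in PHP and maintained by the Drupal community. The password hashing API is its API for creating and verifying hashed passwords. Secure Password Hashes (also known as phpass) is a module for storing password hashes. A security vulnerability exists in the password hashing API of Drupal 7.33 and earlier and of the Drupal Secure Password Hashes module 6.x-2.0 and earlier. A remote attacker can exploit this vulnerability by sending a crafted request to cause a denial of service (CPU
Description
Exhaust WordPress <V5.0.1 resources using long passwords (CVE-2014-9016)
Introduction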
![](readme_files/banner.png)

# WordPress Denial of Service (CVE-2014-9016)

## Disclaimer
The contents of this script are intended to be used only in an ethical manner. 
Do not use this script if you do not have written permission from the owner of 
the equipment. If you perform illegal actions, you are likely to be arrested 
and prosecuted to the full extent of the law. Primus27 does not take any 
responsibility if you misuse any of the scripts - they are for proof of concept only. 
The application herein must only be used while testing environments with proper 
written authorizations from appropriate persons responsible.


## Exploit
 - Takes WordPress services offline by automating a long-password attack
 - This script attacks WordPress at the application layer by exploiting:
    - The lack of an enforced maximum password length
    - The lack of additional security measures such as CAPTCHAs
    
## Solution
 - Update WordPress to >5.0.1
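
The missing control named under Exploit (no maximum password length) can be shown from the defender's side. The sketch below is an added example, not code from this repository or from WordPress/Drupal: it uses a phpass-style iterated hash in which every round re-hashes the full password, and rejects oversized input before any hashing starts. The 4096-byte cap, the iteration count and all function names are assumptions.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 4096   # assumed cap; pick a value that fits your policy
ITERATIONS = 1 << 13        # assumed cost factor (a power of two, phpass-style)
SALT_BYTES = 8


def stretch(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated hash where each round re-hashes the whole password,
    so CPU cost grows with iterations * len(password)."""
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(iterations):
        digest = hashlib.sha512(digest + password).digest()
    return digest


def bytes_hashed(password_len: int, iterations: int = ITERATIONS) -> int:
    """Bytes fed to SHA-512 for a single login attempt."""
    return (SALT_BYTES + password_len) + iterations * (64 + password_len)


def check_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Length check first: an oversized candidate costs no hashing work."""
    raw = candidate.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    return hmac.compare_digest(stretch(raw, salt), stored)


def demo() -> dict:
    salt = os.urandom(SALT_BYTES)            # constructed sample account
    stored = stretch(b"correct horse", salt)
    return {
        "valid": check_password("correct horse", salt, stored),
        "wrong": check_password("wrong", salt, stored),
        # 1000000 is the default --length listed in this README
        "oversized": check_password("A" * 1_000_000, salt, stored),
        "work_ratio": bytes_hashed(1_000_000) // bytes_hashed(16),
    }


if __name__ == "__main__":
    print(demo())
```

`work_ratio` compares the hashing work an uncapped verifier would do for a 1,000,000-character password with the work for a 16-character one, which is why the cap has to run before the hash rather than after it.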

## Features
 - Automate the takedown of a WordPress site
 - Can run in headless or verbose mode
 - Optimised significantly from version 1 (not available on GitHub)

## Screenshots

![](readme_files/demo_start.png)
> Application demo (Script start)

![](readme_files/demo_end.png)
> Application demo (Script end)

## Requirements and Installation
 - Requires the WordPress version to be <5.0.1
 - [Python 3.6+](https://www.python.org/)
 - Linux (tested)
 - Install all dependencies from the requirements.txt file. `pip3 install -r requirements.txt`

## Arguments

#### Required arguments:
  - `-T` || `--target`
    - Specify IP address or URL of the WordPress machine.
    - If an IP address is specified, the script constructs a URL (http://{IP_Address}/wp-admin)
    - If a URL is specified, the script does not construct a URL.

#### Optional arguments:
  - `--attempts`
    - Specify the number of attempts before the script ends.
    - Default: 500
    - **NOTE:** Script automatically ends after 5 failed attempts.

  - `--length`
    - Specify the base length of the password entry.
    - Default: 1000000
    
    
  - `-nF` || `--noFeedback`
    - Disables the output of the username and password entries; instead, only shows whether each attempt completed or failed.
    - Default: Disabled
  
  
  - `-V` || `--verbose`
    - Flag for the program not to run in headless mode. This launches a browser and shows every action.
    - Default: Disabled
  
  
  - `--version`
    - Display program version

## Usage
 - Run 'wp_kill.py' in terminal with arguments (see above)

### Starter command(s)
 - Typical attack
    - `python3 wp_kill.py -T TARGET_IP`

## Changelog
#### Version 1.0 - Initial release
 - WordPress target is taken offline
 - CLI menu parameters
    
#### Version 2.0 - Performance and feature improvements
 - Added custom 'attempts' option
 - Added custom 'length' option
 - Added 'no feedback' option
 - Added 'verbose' option
 - Significantly improved speed at which passwords are generated using a seed
 - Significantly improved performance by using the same Firefox session
 
#### Version 2.1 - Custom Username & Address

 - Added custom username argument (see username argument)
 - Added custom address (see target argument)

## Features in development
 - Multiprocessing support

File snapshot

[4.0K] /data/pocs/401c20d495b292f8b97adb3556735e115dc2f95b
├── [ 34K] LICENSE
├── [4.0K] readme_files
│   ├── [ 77K] banner.png
│   ├── [ 61K] demo_end.png
│   └── [ 46K] demo_start.png
├── [3.4K] README.md
├── [ 27] requirements.txt
├── [2.7K] title_generator.py
└── [7.2K] wp_kill.py

1 directory, 8 files