Posted Nov 19, 2019, 09:04 PM
Wordpress REST API. Acknowledge it.
+
Cross-Origin Resource Sharing
Versions Vulnerable: <= 5.2.4

November 18, 2019


PREFACE:
--------

Wordpress and third-party plugin developers are never far from the front page of an advisory/exploit database. Logically
this makes sense, as the core developers are vastly outnumbered by the plugin developers. When planning a website, it
would be a very big mistake to overlook how large a problem this can be. I can say with some certainty that there are
always zero-day exploits waiting to pop up.

Arguably, some advisories exist because the platform's developers intended its functionality to work in a 'less secure'
but more functional way. The problem simply stems from those who use the platform and are otherwise unaware of how
things are working behind the scenes. This document expands on that concept, as we will specifically discuss
the recent Cross-Origin Resource Sharing advisory and how it is very similar to a designed characteristic known as
the WP REST API (wp-json).


HTTP COMMUNICATION:
-------------------

At the higher protocol level of HTTP/S, servers and browsers communicate by sending messages, each of which begins with
chunks of information known as headers. When you are browsing the internet, downloading and uploading information, your
browser is communicating with servers on a more primitive but relatively simple level, following the rules set forth in
the Hyper-Text Transfer Protocol.

Below are two sets of headers; the first originating from a client browser (the request), and the second from the server (the response).

// Request
> Request URL: http://www.kev.is/amazing.login
> Request Method: POST
> Status Code: 404
> Remote Address: [:::1]:80

// Response
> Access-Control-Allow-Origin: http://localhost:1337
> Connection: close
> Content-Type: Application/Json
> Error-Details: Error querying database

If this is new to you, I would advise looking into these conversations. If you are trying to weed out bugs, escalate
privileges, or move across a computer or network, understanding how to manipulate these messages is a foundation.

The key thing to take away from this is the line that says "Request Method: POST".

HTTP methods are the workers. When you POST information, you are sending data forward, perhaps in the form of login data.
When you GET data, you are asking the server to send it to you.
When you PUT data, you are uploading it. There are other methods outside the scope of this (TRACE, OPTIONS, HEAD, etc).

These rules create the foundation of the web we see today. And as you may have guessed, some of these methods are
unsafe in some situations. For instance, allowing everyone to use the PUT method on your web server will certainly end
up in shellcode being uploaded, your server rooted, your information stolen and possibly even ransomware.


WORDPRESS WP-JSON REST API
--------------------------

Wordpress was developed for developers, so it comes as no surprise that they have implemented a REST API in the framework.
API - Application Programming Interface - is essentially a framework of developed high-level code which can be used in part
or in full to interface with other programs or devices. An example: I downloaded the Python FUSE API, as iDevices that are
activation locked are also sandboxed with additional USB restrictions. Their filesystems cannot be mounted in the same way
we do NTFS, EXTx, FAT, etc. Individuals have created the building blocks necessary in the form of an API package which
any programmer can then reference and save development time.

REST - Representational State Transfer - the easiest way to explain this is: APIs with endpoints that are reached over HTTP.
REST makes larger-scale, network-dependent programs/applications much more practical.

So in saying that, it makes perfect sense that Wordpress would implement this in their system. This, however, could
effectively work against someone who is less informed, and the severity could range from little to massive.

[PROTOCOL]  [HOST/DOMAIN]     [REST]    [INST.DIR]  [GROUPS]   [ID/ENUM]
https://    www.example.com   /wp-json  /wordpress  /users     /xx
                                                    /pages     /x
                                                    /posts     /x
                                                    /comments  /x
                                                    /blocks    /x

The above indicates a typical wordpress installation outline (this is a simple version). Installations will vary in that
some don't use a specific install directory and simply write index.html to /var/www/public_html. Other important folders
exist, such as /wp-admin, /wp-content and /wp-includes, and a well-configured installation should have all file and
folder permissions set appropriately.

By using the curl tool, HTTP methods can be used to call the REST API wordpress offers. This is great from a
developer's stance. However, someone with more malicious intent could cause considerable damage if doors were left
wide open here, especially on top of any other potential advisories that may be about.

Let's take a look at how we can obtain some information here:

> INPUT
curl --location --request GET "https://www.example.com/wp-json/wordpress/users/1"

> OUTPUT
{
  "id": 1,
  "name": "admin",
  "url": "",
  "description": "",
  "link": "https:\/\/example.com\/author\/admin\/",
  "slug": "admin",
  "meta": [],
  "_links": {
    "self": [{"href": "https:\/\/example.com\/wp-json\/wordpress/users\/1"}],
    "collection": [{"href": "https:\/\/example.com\/wp-json\/wordpress/users"}]
  }
}

The request was sent with the numerical value of 1, which works out to be the first user found within the wp_users table
in the SQL database. It's a safe bet to say that as requests are made with higher numbers, the users within that website's
database will be enumerated (along with their account information, short of passwords). To make things better or worse,
as you will see in the little program I wrote at the bottom of this document, we can program to very quickly enumerate all
information we retrieve, and even clean it up and sort it.

If I had probed just the /users/ endpoint, it would have returned every user within.
You can see I make use of the HTTP GET method in the above example.

And yes, in some situations, especially ones heavily overlooked, you can POST data to the API, and in doing so you can
actually create accounts or edit accounts that currently exist. Other things that could be accomplished include
editing posts and downloading only pages that have been updated at least once; if permissions are really bad, this could
lead to an unauthorized file upload condition, which is just a hop away from a rooted server.

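The WordPress-side fix for the user enumeration shown above, as an added defensive example (not code from the original post): a small must-use plugin that removes the users routes from the REST API for visitors who are not logged in, so both the GET listing and any unauthenticated POST to those routes get a 404. The rest_endpoints filter and the route keys are WordPress's own; the mu-plugins file location is an assumption.

```php
<?php
/*
 * Plugin Name: Hide REST users routes from anonymous visitors
 * Added example, not part of the original post. Assumed location:
 * wp-content/mu-plugins/hide-rest-users.php (mu-plugins load without activation).
 */

// rest_endpoints fires after all routes are registered and hands us the route table.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Logged-in users keep full access; the editor relies on /wp/v2/users.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Route keys as registered by WP_REST_Users_Controller: the collection
    // (/wp-json/wp/v2/users) and the single-user route walked ID by ID above.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }

    // With the routes removed, WordPress answers rest_no_route (HTTP 404) for
    // every method, so an anonymous walk stops at user 1 with no account data.
    return $endpoints;
} );
```

Verify with the same curl request as above while logged out: the response should now be the rest_no_route error rather than a user object.
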
On a positive note, by learning how to interact with these APIs, and even learning just a bit of curl and another language
such as Python, or in my case bash scripting, the possibilities are quite endless. If you are at a Linux terminal, just
type 'curl --help' and acknowledge how many options there are. From a penetration tester's standpoint, understanding
how the foundations work and utilizing tools (e.g. Golismero HTTP/S Stepper, cookie hijacking, directory traversing) are
absolutely key to making progress.

Below is a program I was writing to go along with this; however, I have less time than I originally thought and would like
to get through Cross-Origin Resource Sharing as well as, should there be time, some information which may be seen as
beneficial when considering a home network, router, vectors of attack with proof of concept, as well as some tidbits on
differences between family routers and switches you'd see within larger companies, ISPs, factories, etc.

This program is broken, but with a little thought, you will see where I was headed with it ;)

---- eof


#!/bin/sh
# Wordpress /wp-json/ URL Enumerator

# Introduction text. I have plans to expand this with a few positional arguments
printf '\n\nSimple hard-coded wordpress page enumerator/scraper.\n'
printf 'Written in BASH / Curl\n'
printf 'USAGE:\t ./wpenum.sh\nWill exit when finished, or abort with CTRL+C\n\n'

# Initialize variables
i=0                                   # Page counter
fpath=$(pwd)                          # Working Dir
site="https://SOMEWORDPRESSSITE.com"  # Placeholder target, replace before running

# Bash doesn't have try/catch, so the loop simply runs until curl reports a 404,
# at which point the script exits with status 0. A curl failure (no network,
# DNS error) exits with status 1 instead.
while true; do
    # Increase counter to begin at page 1. Substitute it into the URL and the
    # filename until the API returns a 404 status.
    i=$((i + 1))

    # Send an HTTP GET request to the Wordpress REST API.
    # -s hides the progress meter, -o writes the body to N.json and
    # --write-out prints only the HTTP status code so it can be tested below.
    status=$(curl -s -o "$i.json" --location --write-out '%{http_code}' \
        --request GET "$site/wp-json/wp/v2/pages/$i") || exit 1

    if [ "$status" = "404" ]; then
        # Note: post IDs are shared between pages, posts and media, so the first
        # 404 can also be a gap in the numbering rather than the last page.
        echo "HTTP Response 404 has been detected, exiting."
        rm -f "$i.json"   # the 404 body is an error object, not a page
        exit 0
    fi

    # Sorting the flood of data - primarily HTML, so split each line on '>' and
    # print every piece on its own line into N.txt
    awk -F '>' '{ for (k = 1; k <= NF; k++) print $k }' "$i.json" > "$i.txt"
    echo "Page $i.json successfully written to $fpath"
done