Adds http-vuln-cve2017-1001000. Closes #775

2025-12-12 02:39:03 +00:00 · 2017-06-01 19:08:23 +00:00
parent edd0676e4b
commit aedd40ced5
3 changed files with 132 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] New script http-vuln-cve2017-1001000 detects a privilege escalation 
+  vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE2017-1001000) [Vinamra Bhatia]
+
 o [NSE] New script smb-vuln-ms17-010 detects a critical remote code execution 
  vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010).
  The script also reports patched systems. [Paulino Calderon]
--- a/scripts/http-vuln-cve2017-1001000.nse
+++ b/scripts/http-vuln-cve2017-1001000.nse
@@ -0,0 +1,128 @@
+local http = require "http"
+local shortport = require "shortport"
+local string = require "string"
+local stdnse = require "stdnse"
+local url = require "url"
+local vulns = require "vulns"
+local json = require "json"
+
+description = [[ 
+Attempts to detect a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 that 
+allows unauthenticated users to inject content in posts.
+
+The script connects to the Wordpress REST API to obtain the list of published posts and 
+grabs the user id and date from there. Then it attempts to update the date field in the 
+post with the same date information we just obtained. If the request doesn’t return an 
+error, we mark the server as vulnerable.
+
+References:
+https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html 
+ 
+  ]]
+
+---
+-- @usage
+-- nmap --script http-vuln-cve2017-1001000 --script-args http-vuln-cve2017-1001000="uri" <target>
+-- nmap --script http-vuln-cve2017-1001000 <target>
+--
+-- @output
+-- PORT   STATE SERVICE REASON
+-- 80/tcp open  http    syn-ack
+-- | http-vuln-cve2017-1001000:
+-- |   VULNERABLE:
+-- |   Content Injection in Wordpress REST API
+-- |     State: VULNERABLE (Exploitable)
+-- |     IDs:  CVE:CVE-2017-1001000
+-- |     Risk factor: Medium  CVSSv2: 5.0 (MEDIUM) 
+-- |       The privilege escalation vulnerability in WordPress REST API allows
+-- |       the visitors to edit any post on the site 
+-- |       Versions 4.7.0 and 4.7.1 are known to be affected
+-- |    
+-- |     References:
+-- |_      https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html 
+--
+-- @xmloutput
+-- <table key="CVE-2017-1001000">
+-- <elem key="title">Content Injection in Wordpress REST API</elem>
+-- <elem key="state">VULNERABLE (Exploitable)</elem>
+-- <table key="ids">
+-- <elem>CVE:CVE-2017-1001000</elem>
+-- </table>
+-- <table key="scores">
+-- <elem key="CVSSv2">5.0 (MEDIUM)</elem>
+-- </table>
+-- <table key="description">
+-- <elem>The privilege escalation vulnerability in WordPress REST API allows&#xa; the visitors to edit
+-- any post on the site.&#xa; Versions 4.7.0 and 4.7.1 are known to be affected&#xa;
+-- </elem>
+-- </table>
+-- <table key="refs">
+-- <elem>https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html</elem>
+-- </table>
+-- </table>
+--
+-- @args http-vuln-cve2017-1001000.uri Wordpress root directory on the website. Default: /
+---
+
+author = "Vinamra Bhatia"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
+
+portrule = shortport.http
+
+action = function(host, port)
+  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'
+  uri = uri .. 'index.php/wp-json/wp/v2/posts/' --Uri is appended to get the JSON data
+
+  local response = http.get(host, port, uri, nil)
+
+  if response.status and  response.status == 200 then
+    local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
+    local vuln_table = {
+      title = 'Content Injection Vulnerability in Wordpress REST API',
+      state = vulns.STATE.NOT_VULN, --default Non Vulnerable State
+      IDS = {CVE = 'CVE-2017-1001000'},
+      risk_factor = "Medium",
+      scores = {
+        CVSSv2 = "5.0 (MEDIUM)",
+      },
+      description = [[
+The privilege escalation vulnerability in WordPress REST API allows
+the visitors to edit any post on the site .
+Versions 4.7.0 and 4.7.1 are known to be affected.
+      ]],
+      references = {
+          'https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html'
+      },
+    }
+
+    local status, json_data = json.parse(response.body)
+
+    --Parsing the json_data to get the ID of the first post and the date.
+    local id=json_data[1].id
+    local content=json_data[1].date
+
+    if(id==nil or content==nil) then
+      return vulnReport:make_output(vuln_table)
+    end
+
+    --Modifying the uri and checking for response. 
+    --Date modification request is being sent.
+    uri = uri ..id..'/'..'?id=' .. id ..'abc'..'&date='..content
+
+    local request_opts = {
+    header = {
+      },
+    }
+
+    request_opts["header"]["Content-type"] = 'application/json'
+    local response1 = http.post(host, port, uri, request_opts)
+
+    --If response is correct, means the site allowed the modification
+    --of the post and it is vulnerable.
+    if(response1.status and response1.status==200) then
+      vuln_table.state = vulns.STATE.VULN
+    end
+    return vulnReport:make_output(vuln_table)
+  end
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -262,6 +262,7 @@ Entry { filename = "http-vuln-cve2014-3704.nse", categories = { "exploit", "intr
 Entry { filename = "http-vuln-cve2014-8877.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-vuln-cve2015-1427.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-vuln-cve2015-1635.nse", categories = { "safe", "vuln", } }
+Entry { filename = "http-vuln-cve2017-1001000.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } }
 Entry { filename = "http-vuln-cve2017-5689.nse", categories = { "auth", "exploit", "vuln", } }
 Entry { filename = "http-vuln-misfortune-cookie.nse", categories = { "intrusive", "vuln", } }