How to obtain "wp_rest" nonce for WP Statistics plugin manually?

During my pentest of a client's websites I stumbled upon the WP with vulnerable WP Statistics plugin installed.

To exploit this vulnerability, I should send a JSON-API request to endpoint /json-api/wp-statistics/v2/.... The problem is I must send correct _wpnonce along with my request.

I found a cool explanation here: https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042

They recommend to extract the _wpnonce value from the legitimate URLs from the website page source. But I don't see similar URLs anywhere. My guess is that the plugin installed but not correctly used so it doesn't create these links within the pages.

As I understand, this plugin uses wp_rest action for nonce and it means that the nonce used is global for the whole JSON REST API. Am I correct here? And if yes, how can I obtain this nonce value manually?

Topic plugin-json-api nonce Wordpress statistics

Category Web

1
answered at

As I understand, this plugin uses wp_rest action for nonce and it means that the nonce used is global for the whole JSON REST API. Am I correct here?

Yes, it's not the plugin that needs the nonce, it's WordPress itself, and it needs other things too such as cookies from an active login session, and for it to be from a user with the needed role/capabilities.

And if yes, how can I obtain this nonce value manually?

You can't, WP gives it to you, and the nonces are unique to each person. Generating it locally would require that you have the secret key hashes from the wp-config.php file.

So you can't steal someone elses nonce, you can't generate it locally.

But even if you could, it only helps identify and authenticate that you are a specific user, it won't give you permissions to do things your user can't already do.

If You're Already Logged In

https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/

If WP itself is localising the nonce then it's available as:

wpApiSettings.nonce

Note that all the caveats I've mentioned still apply.

Having said that, I don't think you should be asking how to exploit a WP site here. It should be enough to report to the client that they're running vulnerable software.

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.