漏洞平台

POC详情： 1e2b6ca0bf7f46fa9324f0d9eb44eeee089589a8

来源

https://github.com/WellingtonEspindula/SSI-CVE-2022-21661

关联漏洞

标题： WordPress plugin SQL注入漏洞 (CVE-2022-21661)
描述：WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是WordPress开源的一个应用插件。 WordPress plugin 存在SQL注入漏洞，该漏洞源于WP_查询中的不正确清理。攻击者可利用该漏洞执行SQL注入攻击。

描述

Study and exploit the vulnerability CVE-2022-21661 that allows SQL Injections through plugins POST requests to WordPress versions below 5.8.3.

介绍

# SSI-CVE-2022-21661

Information System's Security 2nd Assignment

Study and exploit the vulnerability CVE-2022-21661 that allows SQL Injections through plugins POST requests to WordPress versions below 5.8.3.

## Configuring the environment

To start and configure the environment, you should just run:

```bash
docker-compose run --rm wordpress-cli
```

### Requirements

- Docker
- Docker-Compose
- Python 3.9+
- Argparser
- Hashcat

## Running some examples

In example.md file, you can follow a little tutorial with some examples to get started with the exploit of this vulnerability.

## The exploit itself

First of all, ensure the file we're going to execute has execution permission.
So run the following command.

```bash
chmod +x exploit.py
```

Then, to run the exploit, you should run the following command replacing the \<payload\> with:

1. Dump database name.
2. Dump users table.

```bash
./exploit.py http://127.0.0.1:8000/wp-admin/admin-ajax.php [payload] [-l LIMIT_USER] [-o output]
```

## Going further

For going a little bit further, We prepared a script that runs our exploit and uses the data from the user's table, and, then, tries to recover the original passwords forcing a dictionary attack through hashcat.

For this attack, we are using the dictionary [rockyou.txt](https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt).

To execute it, just make sure it has execution permissions and runs it.

```bash
chmod +x experiment.sh
./experiment.sh
```

It can take a while...
In the end, you're able to see the file results/users.txt with the users and raw passwords.

### Report

You can find a complete report, in French, of this assignment in the file [Devoir_Securit__2.pdf](https://github.com/WellingtonEspindula/SSI-CVE-2022-21661/blob/master/Devoir_Securit__2.pdf).

### Authors

- Leonardo Monteiro
- Wellington Machado de Espindula
- Bassam Graini

### Exploit References

- <https://github.com/0x4E0x650x6F/Wordpress-cve-CVE-2022-21661>

文件快照


 [4.0K]  /data/pocs/1e2b6ca0bf7f46fa9324f0d9eb44eeee089589a8
├── [600K]  Devoir_Securit__2.pdf
├── [1.8K]  docker-compose.yml
├── [5.4K]  example.md
├── [ 536]  experiment.sh
├── [5.5K]  exploit.py
├── [ 137]  kill.sh
├── [ 34K]  LICENSE
└── [2.0K]  README.md

0 directories, 8 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。