关联漏洞
标题:WordPress Plugin NotificationX 安全漏洞 (CVE-2024-1698)Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin NotificationX 存在安全漏洞,该漏洞源于对用户提供的参数转义不充分以及对现有 SQL 查询缺乏充分的准备,很容易通过“type”参数受到 SQL 注入攻击。
Description
This is an exploit script to find out wordpress admin's username and password hash by exploiting CVE-2024-1698.
介绍
# CVE-2024-1698 Exploit Script - Wordpress NotificationX <= 2.8.2 - SQL Injection
This is an exploit script to find out wordpress admin's username and password hash by exploiting CVE-2024-1698.
This Python script is intended for educational purposes only. It demonstrates a proof of concept for exploiting CVE-2024-1698 SQL injection vulnerability to extract admin credentials (username and password hash) from a WordPress website's NotificationX Analytics API. **Please use this script responsibly and only on systems you are authorized to test. Unauthorized or malicious use is strictly prohibited.**
## Disclaimer
The author and contributors of this script are not responsible for any misuse, damage, or illegal activity caused by the use of this tool. **Use at your own risk.**
## Requirements
- Python 3.x
- `requests` library
## Usage
1. Ensure you have Python 3.x installed on your system.
2. Install the required dependencies by running:
pip install requests
3. Modify the `url`, `delay`, and other variables in the script according to your testing environment and requirements.
4. Run the script:
python exploit.py
5. The script will attempt to extract the admin username and password hash. Results will be displayed if successful.
## Legal and Ethical Considerations
- **Only use this script on systems you have explicit permission to test. Unauthorized access to computer systems is illegal and unethical.**
- Respect the privacy and security of others. Do not use this script to access sensitive information without proper authorization.
- Understand and comply with the laws and regulations governing penetration testing and ethical hacking in your jurisdiction.
- Use responsible disclosure practices if you discover security vulnerabilities while testing.
## Acknowledgements
This script is for educational purposes and was created to demonstrate the risks associated with SQL injection vulnerabilities. We encourage users to learn about web security best practices and contribute to improving the security posture of web applications.
Detail blog on CVE-2024-1698 by [White Hack Labs](https://whitehacklabs.com/)
: [Blog Post](https://ethicalhacking.uk/sql-injection-alert-dissecting-cve-2024-1698-in-notificationx-for-wordpress/)
## License
This script is licensed under the [MIT License](LICENSE). See the LICENSE file for details.
This README emphasizes responsible use, legal and ethical considerations, and encourages users to only use the script for educational purposes and with proper authorization.
文件快照
[4.0K] /data/pocs/21a8429b3757176f884d000c8acc6cede52d570c
├── [257K] cve-2024-1698.jpeg
├── [2.7K] exploit.py
└── [2.5K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。