## https://sploitus.com/exploit?id=A85C092B-2B81-5BB7-909B-FE7CB2C9529A
# SSI-CVE-2022-21661
Information System's Security 2nd Assignment
Study and exploit the vulnerability CVE-2022-21661 that allows SQL Injections through plugins POST requests to WordPress versions below 5.8.3.
## Configuring the environment
To start and configure the environment, you should just run:
```bash
docker-compose run --rm wordpress-cli
```
### Requirements
- Docker
- Docker-Compose
- Python 3.9+
- Argparser
- Hashcat
## Running some examples
In example.md file, you can follow a little tutorial with some examples to get started with the exploit of this vulnerability.
## The exploit itself
First of all, ensure the file we're going to execute has execution permission.
So run the following command.
```bash
chmod +x exploit.py
```
Then, to run the exploit, you should run the following command replacing the \<payload\> with:
1. Dump database name.
2. Dump users table.
```bash
./exploit.py http://127.0.0.1:8000/wp-admin/admin-ajax.php [payload] [-l LIMIT_USER] [-o output]
```
## Going further
For going a little bit further, We prepared a script that runs our exploit and uses the data from the user's table, and, then, tries to recover the original passwords forcing a dictionary attack through hashcat.
For this attack, we are using the dictionary [rockyou.txt](https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt).
To execute it, just make sure it has execution permissions and runs it.
```bash
chmod +x experiment.sh
./experiment.sh
```
It can take a while...
In the end, you're able to see the file results/users.txt with the users and raw passwords.
### Report
You can find a complete report, in French, of this assignment in the file [Devoir_Securit__2.pdf](https://github.com/WellingtonEspindula/SSI-CVE-2022-21661/blob/master/Devoir_Securit__2.pdf).
### Authors
- Leonardo Monteiro
- Wellington Machado de Espindula
- Bassam Graini
### Exploit References
- <https://github.com/0x4E0x650x6F/Wordpress-cve-CVE-2022-21661>