Share
## https://sploitus.com/exploit?id=A85C092B-2B81-5BB7-909B-FE7CB2C9529A
# SSI-CVE-2022-21661

Information System's Security 2nd Assignment

Study and exploit the vulnerability CVE-2022-21661 that allows SQL Injections through plugins POST requests to WordPress versions below 5.8.3.

## Configuring the environment

To start and configure the environment, you should just run:

```bash
docker-compose run --rm wordpress-cli
```

### Requirements

- Docker
- Docker-Compose
- Python 3.9+
- Argparser
- Hashcat

## Running some examples

In example.md file, you can follow a little tutorial with some examples to get started with the exploit of this vulnerability.

## The exploit itself

First of all, ensure the file we're going to execute has execution permission.
So run the following command.

```bash
chmod +x exploit.py
```

Then, to run the exploit, you should run the following command replacing the \<payload\> with:

1. Dump database name.
2. Dump users table.

```bash
./exploit.py http://127.0.0.1:8000/wp-admin/admin-ajax.php [payload] [-l LIMIT_USER] [-o output]
```

## Going further

For going a little bit further, We prepared a script that runs our exploit and uses the data from the user's table, and, then, tries to recover the original passwords forcing a dictionary attack through hashcat.

For this attack, we are using the dictionary [rockyou.txt](https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt).

To execute it, just make sure it has execution permissions and runs it.

```bash
chmod +x experiment.sh
./experiment.sh
```

It can take a while...
In the end, you're able to see the file results/users.txt with the users and raw passwords.

### Authors

- Leonardo Monteiro
- Wellington Machado de Espindula
- Bassam Graini

### Exploit References

- <https://github.com/0x4E0x650x6F/Wordpress-cve-CVE-2022-21661>