LearnPress authenticated SQL injection
Metasploit contributor h00die added a new module that exploits CVE-2020-6010, an authenticated SQL injection vulnerability in the WordPress LearnPress plugin. When a user is logged in with contributor privileges or higher, the id parameter can be used to inject arbitrary code through an SQL query. This exploit can be used to collect usernames and password hashes. The responsible code is located in learnpress/inc/admin/lp-admin-functions.php at line 1690. The vulnerability affects plugin versions v188.8.131.52 and prior.
In addition to new exploit modules, Metasploit releases include a number of enhancements and bug fixes. This week we would like to highlight a few key enhancements that improve usability. Contributor pingport80 added support for easy reading of binary files from target systems compromised through a PowerShell session. Our very own sjanusz-r7 added a default payload option to the postgres_payload module so that payloads update correctly when changing target systems. An enhancement made by our own gwillcox-r7 extends Windows process lib injection beyond just notepad.exe. The logic now selects from a random list that can be updated in the future. We appreciate all the contributions that make Metasploit more robust and easier to use.
New module content (1)
- Wordpress LearnPress current_items Authenticated SQLi by Omri Herscovici, Sagi Tzadik, h00die, and nhattruong, which exploits CVE-2020-6010 - This collects usernames and password hashes from WordPress installations via an authenticated SQL injection vulnerability that exists in LearnPress plugin versions below
Enhancements and features
- #15384 from gwillcox-r7 - This consolidates and changes the library code used by exploits that use RDLLs. The changes improve upon the logic used to start a process to host the RDLL so it is no longer notepad.exe but randomly selected from a list that can also be updated in the future.
- #15477 from pingport80 - This adds PowerShell session support to the read_file functions provided by the
- #15580 from sjanusz-r7 - Updates postgres_payload exploit modules to specify a valid default PAYLOAD option when changing target architectures
- #15584 from h00die - Updates the list of WordPress plugins and themes to allow users to discover more plugins and themes when running tools such as
- #15496 from zeroSteiner - Users can now specify the SSL version for servers with the SSLVersion datastore option, ensuring compatibility with a range of targets old and new.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).