
[nuclei-template] WP Extension Download Monitor wp V 4.4.4 - SQL Injection

Open MrHarshvardhan opened this issue 5 months ago • 1 comments

```yaml
id: wp-download-monitor-orderby-sqli-auth-detect

info:
  name: Wordpress Download Monitor - authenticated detection for potential SQLi in orderby
  author: MrHarsh
  severity: Medium
  tags: wordpress,sqli,authenticated,download-monitor,detection-only
  description: |
    Detection-only. Logs in using provided credentials and probes the Download Monitor admin logs page (orderby parameter) with benign characters to detect DB error strings or reflection.

requests:
  # Step 1: fetch the login page and extract the nonce
  - id: get-login
    method: GET
    path:
      - "{{BaseURL}}/wp-login.php"
    extractors:
      - type: regex
        regex:
          - 'name="_wpnonce" value="([^"]+)"'
        name: wpnonce
        group: 1

  # Step 2: log in with the supplied credentials and capture the session cookie
  - id: do-login
    depends-on:
      - get-login
    method: POST
    path:
      - "{{BaseURL}}/wp-login.php"
    body: "log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1&_wpnonce={{wpnonce}}"
    headers:
      Content-Type: application/x-www-form-urlencoded
    extractors:
      - type: regex
        regex:
          - 'wordpress_logged_in_[^=]+=([^;]+)'
        name: wp_logged_in_cookie
        group: 1

  # Step 3: confirm the login worked
  - id: check-dashboard
    depends-on:
      - do-login
    method: GET
    path:
      - "{{BaseURL}}/wp-admin/"
    matchers:
      - type: word
        words:
          - "Dashboard"
        condition: and

  # Step 4: request the logs page with one extra character appended to orderby
  - id: auth-probe
    depends-on:
      - do-login
    method: GET
    path:
      - "{{BaseURL}}/wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date%60"
      - "{{BaseURL}}/wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date%27"
      - "{{BaseURL}}/wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date%22"
      - "{{BaseURL}}/wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date%3B"
    headers:
      Cookie: "wordpress_logged_in={{wp_logged_in_cookie}}"
    matchers-condition: or
    matchers:
      # Database error strings in the response body
      - type: word
        words:
          - "You have an error in your SQL syntax"
          - "SQL syntax;"
          - "warning: mysql_"
          - "mysql_fetch"
          - "PG::SyntaxError"
          - "SQLite error"
          - "SQLSTATE"
          - "unclosed quotation mark after the character string"
          - "ORA-"
      # Reflection of the probed parameter value
      - type: regex
        regex:
          - '(orderby=download_date%60|orderby=download_date%27|orderby=download_date%22|orderby=download_date%3B)'
    extractors:
      - type: regex
        regex:
          - 'ORA-[0-9]+'
        name: db_oracle_error
        group: 0
      - type: regex
        regex:
          - 'SQLSTATE\[[0-9A-Z_]+\]'
        name: sqlstate
```

MrHarshvardhan, Oct 31 '25 09:10
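Added example (not part of the issue or of the nuclei-templates project): the template's matchers re-implemented in Python and run over constructed response bodies, keeping the DB-error words separate from the URL-reflection regex that `matchers-condition: or` folds into a single match. The function name `triage`, the verdict labels and the sample bodies are assumptions made for illustration.

```python
import re

# Error signatures copied from the template's word matcher.
DB_ERROR_WORDS = [
    "You have an error in your SQL syntax", "SQL syntax;", "warning: mysql_",
    "mysql_fetch", "PG::SyntaxError", "SQLite error", "SQLSTATE",
    "unclosed quotation mark after the character string", "ORA-",
]
# Equivalent to the template's reflection regex (four alternatives).
REFLECTION = re.compile(r"orderby=download_date%(?:60|27|22|3B)")
# Extractor patterns copied from the template.
EXTRACTORS = {
    "db_oracle_error": re.compile(r"ORA-[0-9]+"),
    "sqlstate": re.compile(r"SQLSTATE\[[0-9A-Z_]+\]"),
}

def triage(body: str) -> dict:
    """Evaluate one response body against both matchers, reported separately."""
    errors = [w for w in DB_ERROR_WORDS if w in body]  # plain substring match
    reflected = bool(REFLECTION.search(body))
    extracted = {n: rx.findall(body) for n, rx in EXTRACTORS.items() if rx.search(body)}
    if errors:
        verdict = "db-error"         # database evidence: worth manual review
    elif reflected:
        verdict = "reflection-only"  # URL echoed back, no database evidence
    else:
        verdict = "clean"
    return {"verdict": verdict, "errors": errors, "extracted": extracted,
            "template_would_match": bool(errors) or reflected}

# Constructed sample bodies (hypothetical, not captured from a real site).
SAMPLES = {
    "pagination_echo": '<a href="edit.php?post_type=dlm_download'
                       '&page=download-monitor-logs'
                       '&orderby=download_date%27&paged=2">2</a>',
    "db_error": "WordPress database error: [You have an error in your SQL "
                "syntax; check the manual near '`' at line 1] SQLSTATE[42000]",
    "normal": "<table class='wp-list-table'><tr><td>report.pdf</td></tr></table>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

The `pagination_echo` body contains no database output, yet it satisfies the OR-ed matcher set because the admin page repeats the request URL in a link; findings of that kind need the word matcher to agree before they are treated as evidence.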

Hi @MrHarshvardhan, Thank you for taking the time to create this issue and for contributing to this project.

princechaddha, Nov 02 '25 14:11