CVE-2022-0739 PoC — BookingPress < 1.0.11 - Unauthenticated SQL Injection

Source
Associated Vulnerability
Title: BookingPress < 1.0.11 - Unauthenticated SQL Injection (CVE-2022-0739)
Description: The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection.
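For defenders, the description above translates into a simple log check: requests to the affected AJAX action whose integer fields carry anything other than an integer. The following is an added example, not code from the PoC repository or the plugin; the field names `category_id` and `total_service`, the record layout (a proxy or WAF that logs POST bodies) and all sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"                     # WordPress AJAX endpoint
VULN_ACTION = "bookingpress_front_get_category_services"   # action named in the advisory
# Assumption: fields of this action that should only ever hold an integer.
NUMERIC_FIELDS = {"category_id", "total_service"}
INT_RE = re.compile(r"-?[0-9]{1,10}")

def suspicious_fields(encoded_params):
    """Return the numeric fields that carry non-integer data for the vulnerable action."""
    pairs = parse_qsl(encoded_params, keep_blank_values=True)
    if ("action", VULN_ACTION) not in pairs:
        return []
    hits = set()
    for name, value in pairs:
        base = name.split("[", 1)[0]   # PHP array syntax, e.g. total_service[]
        if base in NUMERIC_FIELDS and (base != name or not INT_RE.fullmatch(value)):
            hits.add(base)
    return sorted(hits)

def scan(records):
    """Return (source, fields) for POSTs to admin-ajax.php that fail the integer check."""
    alerts = []
    for rec in records:
        url = urlsplit(rec["path"])
        if rec["method"] != "POST" or url.path != AJAX_PATH:
            continue
        # WordPress accepts 'action' in the query string or the body, so inspect both.
        fields = suspicious_fields(url.query + "&" + rec["body"])
        if fields:
            alerts.append((rec["src"], fields))
    return alerts

# Constructed sample records (documentation IP ranges, placeholder nonce).
_BASE = "action=" + VULN_ACTION + "&_wpnonce=0000000000&category_id=3"
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": AJAX_PATH,
     "body": _BASE + "&total_service=2"},
    {"src": "203.0.113.9", "method": "POST", "path": AJAX_PATH,
     "body": _BASE + "&total_service=1%29+--+constructed"},
    {"src": "203.0.113.10", "method": "POST",
     "path": AJAX_PATH + "?action=" + VULN_ACTION, "body": "category_id=x"},
    {"src": "198.51.100.8", "method": "POST", "path": AJAX_PATH,
     "body": "action=heartbeat&total_service=x"},
]

if __name__ == "__main__":
    for src, fields in scan(SAMPLE):
        print(f"ALERT {src}: non-integer value in {fields}")
```

The same integer check, applied server-side before the value reaches the query, is the mitigation for sites that cannot yet upgrade to 1.0.11 or later.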
Description
Exploit for WP BookingPress (< 1.0.11) based on destr4ct's PoC.
Readme
# CVE-2022-0739

My take on CVE-2022-0739 BookingPress exploit, based on [destr4ct](https://github.com/destr4ct/CVE-2022-0739)'s POC - just prettier.

## Example

Example usage against HackTheBox's MetaTwo machine, which hosts a WordPress site with a vulnerable BookingPress plugin (version 1.0.10).

```bash
python booking-sqlinjector.py -u http://metapress.htb -nu http://metapress.htb/events/ -a -o db_dump
```

[![asciicast](https://asciinema.org/a/HeSO2mjs0g69V3a6KcvqwlM0P.svg)](https://asciinema.org/a/HeSO2mjs0g69V3a6KcvqwlM0P)

## Usage

```bash
usage: booking-sqlinjector.py [-h] -u URL [-o BASENAME] [-p PAYLOAD] [-a] [-v] (-n NONCE | -nu NONCE_URL)

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     URL of WordPress server with vulnerable plugin (http://example.domain)
  -o BASENAME, --out BASENAME
                        Output database schema and dump in JSON format
  -p PAYLOAD, --payload PAYLOAD
                        Payload to inject. Should start with ')'
  -a, --dump-all        Enables whole DB dump
  -v, --verbose         Enables verbose mode
  -n NONCE, --nonce NONCE
                        Nonce that you got as unauthenticated user
  -nu NONCE_URL, --nonce-url NONCE_URL
                        URL where nonce can be extracted (bookingprss form page)
```

## Installation

```bash
git clone https://github.com/viardant/CVE-2022-0739
cd CVE-2022-0739
pip install -r requirements.txt
```

## Disclaimer

TL;DR: For educational purposes only, do not break stuff that you don't own or have permission to pentest. If you use this program for any nefarious purposes, the cybersecurity gods may smite your computer with a malware so devastating, you'll wish you had just bought a Mac.
File Snapshot

[4.0K] /data/pocs/2484dc23a1d3e60a0653983b76c30962cb852659
├── [ 10K] booking-sqlinjector.py
├── [ 34K] LICENSE
├── [1.7K] README.md
└── [ 71] requirements.txt

0 directories, 4 files