CVE-2022-0169 PoC — Photo Gallery by 10Web < 1.6.0 - Unauthenticated SQL Injection

Associated Vulnerability
Title: Photo Gallery by 10Web < 1.6.0 - Unauthenticated SQL Injection (CVE-2022-0169)
Description: The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the `bwg_tag_id_bwg_thumbnails_0` parameter before using it in a SQL statement via the `bwg_frontend_data` AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection.
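A defensive check built from the description above, added here as an example and not part of the PoC repository: it scans web access log lines for `bwg_frontend_data` requests whose `bwg_tag_id_bwg_thumbnails_0` value is not numeric. The log lines are constructed, and the rule that a legitimate value is empty or a comma-separated list of integers is an assumption, as are the function names.

```python
import re
from urllib.parse import urlsplit, parse_qs

ACTION = "bwg_frontend_data"            # AJAX action named in the description
PARAM = "bwg_tag_id_bwg_thumbnails_0"   # parameter named in the description
# Assumption: a legitimate value is empty or a comma-separated list of integers.
SAFE_VALUE = re.compile(r"(\d+(,\d+)*)?")
# Request field of a combined-format access log line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_values(target):
    """Return the non-numeric PARAM values found in one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if ACTION not in query.get("action", []):
        return []
    return [v for v in query.get(PARAM, []) if not SAFE_VALUE.fullmatch(v)]

def scan(lines):
    """Return (line_number, client_ip, bad_values) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        bad = suspicious_values(match.group(1))
        if bad:
            hits.append((number, line.split(" ", 1)[0], bad))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder value).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jul/2025:09:55:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=bwg_frontend_data&bwg_tag_id_bwg_thumbnails_0=3,7 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [09/Jul/2025:09:55:39 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=bwg_frontend_data&bwg_tag_id_bwg_thumbnails_0='
    '12%29%20CONSTRUCTED_NON_NUMERIC HTTP/1.1" 200 734',
    '198.51.100.23 - - [09/Jul/2025:09:55:40 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 58',
]

if __name__ == "__main__":
    for number, ip, values in scan(SAMPLE_LOG):
        print(f"line {number}: {ip} sent non-numeric {PARAM}: {values}")
```

Access logs record only the query string, so values sent in a POST body need the same check at a WAF or in body-capture logs. A hit on a site running a plugin version before 1.6.0 warrants upgrading the plugin and reviewing the accounts in `wp_users`.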
Description
CVE-2022-0169 - WordPress Photo Gallery SQLi PoC
Readme
# CVE-2022-0169 — WordPress Photo Gallery SQLi PoC

This is a simple Python proof-of-concept (PoC) for **CVE-2022-0169**, an SQL injection vulnerability in the WordPress Photo Gallery plugin.

---

## What it does

* Checks the WordPress version (if available)  
* Exploits the vulnerable `admin-ajax.php` endpoint  
* Dumps `wp_users` usernames and password hashes  
* Saves results in timestamped folders  
* Prompts you to crack them with hashcat if you want

This tool is for **educational purposes only**. Use responsibly! Like you would listen to this.. 😆

---

## 🤌 Usage

### 🖕 **Single target**

```bash
python3 exploit.py -u http://target.com
```

### 🖐️ **Multiple targets**

```bash
python3 exploit.py -f targets.txt
```

---

## 🕺 Options

| Option     | Description                                      |
|------------|--------------------------------------------------|
| `-u`       | Single target URL                                |
| `-f`       | File with list of targets                        |
| `-p`       | Proxy (e.g., `http://127.0.0.1:8080`)            |
| `-t`       | Number of threads (default: 5)                   |
| `-w`       | Wordlist for hashcat (default: `rockyou.txt`). Make sure that `rockyou.txt` is gunzipped! |

**Example:**

```bash
python3 exploit.py -u http://victim.com -w /usr/share/wordlists/rockyou.txt
```

---

**Requirements**

```bash
requests
argparse
colorama
```

## 🦠 Results

- Dumps are saved in `results/YYYYMMDD_HHMMSS/`
- One HTML dump per target
- Extracted hashes in separate files for easy cracking

When hashes are found, you’ll be asked:
```
Crack the hashes with hashcat now? [Y/N]:
```
If you hit `Y`, hashcat will run automatically using your selected wordlist.

---

## 🔫 Example attack flow

1. Run the script on your target(s).  
2. Check the `results/` folder for dumps and hashes.  
3. Crack them with hashcat:
   ```bash
   hashcat -m 400 -a 0 results/YYYYMMDD_HHMMSS/hashes.txt /usr/share/wordlists/rockyou.txt
   ```

---

## 📢 Disclaimer

This tool is for **educational and authorized testing** only.
You are solely responsible for how you use it.
Always get permission before scanning or exploiting any system.

Stay cyberpunk.  
**— X3RX3S**
File Snapshot

```
[4.0K] /data/pocs/73e13e7b54b24a64ef67b0443356f79917a07a07
├── [6.2K] CVE-2022-0169.py
├── [1.2K] LICENSE
├── [2.2K] README.md
└── [802K] Screenshot_20250709-095539__01.jpg

0 directories, 4 files
```